[Cscwg-public] Code Signing Guidelines update v3

Bruce Morton Bruce.Morton at entrustdatacard.com
Thu Apr 9 13:39:10 MST 2020


Attached is the updated document based on today's meeting. I also updated section 18 based on discussions with Dean.

Below are 2 lists. The Issues list are items which should be addressed before finalizing the document. The Parking Lot list are items to either be discussed or changes to be made after the merger has been completed.

Issues:
9.4 - Should the Signing Service Certificate maximum validity period be 39 months or 135 months? Or do we need a Non-EV and an EV Certificate requirement?
Appendix A - Confirm the requirement for key size minimum of 3072-bit RSA effective 1 January 2021, also applies to EV Code Signing Roots, EV Subordinate CAs, EV Subscriber Certificates, EV Time-stamp CAs and EV Time-stamp Certificates.
Appendix B 2.F - May EV Subordinate CA Certificates have EKUs which may include documentSigning and emailProtection?
Appendix B 3.F - May EV Code Signing Certificates have EKUs which may include documentSigning, lifetimeSigning, and emailProtection?

Parking Lot Items:
8.2 - For discussion, "Subsequent signature validation MAY ignore revocation, especially if rejecting the Code will cause the device to fail to boot."
8.5 - Do we need the Insurance requirement?
9.2.4 - Should we address including givenName and surName in certificates?
11.1.1 - Discuss item 4, "If the Subject's or Subject's Affiliate's, Parent Company's, or Subsidiary Company's date of formation, as indicated by either a QIIS or QGIS, was less than three years prior to the date of the Certificate Request, verify the identity of the Certificate Requester."
11.1.2 - How to identify individuals working on open source code as part of a consortium?
11.2 - Should EV Guidelines section 11.5 regarding Verified Method of Communication be addressed?
11.5 - High risk certificate requests should either be removed or updated to provide common methods for all CAs.
14 - Consolidate Employee and Third Party requirements for Non-EV and EV Certificates.
15 - Consolidate Data Records for CAs, Signing Authorities, and Time-stamp Authorities.
16.3 - Subscriber private key protection should be updated. Cloud-based key protection should be considered.
17.1 - Review if special audit criteria are needed for Government CAs.


Thanks, Bruce.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Baseline and EV Requirements for the Issuance and Management of Code Signing v3.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 125373 bytes
Desc: Baseline and EV Requirements for the Issuance and Management of Code Signing v3.docx
URL: <http://cabforum.org/pipermail/cscwg-public/attachments/20200409/f8c5b6af/attachment-0001.docx>