[cabfpub] Ballot 158: Adopt Code Signing Baseline Requirements

N. Atilla Biler atilla.biler at turktrust.com.tr
Fri Dec 4 02:01:09 MST 2015


Dear Dean and Dear All,

 

First of all many thanks for the Code Signing WG for preparing these BRs.

 

I would like to raise a discussion about the security requirements of the
hardware security devices mentioned in the document. Under section "16.3
Subscriber Private Key Protection" the following hardware security module
requirements are stated:

 

"

.

 

2. A hardware crypto module with a unit design form factor certified as
conforming to at least FIPS 140 Level 2, Common Criteria EAL 4+, or
equivalent. 

3. Another type of hardware storage token with a unit design form factor of
SD Card or USB token (not necessarily certified as conformant with FIPS 140
Level 2 or Common Criteria EAL 4+). The Subscriber MUST also warrant that it
will keep the token physically separate from the device that hosts the code
signing function until a signing session is begun. 

.

"

 

Actually, in many contexts and legislative requirements, the minimum
security level for those PKI devices, whether they be HSM devices or smart
cards, are indicated as either Common Criteria EAL4+ certified or
equivalently FIPS PUB 140-2 Level 3 certified (not Level 2). The
corresponding requirement under section 16.3 of Code Signing BRs do not
enforce that equivalency; i.e. it allows choosing a relatively lower level
of security if FIPS certification is preferred. 

 

On the other hand, when I checked the EV Code Signing Guidelines again, I
saw that only FIPS 140-2 Level 2 requirement is stated under section "16
Data Security". When I first examined the EV Code Signing Guidelines draft,
I thought Level 2 was deliberately selected by the WG for defining a certain
level of security yet not limiting the hardware device options in the market
for code signing services. That's why, I hadn't objected that requirement
under EV Guidelines at that time.

 

However, upon introducing a Common Criteria equivalency of EAL 4+ in the BRs
now, I believe the security levels should also be equivalent (at least
parallel, as equivalency of FIPS and Common Criteria security levels is
sometimes arguable).

 

Hence, what I would suggest is changing the requirement under section 16.3
of Code Signing BRs to "FIPS 140-2 Level 3 or Common Criteria EAL 4+" and
reflecting this requirement similarly to the EV Code Signing Guidelines.

 

I should probably have opened this discussion well before but I only
recently noticed this specific issue. I hope it's not too late to discuss,
considering the ongoing ballot process.

 

Best regards,

 

 

N. Atilla BILER

Business Development Manager / Advisor to R&D Center

TURKTRUST Inc.

 

Address: Hollanda Cad. 696.Sok. No:7 Yildiz 06550 Cankaya / ANKARA - TURKEY

Phone   : +90 (312) 439 10 00

Mobile  : +90 (530) 314 24 05

Fax         : +90 (312) 439 10 01

E-mail    :  <mailto:atilla.biler at turktrust.com.tr>
atilla.biler at turktrust.com.tr 

Web      :  <http://www.turktrust.com.tr/> www.turktrust.com.tr 

 

 

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Dean Coclin
Sent: 3 Aralık 2015 Perşembe 23:24
To: CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] Ballot 158: Adopt Code Signing Baseline Requirements

 

Adding public link to final version:
https://cabforum.org/wp-content/uploads/Code-Signing-Requirements-2015-11-19
.pdf

 

 

From:  <mailto:public-bounces at cabforum.org> public-bounces at cabforum.org [
<mailto:public-bounces at cabforum.org> mailto:public-bounces at cabforum.org] On
Behalf Of Dean Coclin
Sent: Thursday, December 03, 2015 4:04 PM
To: CABFPub
Subject: [cabfpub] Ballot 158: Adopt Code Signing Baseline Requirements

 

After a 2 week pre-ballot, the Code Signing Working Group has now prepared
the formal ballot below:

 

Ballot 158: Adopt Code Signing Baseline Requirements

 

The following motion is proposed by the Code Signing Working Group and is
endorsed by Microsoft, Trend Micro and OATI. Further information on the
ballot is in the email message below.

- - - - Motion for Ballot 158 - - - -

Be it resolved that the CA / Browser Forum adopts the recommendation of the
Code Signing Working Group for Version 1.0 of the Baseline Requirements for
Code Signing. Once adopted, the effective date will be October 1, 2016.

- - - - Motion Ends - - - -

The review period for this ballot shall commence at 2200 UTC on 3 Dec 2015,
and will close at 2200 UTC on 10 Dec 2015. Unless the motion is withdrawn
during the review period, the voting period will start immediately
thereafter and will close at 2200 UTC on 17 Dec 2015. Votes must be cast by
posting an on-list reply to this thread. 

 

A vote in favor of the motion must indicate a clear 'yes' in the response. A
vote against must indicate a clear 'no' in the response. A vote to abstain
must indicate a clear 'abstain' in the response. Unclear responses will not
be counted. The latest vote received from any representative of a voting
member before the close of the voting period will be counted. Voting members
are listed here: 

 

https://cabforum.org/members/ 

 

In order for the motion to be adopted, two thirds or more of the votes cast
by members in the CA category and greater than 50% of the votes cast by
members in the browser category must be in favor. Quorum is currently nine
(9) members- at least nine members must participate in the ballot, either by
voting in favor, voting against, or abstaining.

 

Dean Coclin and Jeremy Rowley

Code Signing Working Group co-chairs

 

From:  <mailto:public-bounces at cabforum.org> public-bounces at cabforum.org [
<mailto:public-bounces at cabforum.org> mailto:public-bounces at cabforum.org] On
Behalf Of Dean Coclin
Sent: Thursday, November 19, 2015 2:01 PM
To: CABFPub
Subject: [cabfpub] Pre-Ballot: Code Signing Baseline Requirements

 

The Code Signing Working Group of the CA/Browser Forum has completed its
work on Version 1 of the Code Signing Baseline Requirements.  The Working
Group has been meeting over the last 2+ years to develop and bring this
topic to the Forum for approval. 

 

This Working Group was chartered by the Forum at the Mozilla face to face
meeting in February 2013 and has brought together forum members and outside
participants to craft a document which we believe will help improve the
security of the ecosystem. Forum members in the working group include:
Comodo, Digicert, Entrust, ETSI, Federal PKI, Firmaprofessional,
Globalsign, Izenpe, Microsoft, Startcom, SwissSign, Symantec, Trend Micro,
WoSign as well as non-members: Cacert, Intarsys, OTA, Richter, and
Travelport.  Also, there have been several public commenting periods which
resulted in changes and revisions to the document. 

 

The stated goal of the group was to: "Create a set of baseline requirements
for code signing that will reduce the incidence of signed malware". We
strived to work on 3 sub goals, which are by no means 100% solved. However
we feel that the document reflects progress towards these goals which were:

1.       Minimize private key theft by moving toward more secure key storage
(protection of private keys)

2.       Baseline authentication and vetting procedures for all parties

3.       Information sharing (notification/revocation) for fraud detection.
This piece was moved to the Information Sharing Working Group

 

The document is now final and no further changes are being accepted.
Comments and suggestions will be accumulated for a future version of the
document.

 

The group is seeking 2 endorsers for the ballot below:

- - - - Motion for Ballot XXX - - - -

Be it resolved that the CA / Browser Forum adopts the recommendation of the
Code Signing Working Group for Version 1.0 of the Baseline Requirements for
Code Signing. Once adopted the effective date will be October 1, 2016.

- - - - Motion Ends - - - -

The review period for this ballot shall commence at 2200 UTC on 3 Dec 2015,
and will close at 2200 UTC on 10 Dec 2015. Unless the motion is withdrawn
during the review period, the voting period will start immediately
thereafter and will close at 2200 UTC on 17 Dec 2015. Votes must be cast by
posting an on-list reply to this thread. 

 

A vote in favor of the motion must indicate a clear 'yes' in the response. A
vote against must indicate a clear 'no' in the response. A vote to abstain
must indicate a clear 'abstain' in the response. Unclear responses will not
be counted. The latest vote received from any representative of a voting
member before the close of the voting period will be counted. Voting members
are listed here: 

 

https://cabforum.org/members/ 

 

In order for the motion to be adopted, two thirds or more of the votes cast
by members in the CA category and greater than 50% of the votes cast by
members in the browser category must be in favor. Quorum is currently nine
(9) members- at least nine members must participate in the ballot, either by
voting in favor, voting against, or abstaining.

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20151204/81f7337e/attachment-0001.html 


More information about the Public mailing list