[cabfpub] Ballot 172: Removal of permanentIdentifier from EV Code Signing Guidelines

Richard Wang richard at wosign.com
Fri Jul 1 02:20:20 UTC 2016


WoSign votes NO.


I think this is a good solution to identify the developer identity. If it has a permanent identifier, and if this developer signed malware, then he/she can’t get a code signing certificate from other CAs.

The current situation is: one developer signed malware, the certificate was issued by WoSign, and WoSign revoked it; then this developer buys another certificate from Symantec and continues to sign malware, and is then revoked by Symantec; then this developer buys another code signing certificate from DigiCert and continues to sign malware, and so on…

If we add a permanent identifier with this company’s registration number, and if we have a central malware report system, then if WoSign finds a malware signer, we report this permanent identifier to the blacklist system; other CAs then check the system and can’t issue a code signing certificate to this company. This will block the malware signer.

This is why the permanent identifier came about. I think if Windows can use this in the SmartScreen system, then if the company buys a certificate from another CA, it is easy to find out that it is a malware signer.


Best Regards,

Richard

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jody Cloutier
Sent: Thursday, June 30, 2016 12:55 AM
To: public at cabforum.org
Subject: Re: [cabfpub] Ballot 172: Removal of permanentIdentifier from EV Code Signing Guidelines

Microsoft votes yes.

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Patrick Tronnier
Sent: Wednesday, June 29, 2016 7:30 AM
To: 'Bruce Morton' <Bruce.Morton at entrust.com>; public at cabforum.org
Subject: Re: [cabfpub] Ballot 172: Removal of permanentIdentifier from EV Code Signing Guidelines

OATI Abstains

Thanks.

With kind regards,

Patrick Tronnier
Principal Security Architect &
Sr. Director of Customer Support
Phone: 763.201.2000
Fax: 763.201.5333
Direct Line: 763.201.2052
Open Access Technology International, Inc.
3660 Technology Drive NE, Minneapolis, MN 55418



From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Bruce Morton
Sent: Tuesday, June 21, 2016 1:24 PM
To: public at cabforum.org
Subject: [cabfpub] Ballot 172: Removal of permanentIdentifier from EV Code Signing Guidelines


Ballot 172 - Removal of permanentIdentifier from EV Code Signing Guidelines
The following motion has been proposed by Bruce Morton of Entrust and endorsed by Rick Andrews of Symantec and Jeremy Rowley of DigiCert:
Background:
The EV Code Signing Guidelines require a SAN which includes the permanentIdentifier. The permanentIdentifier is not used by any browser or operating system. Therefore, it is proposed that the permanentIdentifier requirement be removed from the EV Code Signing Guidelines.
--Motion Begins--
Effective upon the date of passage, the following modifications are made to the EV Code Signing Guidelines:
Section 9.2.2:
• Replace all contents with “No stipulation.”
Section 9.7 (B):
• Remove section 9.7 (B).
--Motion Ends--
The review period for this ballot shall commence at 2200 UTC on 21 June 2016, and will close at 2200 UTC on 28 June 2016. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2200 UTC on 5 July 2016. Votes must be cast by posting an on-list reply to this thread.
A vote in favor of the motion must indicate a clear 'yes' in the response. A vote against must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here: https://cabforum.org/members/
In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor. Quorum is currently ten (10) members: at least ten members must participate in the ballot, either by voting in favor, voting against, or abstaining.
