Hi Ben,

I thought that I would provide some input on Code Signing and hopefully it will 
be considered for the charter.

The public CAs are currently working with two orphaned code signing certificate 
guidelines. Here are some issues:


*        Documents are out of date; as such, software suppliers, CAs, 
subscribers and relying parties are not benefiting from lessons learned or 
ecosystem updates

*        Clients of software suppliers may be at higher risk than necessary

*        Subscribers of code signing certificates are required to meet dated 
specifications which may be costly

*        Cloud provision of subscriber HSM has not been addressed

*        The two documents specify different requirements to address the same 
problem

*        CAs that issue both OV and EV code signing certificates must manage 
two sets of controls

*        CAs that issue both OV and EV will have to undergo two different 
audits in 2019

It would be great if an outcome of the Working Group is one document for code 
signing certificates. I think that the one document can address both the EV and 
OV code signing certificate types, especially since many of the requirements 
are just references to the Baseline Requirements or EV SSL Guidelines.

I would also consider creating a Time-stamp certificate document. The advantage 
is that we could set a standard for time-stamp certificate and time-stamp 
authorities to support code signing, document signing, etc.

I would be interested in helping out with the Code Signing Working Group 
charter drafting.

Bruce.

From: Public [mailto:[email protected]] On Behalf Of Ben Wilson via 
Public
Sent: November 29, 2018 11:18 AM
To: CABFPub <[email protected]>
Subject: [EXTERNAL][cabfpub] Code Signing and SMIME Working Group Charter 
Drafting

As mentioned on today's call - please contact me off-list if you're interested 
in helping draft the charters for the two above-listed working groups.
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public