TrustCor votes "YES" on ballot FORUM-8.

Regards,
Neil

> On 1 Mar 2019, at 17:22, Ben Wilson via Public <[email protected]> wrote:
>
> I hereby announce that Voting Begins on the following ballot and that DigiCert affirmatively votes "Yes":
>
> Ballot FORUM-8: Charter to Establish a Code Signing Certificate Working Group
>
> Purpose of Ballot
>
> It is proposed that the Forum establish a working group to adopt and maintain a policy, framework, and set of standards related to the issuance and management of code signing certificates by a third-party Certificate Issuer, rather than by the platform supplier (i.e. Certificate Consumer) itself. The work would be based on the Forum's prior adoption of the EV Code Signing Guidelines, version 1.4, (Ballot 172; 5 July 2016), and additional work by Forum members who expressly agreed to operate pursuant to the Forum's IPR Policy, between 2013 and 2015, which resulted in a failed proposal to adopt a set of baseline requirements for the issuance and management of code signing certificates (https://cabforum.org/wp-content/uploads/Code-Signing-Requirements-2015-11-19.pdf; https://cabforum.org/2015/12/17/ballot-158).
>
> It is proposed by Ben Wilson of DigiCert and endorsed by Mike Reilly of Microsoft and Bruce Morton of Entrust Datacard that the Forum charter a working group to operate in accordance with the Scope and other provisions that follow. This Charter will take effect upon approval of the CAB Forum by ballot conducted in accordance with Bylaw 5.3.
>
> - BALLOT BEGINS -
>
> Code Signing Certificate Working Group Charter
>
> Introduction
>
> This introduction provides general information and context with an intent to assist the interpretation of this Charter.
>
> A code signing certificate contains the public key corresponding to a private key that is used by a person or organization to digitally sign data, such data usually containing instructions (i.e. "code") for hardware to perform certain tasks. A code signing certificate can be identified by the existence of an Extended Key Usage (EKU) Object Identifier (OID) of 1.3.6.1.5.5.7.3.3.
>
> The objective of a code signing certificate is to provide a cryptographic way to identify the source of code. There are a variety of functional models and use cases whereby a code signing certificate is issued by a Certificate Issuer to a Subscriber for use in signing code that will run on a particular computing platform or group of platforms. (Each platform supplier determines how a chain between a trusted root CA certificate and the code signing certificate will be created and verified.)
>
> The primary use case under consideration for the working group is a model whereby the platform supplier accepts code signing certificates issued by a third-party Certificate Issuer. A common example of this model is Microsoft's Authenticode, although others exist.
>
> Other functional models include those which allow developers to self-sign code and those in which the platform supplier manages the code signing or certificate issuance process, and these models are expressly excluded from the working group's mandate. Common examples of these models that are expressly excluded from the scope of guidelines to be promulgated by the working group are Apple's Developer ID program and Google's Android.
>
> Chartering of the Code Signing Certificate Working Group
>
> Upon approval of the CAB Forum by ballot, the Code Signing Certificate Working Group ("CSCWG") is created to perform the activities as specified in this Charter, subject to the terms and conditions of the CA/Browser Forum Bylaws and Intellectual Property Rights (IPR) Policy, as such documents may change from time to time. In the event of a conflict between this Charter and any provision in either the Bylaws or the IPR Policy, the provision in the Bylaws or IPR Policy SHALL take precedence. The definitions found in the Forum's Bylaws SHALL apply to capitalized terms in this Charter.
>
> 1 Scope
>
> The authorized scope of the CSCWG SHALL be to discuss, adopt, and maintain policies, frameworks, and sets of standards related to the issuance and management of code signing certificates by third-party Certificate Issuers under a publicly trusted root (and not code signing certificates issued under a private root CA), limited as follows:
>
> a. EV Code Signing Guidelines, v. 1.4 and subsequent versions
> b. Version 1.0 Draft of November 19, 2015, Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates (subject to the CSCWG making a written finding that the provenance of such document is sufficiently covered by the Forum's IPR Policy)
> c. Verification requirements for issuance/renewal of code signing certificates
> d. Subscriber protection of private keys, including keys stored in the cloud
> e. Certificate issuance and revocation
> f. Requirements/controls on use of code signing certificates
> g. Mechanisms to engage with AV vendors, researchers, and others regarding signed malware
> h. Certificate profiles for code signing certificates and Issuing CA certificates (including the appropriateness of extensions and when those extensions should be present)
> i. Certificate issuance and revocation
> j. CA operational practices, physical/logical security, etc.
>
> The CSCWG SHALL exercise caution to ensure that its work product does not impede the issuance of other EKU types.
>
> 2 Out of Scope
>
> The CSCWG SHALL NOT develop guidelines, standards, or requirements applicable to:
>
> a. Self-signed code;
> b. Platform suppliers / Certificate Consumers;
> c. Certificates issued under a root certificate that is not publicly trusted, even though they are managed by Certificate Issuers or other third-party service providers; or
> d. The code signing or certificate issuance process when managed by a platform supplier / Certificate Consumer.
>
> 3 Charter Expiration
>
> The CSCWG is chartered until it is dissolved as specified in Bylaw 5.3.2(c).
>
> 4 Personnel and Participation
>
> 4.1 Selection of Officers
>
> Dean Coclin will act as chair of the CSCWG until the first Working Group Teleconference, at which time the group will select a chair and vice-chair. The chair and vice-chair will serve until October 31, 2020, or until they are replaced, resign, or are otherwise disqualified. Thereafter, elections SHALL be held for chair and vice chair every two (2) years in coordination with the Forum's election process and in conjunction with its election cycle. Officer elections SHALL occur in accordance with Bylaw 4.1(c).
>
> 4.2 Eligibility to Participate, Suspension, and Termination of Membership in CSCWG
>
> 4.2.1 Eligibility to Participate
>
> The CSCWG SHALL consist of two classes of voting members, Certificate Issuers and Certificate Consumers meeting the eligibility criteria below:
>
> (1) A Certificate Issuer eligible for voting membership in the CSCWG MUST have a publicly-available audit report or attestation statement in accordance with one of the following schemes:
>
> * WebTrust for CAs v.2.0 or newer; or
> * ETSI EN 319 411-1, which includes normative references to ETSI EN 319 401 (the latest version of the referenced ETSI documents should be applied); or
> * If a Government Certificate Issuer is required by its Certificate Policy to use a different internal audit scheme, it MAY use such scheme provided that the audit either (a) encompasses all requirements of one of the above schemes or (b) consists of comparable criteria that are available for public review.
>
> These audit reports must also meet the following requirements:
>
> * They must report on the operational effectiveness of controls for a historic period of at least 60 days;
> * No more than 27 months have elapsed since the beginning of the reported-on period and no more than 15 months since the end of the reported-on period; and
> * The audit report was prepared by a Qualified Auditor.
>
> In addition, the Certificate Issuer MUST actively issue code signing certificates that are accepted for use in computing platforms in which the platform supplier accepts code signing certificates issued by such Certificate Issuer.
>
> (2) A Certificate Consumer (i.e. a platform supplier) eligible for voting membership in the CSCWG must produce a computing platform that accepts code signing certificates issued by third-party Certificate Issuers who meet criteria set by such Certificate Consumer.
>
> 4.2.2 Membership Application/Declaration process
>
> A. An Applicant not already a member of the Forum SHALL provide the following information:
>
> * Confirmation that the applicant satisfies at least one (1) of the membership eligibility criteria (and if it satisfies more than one (1), indication of the single category under which the applicant wishes to apply).
> * The organization name, as they wish it to appear on the Forum Web site and in official Forum documents.
> * URL of the applicant's main Web site.
> * Names and email addresses of employees who will participate in the Working Group and Forum as Member representatives.
> * Emergency contact information for security issues related to certificate trust.
>
> Applicants that qualify as Certificate Issuers or Root Certificate Issuers must supply the following additional information:
>
> * URL of the current qualifying audit report.
> * The URL of at least one third party website that includes a certificate issued by the Applicant in the certificate chain.
> * Links or references to issued end-entity certificates that demonstrate them being treated as valid by a Certificate Consumer Member.
>
> Such Applicant SHALL become a Member once the CSCWG has determined by consensus among the Members during a CSCWG Meeting or Teleconference that the Applicant meets all of the requirements above or, upon the request of any Member of the CSCWG, by a Ballot among Members of the CSCWG. Acceptance by consensus shall be determined or a Ballot of the Members shall be held as soon as the Applicant indicates that it has presented all information required above and has responded to all follow-up questions from the CSCWG and the Member has complied with the requirements of Bylaw 5.5.
>
> Certificate Issuer applicants that are not actively issuing code signing certificates but otherwise meet these membership criteria MAY request to the CSCWG that they be granted an invitation for Associate Member status in accordance with Bylaw 3.1, subject to conditions designated by the CSCWG.
>
> The CSCWG SHALL allow participation by Interested Parties, as set forth in the Bylaws.
>
> B. Existing CAB Forum Members seeking to participate in the CSCWG, in accordance with Bylaw 5.3.1(c), MUST formally declare their intent to participate in writing and provide the CSCWG Chair with this declaration and evidence that they meet the criteria set forth above. Such Applicants SHALL become Members of the CSCWG as determined by consensus during a CSCWG Meeting or Teleconference, or upon the request of any Member of the CSCWG, by a Ballot among Members of the CSCWG.
>
> In order to determine the composition of the initial set of CSCWG Members, at least twenty-four (24) hours prior to the initial meeting of the CSCWG, the CSCWG Chair SHALL publish a list of Members seeking to participate who he determines meet the criteria set forth above. As the first order of business at the first meeting of the CSCWG, those organizations on the Chair's list of proposed, qualifying Members SHALL vote to determine the initial set of CSCWG Members.
>
> The Chair of the CSCWG SHALL establish a list for declarations of participation and manage it in accordance with the Bylaws, the IPR Policy, and the IPR Policy Agreement.
>
> 4.2.3 Ending Working Group Membership
>
> Members may resign from the CSCWG at any time. Resignation or other termination of membership in the CSCWG does not prevent a Member from potentially having continuing obligations, under the Forum's IPR Policy or any other document.
>
> A Certificate Consumer Member's membership will automatically cease if any of the following become true:
>
> 1. it stops providing updates for its membership-qualifying software product; and
> 2. six (6) months have elapsed since the last such published update.
>
> A Certificate Issuer's membership in the CSCWG may be suspended if any of the following become true:
>
> 1. it fails to perform and disclose its membership-qualifying audit and fifteen (15) months have elapsed since the end of the audit period of its last successful membership-qualifying audit;
> 2. its membership-qualifying audit is revoked, rescinded or withdrawn;
> 3. fifteen (15) months have elapsed since the end of the audit period of its last successful membership-qualifying audit; or
> 4. it is no longer the case that its currently-issued certificates are treated as valid by at least one Certificate Consumer Member of the CSCWG.
>
> Any Member who believes one of the above circumstances is true of any other Member may report it on the CSCWG's Public Mail List. The CSCWG Chair will then investigate, including asking the reported Member for an explanation or appropriate documentation. If evidence of continued qualification for membership is not forthcoming from the reported Member within five (5) working days, the CSCWG Chair will announce that such Member is suspended, such announcement to include the basis upon which the suspension has been made.
>
> A suspended Member who believes it has then re-met the membership criteria under the relevant clauses shall post its evidence to the CSCWG Public Mail List or provide evidence to the CSCWG Chair who SHALL post it to the CSCWG Public Mail List. The CSCWG Chair will examine the evidence and unsuspend the member, or not, by announcement to the CSCWG Public Mail List. A Member's membership will automatically cease six months after it becomes suspended if the Member has not re-met the membership criteria by that time.
>
> While suspended, a Member may participate in CSCWG Meetings, CSCWG Teleconferences, and on the CSCWG's discussion lists, but may not propose or endorse ballots or take part in any form of voting.
>
> Votes cast before the announcement of a Member's suspension will stand.
>
> 5 Voting and Other Organizational Matters
>
> 5.1 Voting Structure
>
> The rules described in Bylaw 2.3 and 2.4 SHALL apply to all ballots, including Draft Guideline Ballots.
>
> In order for a ballot to be adopted by the Code Signing Certificates Working Group, two-thirds or more of the votes cast by the Certificate Issuers must be in favor of the ballot and more than 50% of the votes cast by the Certificate Consumers must be in favor of the ballot. At least one member of each class must vote in favor of a ballot for it to be adopted. Quorum is the average number of Member organizations (cumulative, regardless of Class) that have participated in the previous three (3) Code Signing Certificate Working Group Meetings or Teleconferences (not counting subcommittee meetings thereof). For transition purposes, if three (3) meetings have not yet occurred, quorum is three (3).
>
> 5.2 Other Organizational Matters
>
> (a) The Chair may delegate any of his/her duties to the Vice Chair as necessary. The Vice Chair has the authority of the Chair in the event of any absence or unavailability of the Chair, and in such circumstances, any duty delegated to the Chair herein may be performed by the Vice Chair. For example, the Vice Chair may preside at CSCWG Meetings and Teleconferences in the Chair's absence.
>
> (b) CSCWG-created Subcommittees may be approved either (1) by formal ballot as described in Bylaw 2.3 or (2) by simple majority vote of those members present at a regularly scheduled CSCWG Meeting or Teleconference provided that the proposal is mentioned in an agenda circulated on the CSCWG Public Mail List at least forty-eight (48) hours prior to the CSCWG Meeting or Teleconference.
>
> 6 Summary of Major Deliverables
>
> The deliverables of the CSCWG are defined in the Scope section above.
>
> 7 Primary Means of Communication
>
> (a) The CSCWG SHALL appoint a webmaster to maintain the CSCWG's pages on the wiki and the Forum's Public Web Site.
>
> (b) The CSCWG will communicate primarily through listserv-based email in accordance with Bylaw 5.3.1(d). The CSCWG List SHALL be available to the public, who will not have posting privileges (i.e. anyone may subscribe to receive messages and the list may be crawled and indexed by Internet search engines).
>
> (c) The CSCWG SHALL conduct periodic calls or face-to-face meetings as needed. Minutes SHALL be kept, and such minutes SHALL be made public in accordance with Bylaw 5.2.
>
> 8 IPR Policy and Antitrust Policy
>
> As with all Forum Working Group activity, the IPR Policy, v1.3 or later, SHALL apply to all activities and work of the CSCWG. All Participants in the CSCWG SHALL have on file with the Forum a valid, signed IPR Policy Agreement (v.1.3). A previously submitted IPR Policy Agreement (v1.3) by an existing Member of the Forum shall suffice as meeting the obligation under section 4.5 of the IPR Policy that a Participant in the CSCWG commit to CAB Forum License requirements.
>
> In accordance with the Forum's antitrust policy, an antitrust compliance statement SHALL be read at the start of all Working Group Meetings, in substantially the form written in Bylaw 1.3.
>
> --- MOTION ENDS ---
>
> The procedure for approval of this ballot is as follows:
>
> Discussion Period (7+ days):
> Start Time: Friday, 22-February-2019 at 0100 UTC
> End Time: Friday, 1-March-2019 at 0100 UTC
>
> Vote for Approval (7 days):
> Start Time: Friday, 1-March-2019 at 1722 UTC
> End Time: Friday, 8-March-2019 at 1722 UTC
>
> _______________________________________________
> Public mailing list
> [email protected]
> https://cabforum.org/mailman/listinfo/public
