Re: [cabfpub] Code Signing and SMIME Working Group Charter Drafting

[Ryan Sleevi via Public]

On Thu, Nov 29, 2018 at 5:05 PM Bruce Morton via Public 
wrote:

> Hi Ben,
>
>
>
> I thought that I would provide some input on Code Signing and hopefully it
> will be considered for the charter.
>
>
>
> The public CAs are currently working with two orphaned code signing
> certificate guidelines. Here are some issues:
>
>
>
> ·Documents are be out of date as such software suppliers, CAs,
> subscribers and relying parties are not benefiting from lessons learned or
> ecosystem updates
>
> ·Clients of software suppliers may be at higher risk than
> necessary
>
> ·Subscribers of code signing certificates are required to meet
> dated specifications which may be costly
>
> ·Cloud provision of subscriber HSM has not been addressed
>
> ·The two documents specify different requirements to address the
> same problem
>
> ·CAs that issue both OV and EV code signing certificates must
> manage two sets of controls
>
> ·CAs that issue both OV and EV will have to undergo two different
> audits in 2019
>
>
>
> It would be great if an outcome of the Working Group is one document for
> code signing certificates. I think that the one document can address both
> the EV and OV code signing certificate types, especially since many of the
> requirements are just references to the Baseline Requirements or EV SSL
> Guidelines.
>
>
>
> I would also consider creating a Time-stamp certificate document. The
> advantage is that we could set a standard for time-stamp certificate and
> time-stamp authorities to support code signing, document signing, etc.
>

I would suggest that this be out of scope of Code Signing - there are
significant differences, there exist industry standards already (within the
IETF and within ETSI), and these have different purposes: timestamping
extends beyond code-signing, as you note.


> I would be interested in helping out with the Code Signing Working Group
> charter drafting.
>

As noted, Google is very concerned that, given the confusion the market
shares around what the CA/Browser Forum is and is not, a code signing WG
may be seen as either impacting non-third-party mediated code signing, or
somehow encouraging third-party mediated code-signing as being an
improvement over first-party mediated code-signing, which it is not.

In this regard, and as discussed during the Shanghai F2F, ensuring that the
scope of any charter makes it very clear that the scope of activities, and
work product, are specifically limited to those software suppliers that
engage with third-party CAs to perform identity validation and assessment,
and to explicitly exclude from the scope, goals, and activities the broader
discussion of code-signing, including that of first-party mediated
code-signing.
___
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public

Re: [cabfpub] Code Signing and SMIME Working Group Charter Drafting

[Bruce Morton via Public]

Hi Ben,

I thought that I would provide some input on Code Signing and hopefully it will 
be considered for the charter.

The public CAs are currently working with two orphaned code signing certificate 
guidelines. Here are some issues:


*Documents are be out of date as such software suppliers, CAs, 
subscribers and relying parties are not benefiting from lessons learned or 
ecosystem updates

*Clients of software suppliers may be at higher risk than necessary

*Subscribers of code signing certificates are required to meet dated 
specifications which may be costly

*Cloud provision of subscriber HSM has not been addressed

*The two documents specify different requirements to address the same 
problem

*CAs that issue both OV and EV code signing certificates must manage 
two sets of controls

*CAs that issue both OV and EV will have to undergo two different 
audits in 2019

It would be great if an outcome of the Working Group is one document for code 
signing certificates. I think that the one document can address both the EV and 
OV code signing certificate types, especially since many of the requirements 
are just references to the Baseline Requirements or EV SSL Guidelines.

I would also consider creating a Time-stamp certificate document. The advantage 
is that we could set a standard for time-stamp certificate and time-stamp 
authorities to support code signing, document signing, etc.

I would be interested in helping out with the Code Signing Working Group 
charter drafting.

Bruce.

From: Public [mailto:public-boun...@cabforum.org] On Behalf Of Ben Wilson via 
Public
Sent: November 29, 2018 11:18 AM
To: CABFPub 
Subject: [EXTERNAL][cabfpub] Code Signing and SMIME Working Group Charter 
Drafting

As mentioned  on today's call - please contact me off-list if you're interested 
in helping draft the charters for the two above-listed working groups.
___
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public

[cabfpub] Code Signing and SMIME Working Group Charter Drafting

[Ben Wilson via Public]

As mentioned  on today's call - please contact me off-list if you're
interested in helping draft the charters for the two above-listed working
groups.



smime.p7s
Description: S/MIME cryptographic signature
___
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public