*Ballot FORUM-8: Charter to Establish a Code Signing Certificate
Working Group*
*Purpose of Ballot*
It is proposed that the Forum establish a working group to adopt and
maintain a policy, framework, and set of standards related to the
issuance and management of code signing certificates by a third-party
Certificate Issuer, rather than by the platform supplier (i.e.
Certificate Consumer) itself. The work would be based on the Forum’s
prior adoption of the EV Code Signing Guidelines, version 1.4, (Ballot
172; 5 July 2016), and additional work by Forum members who expressly
agreed to operate pursuant to the Forum’s IPR Policy, between 2013 and
2015, which resulted in a failed proposal to adopt a set of baseline
requirements for the issuance and management of code signing
certificates
(https://cabforum.org/wp-content/uploads/Code-Signing-Requirements-2015-11-19.pdf;
https://cabforum.org/2015/12/17/ballot-158).
It is proposed by Ben Wilson of DigiCert and endorsed by Mike Reilly
of Microsoft and Bruce Morton of Entrust Datacard that the Forum
charter a working group to operate in accordance with the Scope and
other provisions that follow. This Charter will take effect upon
approval of the CAB Forum by ballot conducted in accordance with Bylaw
5.3.
*— BALLOT BEGINS —*
*Code Signing Certificate Working Group Charter*
*Introduction*
This introduction provides general information and context with an
intent to assist the interpretation of this Charter.
A code signing certificate contains the public key corresponding to a
private key that is used by a person or organization to digitally sign
data—such data usually containing instructions (i.e. “code”) for
hardware to perform certain tasks. A code signing certificate can be
identified by the existence of an Extended Key Usage (EKU) Object
Identifier (OID) of 1.3.6.1.5.5.7.3.3.
The objective of a code signing certificate is to provide a
cryptographic way to identify the source of code. There are a variety
of functional models and use cases whereby a code signing certificate
is issued by a Certificate Issuer to a Subscriber for use in signing
code that will run on a particular computing platform or group of
platforms. (Each platform supplier determines how a chain between a
trusted root CA certificate and the code signing certificate will be
created and verified.)
The primary use case under consideration for the working group is a
model whereby the platform supplier accepts code signing certificates
issued by a third-party Certificate Issuer. A common example of this
model is Microsoft’s Authenticode, although others exist.
Other functional models include those which allow developers to
self-sign code and those in which the platform supplier manages the
code signing or certificate issuance process, and these models are
expressly excluded from the working group’s mandate. Common examples
of these models that are expressly excluded from the scope of
guidelines to be promulgated by the working group are Apple’s
Developer ID program and Google’s Android.
Chartering of the Code Signing Certificate Working Group
Upon approval of the CAB Forum by ballot, the Code Signing Certificate
Working Group (“CSCWG”) is created to perform the activities as
specified in this Charter, subject to the terms and conditions of the
CA/Browser Forum Bylaws and Intellectual Property Rights (IPR) Policy,
as such documents may change from time to time. In the event of a
conflict between this Charter and any provision in either the Bylaws
or the IPR Policy, the provision in the Bylaws or IPR Policy SHALL
take precedence. The definitions found in the Forum’s Bylaws SHALL
apply to capitalized terms in this Charter.
1 Scope
The authorized scope of the CSCWG SHALL be to discuss, adopt, and
maintain policies, frameworks, and sets of standards related to the
issuance and management of code signing certificates by third-party
Certificate Issuers under a publicly trusted root (and not code
signing certificates issued under a private root CA), limited as follows:
1. EV Code Signing Guidelines, v. 1.4 and subsequent versions
2. Version 1.0 Draft of November 19, 2015, Baseline Requirements for
the Issuance and Management of Publicly-Trusted Code Signing
Certificates (subject to the CSCWG making a written finding that
the provenance of such document is sufficiently covered by the
Forum’s IPR Policy)
3. Verification requirements for issuance/renewal of code signing
certificates
4. Subscriber protection of private keys, including keys stored in
the cloud
5. Certificate issuance and revocation
6. Requirements/controls on use of code signing certificates
7. Mechanisms to engage with AV vendors, researchers, and others
regarding signed malware
8. Certificate profiles for code signing certificates and Issuing CA
certificates (including the appropriateness of extensions and when
those extensions should be present)
9. Certificate issuance and revocation
10. CA operational practices, physical/logical security, etc.
The CSCWG SHALL exercise caution to ensure that its work product does
not impede the issuance of other EKU types.
2 Out of Scope
The CSCWG SHALL NOT develop guidelines, standards, or requirements
applicable to:
1. Self-signed code;
2. Platform suppliers / Certificate Consumers;
3. Certificates issued under a root certificate that is not publicly
trusted, even though they are managed by Certificate Issuers or
other third-party service providers; or
4. The code signing or certificate issuance process when managed by a
platform supplier / Certificate Consumer.
3 Charter Expiration
The CSCWG is chartered until it is dissolved as specified in Bylaw
5.3.2(c).
4 Personnel and Participation
4.1 Selection of Officers
Dean Coclin will act as chair of the CSCWG until the first Working
Group Teleconference, at which time the group will select a chair and
vice-chair. The chair and vice-chair will serve until October 31,
2020, or until they are replaced, resign, or are otherwise
disqualified. Thereafter, elections SHALL be held for chair and vice
chair every two (2) years in coordination with the Forum’s election
process and in conjunction with its election cycle. Officer elections
SHALL occur in accordance with Bylaw 4.1(c).
4.2 Eligibility to Participate, Suspension, and Termination of
Membership in CSCWG
4.2.1 Eligibility to Participate
The CSCWG SHALL consist of two classes of voting members, Certificate
Issuers and Certificate Consumers meeting the eligibility criteria below:
(1) A Certificate Issuer eligible for voting membership in the CSCWG
MUST have a publicly-available audit report or attestation statement
in accordance with one of the following schemes:
1. WebTrust for CAs v.2.0 or newer; or
2. ETSI EN 319 411-1, which includes normative references to ETSI EN
319 401 (the latest version of the referenced ETSI documents
should be applied); or
3. If a Government Certificate Issuer is required by its Certificate
Policy to use a different internal audit scheme, it MAY use such
scheme provided that the audit either (a) encompasses all
requirements of one of the above schemes or (b) consists of
comparable criteria that are available for public review.
These audit reports must also meet the following requirements:
4. They must report on the operational effectiveness of controls for
a historic period of at least 60 days;
5. No more than 27 months have elapsed since the beginning of the
reported-on period and no more than 15 months since the end of the
reported-on period; and
6. The audit report was prepared by a Qualified Auditor.
In addition, the Certificate Issuer MUST actively issue code signing
certificates that are accepted for use in computing platforms in which
the platform supplier accepts code signing certificates issued by such
Certificate Issuer.
(2) A Certificate Consumer (i.e. a platform supplier) eligible for
voting membership in the CSCWG must produce a computing platform that
accepts code signing certificates issued by third-party Certificate
Issuers who meet criteria set by such Certificate Consumer.
4.2.2 Membership Application/Declaration process
1. An Applicant not already a member of the Forum SHALL provide the
following information:
7. Confirmation that the applicant satisfies at least one (1) of the
membership eligibility criteria (and if it satisfies more than one
(1), indication of the single category under which the applicant
wishes to apply).
8. The organization name, as they wish it to appear on the Forum Web
site and in official Forum documents.
9. URL of the applicant's main Web site.
10. Names and email addresses of employees who will participate in the
Working Group and Forum as Member representatives.
11. Emergency contact information for security issues related to
certificate trust.
Applicants that qualify as Certificate Issuers or Root Certificate
Issuers must supply the following additional information:
12. URL of the current qualifying audit report.
13. The URL of at least one third party website that includes a
certificate issued by the Applicant in the certificate chain.
14. Links or references to issued end-entity certificates that
demonstrate them being treated as valid by a Certificate Consumer
Member.
Such Applicant SHALL become a Member once the CSCWG has determined by
consensus among the Members during a CSCWG Meeting or Teleconference
that the Applicant meets all of the requirements above or, upon the
request of any Member of the CSCWG, by a Ballot among Members of the
CSCWG. Acceptance by consensus shall be determined or a Ballot of the
Members shall be held as soon as the Applicant indicates that it has
presented all information required above and has responded to all
follow-up questions from the CSCWG and the Member has complied with
the requirements of Bylaw 5.5.
Certificate Issuer applicants that are not actively issuing code
signing certificates but otherwise meet these membership criteria MAY
request to the CSCWG that they be granted an invitation for Associate
Member status in accordance with Bylaw 3.1, subject to conditions
designated by the CSCWG.
The CSCWG SHALL allow participation by Interested Parties, as set
forth in the Bylaws.
2. Existing CAB Forum Members seeking to participate in the CSCWG, in
accordance to Bylaw 5.3.1(c), MUST formally declare their intent
to participate in writing and provide the CSCWG Chair with this
declaration and evidence that they meet the criteria set forth
above. Such Applicants SHALL become Members of the CSCWG as
determined by consensus during a CSCWG Meeting or Teleconference,
or upon the request of any Member of the CSCWG, by a Ballot among
Members of the CSCWG.
In order to determine the composition of the initial set of CSCWG
Members, at least twenty-four (24) hours prior to the initial meeting
of the CSCWG, the CSCWG Chair SHALL publish a list of Members seeking
to participate who he determines meet the criteria set forth above. As
the first order of business at the first meeting of the CSCWG, those
organizations on the Chair’s list of proposed, qualifying Members
SHALL vote to determine the initial set of CSCWG Members.
The Chair of the CSCWG SHALL establish a list for declarations of
participation and manage it in accordance with the Bylaws, the IPR
Policy, and the IPR Policy Agreement.
4.2.3 Ending Working Group Membership
Members may resign from the CSCWG at any time. Resignation or other
termination of membership in the CSCWG does not prevent a Member from
potentially having continuing obligations, under the Forum's IPR
Policy or any other document.
A Certificate Consumer Member's membership will automatically cease if
any of the following become true:
1. it stops providing updates for its membership-qualifying software
product; and
2. six (6) months have elapsed since the last such published update.
A Certificate Issuer’s membership in the CSCWG may be suspended if any
of the following become true:
1. it fails to perform and disclose its membership-qualifying audit and
fifteen (15) months have elapsed since the end of the audit period of
its last successful membership-qualifying audit;
2. its membership-qualifying audit is revoked, rescinded or withdrawn;
3. fifteen (15) months have elapsed since the end of the audit period
of its last successful membership-qualifying audit; or
4. it is no longer the case that its currently-issued certificates are
treated as valid by at least one Certificate Consumer Member of the CSCWG.
Any Member who believes one of the above circumstances is true of any
other Member may report it on the CSCWG’s Public Mail List. The CSCWG
Chair will then investigate, including asking the reported Member for
an explanation or appropriate documentation. If evidence of continued
qualification for membership is not forthcoming from the reported
Member within five (5) working days, the CSCWG Chair will announce
that such Member is suspended, such announcement to include the basis
upon which the suspension has been made.
A suspended Member who believes it has then re-met the membership
criteria under the relevant clauses shall post its evidence to the
CSCWG Public Mail List or provide evidence to the CSCWG Chair who
SHALL post it to the CSCWG Public Mail List. The CSCWG Chair will
examine the evidence and unsuspend the member, or not, by announcement
to the CSCWG Public Mail List. A Member's membership will
automatically cease six months after it becomes suspended if the
Member has not re-met the membership criteria by that time.
While suspended, a Member may participate in CSCWG Meetings, CSCWG
Teleconferences, and on the CSCWG's discussion lists, but may not
propose or endorse ballots or take part in any form of voting.
Votes cast before the announcement of a Member's suspension will stand.
5 Voting and Other Organizational Matters
5.1 Voting Structure
The rules described in Bylaw 2.3 and 2.4 SHALL apply to all ballots,
including Draft Guideline Ballots.
In order for a ballot to be adopted by the Code Signing Certificates
Working Group, two-thirds or more of the votes cast by the Certificate
Issuers must be in favor of the ballot and more than 50% of the votes
cast by the Certificate Consumers must be in favor of the ballot. At
least one member of each class must vote in favor of a ballot for it
to be adopted. Quorum is the average number of Member organizations
(cumulative, regardless of Class) that have participated in the
previous three (3) Code Signing Certificate Working Group Meetings or
Teleconferences (not counting subcommittee meetings thereof). For
transition purposes, if three (3) meetings have not yet occurred,
quorum is three (3).
5.2 Other Organizational Matters
(a) The Chair may delegate any of his/her duties to the Vice Chair as
necessary. The Vice Chair has the authority of the Chair in the event
of any absence or unavailability of the Chair, and in such
circumstances, any duty delegated to the Chair herein may be performed
by the Vice Chair. For example, the Vice Chair may preside at CSCWG
Meetings and Teleconferences in the Chair’s absence.
(b) CSCWG-created Subcommittees may be approved either (1) by formal
ballot as described in Bylaw 2.3 or (2) by simple majority vote of
those members present at a regularly scheduled CSCWG Meeting or
Teleconference provided that the proposal is mentioned in an agenda
circulated on the CSCWG Public Mail List at least forty-eight (48)
hours prior to the CWG Meeting or Teleconference.
6 Summary of Major Deliverables
The deliverables of the CSCWG are defined in the Scope section above.
7 Primary Means of Communication
(a) The CSCWG SHALL appoint a webmaster to maintain the CSCWG’s pages
on the wiki and the Forum’s Public Web Site.
(b) The CSCWG will communicate primarily through listserv-based email
in accordance with Bylaw 5.3.1(d). The CSCWG List SHALL be available
to the public, who will not have posting privileges (i.e. anyone may
subscribe to receive messages and the list may be crawled and indexed
by Internet search engines).
(c) The CSCWG SHALL conduct periodic calls or face-to-face meetings as
needed. Minutes SHALL be kept, and such minutes SHALL be made public
in accordance with Bylaw 5.2.
8 IPR Policy and Antitrust Policy
As with all Forum Working Group activity, the IPR Policy, v1.3 or
later, SHALL apply to all activities and work of the CSCWG. All
Participants in the CSCWG SHALL have on file with the Forum a valid,
signed IPR Policy Agreement (v.1.3). A previously submitted IPR Policy
Agreement (v1.3) by an existing Member of the Forum shall suffice as
meeting the obligation under section 4.5 of the IPR Policy that a
Participant in the CSCWG commit to CAB Forum License requirements.
In accordance with the Forum’s antitrust policy, an antitrust
compliance statement SHALL be read at the start of all Working Group
Meetings, in substantially the form written in Bylaw 1.3.
--- MOTION ENDS ---
The procedure for approval of this ballot is as follows:
*Discussion Period (7+ days):*
Start Time: Friday, 22-February-2019 at 0100 UTC
End Time: Friday, 1-March-2019 at 0100 UTC
*Vote for Approval (7 days):*
Start Time: Friday, 1-March-2019 at 0100 UTC
End Time: Friday, 8-March-2019 at 0100 UTC