There are new minimum requirements for code signing for use by all Certificate Authorities (CA), according to the Code Signing Working Group of the Certificate Authority Security Council (CASC).
These requirements represent the first-ever standardized code signing guidelines. Code signing is the method of using a certificate-based digital signature to sign executables and scripts in order to verify the author’s identity and ensure the code has not been changed or corrupted.
RELATED STORIES
Securing Against Disguised Data
IoT Attack Scare: Is Industry Ready?
Network Visibility with New Platform
ICSJWG: Security in Perspective
Helping to verify software authenticity and avoid downloading malware and other malicious software is critical to protecting consumers’ online interactions. Microsoft is the first applications software vendor to adopt these guidelines, with others expected to follow.
The Code Signing Working Group is part of the CA/Browser Forum, a voluntary group of CAs, Internet browser software vendors, and suppliers of other applications that use X.509 v.3 digital certificates for SSL/TLS and code signing. Comprised of CASC members, the Code Signing Working Group spent over two years coming up with the new “Minimum Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates” in cooperation with CAs, Application Software Suppliers and members of the security community.
The guidelines include several new features, including:
Stronger protection for private keys: The best practice will be to use a FIPS 140-2 Level 2 HSM or equivalent.
Certificate revocation: Most likely, a revocation will be requested by a malware researcher or an application software supplier like Microsoft, if they discover users of their software may be installing suspect code or malware.
Improved code signatures time-stamping: CAs must now provide a time-stamping authority (TSA) and specifies the requirements for the TSA and the time-stamping certificates.
Microsoft will require CAs that issue code signing certificates for Windows platforms must adhere to these guidelines beginning February 1 next year.