The CASC's Minimum Requirements for Code Signing Certificates enable a common vetting process for all CAs
SAN FRANCISCO, CA--(Marketwired - Dec 8, 2016) - The Certificate Authority Security Council (CASC), an advocacy group committed to the advancement of web security, today announced that the Code Signing Working Group has released new Minimum Requirements for Code Signing for use by all Certificate Authorities (CAs). These requirements represent the first-ever standardized code signing guidelines. Code signing is the method of using a certificate-based digital signature to sign executables and scripts in order to verify the author's identity and ensure that the code has not been changed or corrupted. Helping to verify software authenticity and avoid downloading malware and other malicious software is critical to protecting consumers' online interactions. Microsoft is the first application software vendor to adopt these guidelines, with others expected to follow.
The Code Signing Working Group is part of the CA/Browser Forum, a voluntary group of CAs, Internet browser software vendors, and suppliers of other applications that use X.509 v.3 digital certificates for SSL/TLS and code signing. Comprised of CASC members, the Code Signing Working Group spent over two years coming up with the new "Minimum Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates" in cooperation with CAs, Application Software Suppliers and members of the security community.
"Previously, there were no standards, which meant that if one CA rejected a company's application, that company could submit the same application to a different CA," said Dean J. Coclin, Senior Director, Business Development, Symantec. "The Minimum Requirements for Code Signing will improve all CAs' ability to identify the publishers and authenticate that the code is unchanged."
The guidelines include several new features that will help businesses defend their IT systems and information stores from cyber-attacks, including:
Microsoft will require that CAs issuing code signing certificates for Windows platforms adhere to these guidelines beginning on February 1, 2017.
"The combined versions of Microsoft's Windows platform represent nearly 90 percent of the desktop operating system market share, so its decision to mandate that CAs follow the new requirements is significant," said Jeremy Rowley, Executive Vice President of Emerging Markets, DigiCert. "We expect Microsoft will serve as the catalyst for other application software suppliers to do the same."
"Microsoft is committed to continuously improving the security of our products and services. These new baseline requirements will further our goal by ensuring that our certificate authority partners follow a standard set of rules when issuing certificates to software developers," said Jody Cloutier, Senior Security Program Manager, Microsoft Cryptographic Ecosystem.
About the CASC
The Certificate Authority Security Council is comprised of leading global Certificate Authorities that are committed to the exploration and promotion of best practices that advance trusted SSL deployment and CA operations as well as the security of the internet in general. While not a standards-setting organization, the CASC works collaboratively to improve understanding of critical policies and their potential impact on the internet infrastructure. More information is available at https://casecurity.org.