Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Code Signing and Time Stamping #19

Closed
twbaldridge opened this issue Nov 4, 2016 · 5 comments
Closed

Code Signing and Time Stamping #19

twbaldridge opened this issue Nov 4, 2016 · 5 comments

Comments

@twbaldridge
Copy link

We must include Code Signing certificates, and because some vendors require Time Stamping for Code Signing this is also required as a core capability in this CP iteration. A clear path for broadly accepted USG issued Code Signing certificates is critical capability to include in the CP, otherwise as we have existing mobile code web services, we are right back where we are with Device TLS certificates for Code Signing Certificates.

@LarryFrank
Copy link

DoD has NOT agreed to do this at this point - I do not care myself - but NSA I4 has serious concerns.

@weirdscience
Copy link
Contributor

Code signing will require adopting the Code Signing Baseline Requirements and another root if the subordinate CAs are not technically constrained.

@rmhrisk
Copy link

rmhrisk commented Mar 28, 2017

I would like to recommend that the USPKI not issue code signing certificates and instead focus efforts on centralizing and automating the process of code signing.

The issuance of code signing certificates is sufficiently different, I imagine relatively rare, and places the USPKI in a position to sign kernel mode drivers (as an example) for hosts across the globe. Moreover, these certificates would not be covered by Certificate Transparency (at least in a meaningful way).

Centralizing code signing, ensuring code that is signed is done so utilizing good key management, antivirus checking and by authorized people would be a much better focus for the group to spend its efforts on.

I do think time stamping is something the USPKI should do.

@konklone
Copy link
Contributor

This was something @rmhrisk kindly discussed with us at the F2F as well, and it was a persuasive argument.

However, we have not had a chance since the F2F to circle back with @twbaldridge and others. Let's queue this up for our weekly call to discuss.

@lachellel
Copy link
Contributor

Agreements:

  • Code signing needs addressed outside of this effort and CP / CPS and PKI hierarchy

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

No branches or pull requests

6 participants