Code Signing and Time Stamping #19
Comments
DoD has NOT agreed to do this at this point - I do not care myself - but NSA I4 has serious concerns.
Code signing will require adopting the Code Signing Baseline Requirements and another root if the subordinate CAs are not technically constrained.
I would like to recommend that the USPKI not issue code signing certificates and instead focus efforts on centralizing and automating the process of code signing. The issuance of code signing certificates is sufficiently different, I imagine relatively rare, and places the USPKI in a position to sign kernel mode drivers (as an example) for hosts across the globe. Moreover, these certificates would not be covered by Certificate Transparency (at least in a meaningful way). Centralizing code signing, ensuring code that is signed is done so utilizing good key management, antivirus checking and by authorized people would be a much better focus for the group to spend its efforts on. I do think time stamping is something the USPKI should do.
This was something @rmhrisk kindly discussed with us at the F2F as well, and it was a persuasive argument. However, we have not had a chance since the F2F to circle back with @twbaldridge and others. Let's queue this up for our weekly call to discuss.
Agreements:
We must include Code Signing certificates, and because some vendors require Time Stamping for Code Signing, this is also required as a core capability in this CP iteration. A clear path for broadly accepted USG issued Code Signing certificates is a critical capability to include in the CP, otherwise as we have existing mobile code web services, we are right back where we are with Device TLS certificates for Code Signing Certificates.