With changes to the governance regulations in the CA/Browser Forum, a new Code Signing Working Group was officially chartered in March 2019. The working group is composed of Certificate Authorities and certificate consumers (operating systems that consume these certificates), and its main goal is to set standards related to the issuance and management of code signing certificates (see the full charter here).
Aren’t there standards already in existence for the issuance of code signing certificates? Sort of. A prior code signing working group had developed a set of standards in 2016; however, the standards were never adopted by the CA/Browser Forum, so they became an “orphaned” work product. But Microsoft deemed them suitable for adoption by its root program, which meant that all CAs that issue code signing certificates for Windows had to abide by them. Auditors, in turn, developed audit guidelines based on this document.
Fast forward to 2019, and we now have an official CA/B Forum working group just for this purpose. The first order of business was to formally adopt the prior Code Signing Minimum Requirements as a CA/B Forum standard. This measure passed unanimously and is now going through a mandatory 60-day intellectual property rights review period, which will conclude on Aug. 13. Assuming no IP issues are brought to the attention of the working group chair (yours truly), the document will become an official Forum standard.
So what’s next for code signing? The group has started looking at potential improvements to the current document, which has not been updated in over three years. Threats continue to expand and the group is investigating improvements to vetting (including video evidence), revocation, hashing algorithms, and time stamping. The group is also seeking additional members in the certificate consumer category for wider exposure and input. Membership info can be found here.