New CA/B Forum Code Signing Requirements in Effect – Is Your Organization Compliant?

madhav
Tue, 06/20/2023 – 06:29

Numerous breaches and malware attacks have used fraudulent code signing certificates to cause significant damage to the certificate owner’s reputation and business. To prevent this from happening, earlier this month the CA/B Forum’s new Code Signing Baseline Requirements (CSBRs) came into effect, bringing with them changes to how organizations must generate and protect code signing certificate private keys.

In today’s digital world, code signing is an essential part of doing business for virtually any organization that distributes code to its end users. Code signing verifies the identity of the publisher of a specific set of code and attests that it has not been modified since it was signed. Certificates delivered along with signed software are a critical way for users to determine whether the software originates from a legitimate source before installation. Regardless of the use case or the industry an organization operates in, the private key must be protected for a code signing certificate to be trusted and valued. Otherwise, anyone who can access a legitimate certificate owner’s private key can create software that will appear to be signed by that organization.
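The two properties described above, and the reason private key protection matters, can be shown with a small signing and verification routine. This is an added example, not code from the original article or from Thales; it uses Ed25519 over a SHA-256 digest as a stand-in for certificate-based signing, and the payload strings are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Artifact is a distributed software package: the bytes plus the publisher's signature.
type Artifact struct {
	Payload   []byte
	Signature []byte
}

// Sign hashes the payload and signs the digest with the publisher's private key.
func Sign(priv ed25519.PrivateKey, payload []byte) Artifact {
	digest := sha256.Sum256(payload)
	return Artifact{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// Verify is the installer-side check: recompute the digest and test the signature
// against the public key the user already trusts for this publisher.
func Verify(pub ed25519.PublicKey, a Artifact) bool {
	digest := sha256.Sum256(a.Payload)
	return ed25519.Verify(pub, digest[:], a.Signature)
}

// Demo returns the verification outcome for four cases: a genuine artifact, one
// modified after signing, one signed with a stranger's key, and one signed with
// the publisher's own key after that key has been taken by an attacker.
func Demo() (genuine, tampered, wrongKey, stolenKey bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // publisher's keypair (constructed)
	if err != nil {
		panic(err)
	}
	payload := []byte("installer v1.0 (constructed sample)")
	signed := Sign(priv, payload)
	genuine = Verify(pub, signed)

	// Bytes changed after signing: the digest differs, so the signature no longer matches.
	modified := Artifact{Payload: append([]byte{}, payload...), Signature: signed.Signature}
	modified.Payload[0] ^= 0xff
	tampered = Verify(pub, modified)

	// Signed by a key the user does not trust for this publisher: rejected.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	wrongKey = Verify(pub, Sign(otherPriv, payload))

	// Signed with the publisher's own private key: accepted, and indistinguishable from
	// genuine. Nothing in the signature reveals who held the key, which is why the
	// CSBRs require the key to be generated and kept in a hardware crypto module.
	stolenKey = Verify(pub, Sign(priv, []byte("different code signed with the same key")))
	return
}

func main() {
	g, t, w, s := Demo()
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v stolenKey=%v\n", g, t, w, s)
}
```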

With the number of high-profile malware attacks making headlines these days, the CA/B Forum passed Ballot CSC-13. The ballot mandates that signing keys be generated and stored in a certified hardware crypto module, with the goal of increasing the protection of code signing certificate private keys. These new requirements officially came into effect on June 1, 2023, with Ballot CSC-17.

The CA/B Forum’s New Requirements for Code Signing

The biggest change to the CSBRs’ requirements for issuing EV and non-EV code signing certificates is related to private key protection. For example: before the new requirements, the non-EV key pair could be generated in

[…]

This article has been indexed from Thales CPL Blog Feed
