Certificate Authority Security Council recently renewed the minimum requirements for code signing, which apply to all certification centers. Previously, no such requirements exist, but now it will improve Web security and simplify the verification of programs legality.
New requirements for the production and maintenance of code signing certificates include the steps that will be required to carry out certification authorities and individual companies to develop software to ensure that the code signing certificates are used for legitimate purposes. The document allows to solve problems with the concerns about the reliability of the signed object, as well as the correctness of the identification program publisher.
Requirements addressed to the certificate authorities, issuing code signing certificates. Developers and software companies will have to comply with it if they want to achieve compatibility with the standards. Failure to comply with these demands will lead to the fact that the code signing certificate will be canceled or not issued.
A few words about code signing certificates
Code Signing Certificates allow you to sign executable files and scripts to verify the correctness of the author’s personality, as well as to verify that the code has not been changed or somehow damaged after the signing. Some malicious attacks aimed at theft of certificates to use them to sign malware. Malicious code in such a case would have to pass security protection. The stolen code signing certificates are sold on a daily basis on clandestine markets for $ 1,000. Code signing certificates are critical for all devices.
Microsoft has adopted these minimum requirements and demands from all certification authorities issuing code signing certificates for Windows platforms, to adapt minimum requirements to February 1, 2017.
Details of the new requirements
Adopted requirements allow for certification centers to think over process of release and revocation of certificates. Organizations are also responsible for ensuring that the private key is securely stored and protected in a safe environment that will protect the key from theft or misuse. Certification Authority will have to give guidance about how it is necessary to protect the keys. However, the whole problem is to preserve private keys rests precisely on the organization.
Protection of private keys. Companies will be required to apply the platform module for the generation and storage of key pairs, FIPS-140-Level-2 safety module or equivalent, or any other type of storage, such as, for example, USB-key, or SD-card. Tokens must be physically separated from devices performing signing until it is not required to organize a signing session.
Protect computer for signing code. The computer which is used for the code signing, cannot be used for browsing the Internet. It should periodically scan for possible infection with the most modern software.
Selection of a trusted party. If you are using a third-party service for signatures, in this case, the service must support multifactor authentication to gain access to code signatures. If the service does not have these options, it is not compatible with the new requirements.
Transfer key in protected mode. If the private key generation occurs on the side of companies, private keys can be taken outside the secure infrastructure. In this case, the key is to be sent to you with the activation, equivalent to 128 bit encryption, or encrypt the private key with a minimum of 128 bits resistance. Private key is needed to wrap in 128-bit AES key. You can also hold the key to a PKCS 12 file, which is encrypted with a randomly generated password of 16 characters or more.
Using a secure key. The certificate code signing will be released only when public key corresponds to current safety requirements.
If the private key was somehow compromised or used to sign malware, the company will have to ask for a certification authority to revoke the certificate. If the private key has been compromised as a result of the attack, a certification authority shall not issue a new certificate or to replace the old, yet the center will not be satisfied with the improvement of the company’s protection.