Code Signing Ballots
Open Ballots (GitHub Pull Requests)
- Created at Mar 11, 2024
- Created at Jan 18, 2024This PR is still in discussion, and as such, marked as Draft
Closed Ballots (GitHub Pull Requests)
- Created at Nov 20, 2023, merged on Mar 4, 2024
- Created at Oct 30, 2023, merged on Dec 7, 2023This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates” version 3.4 in order to restore a version reference to the Extended Validation Guidelines which was inadvertently removed in a previous version of the Requirements. In addition, a minor typographical issue is also resolved.
- Created at Apr 6, 2023, merged on Jun 29, 2023This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates“ version 3.2, Section 4.9.1 – “Circumstances for revocation” in order to align it with the TLS and S/MIME BRs and set stricter requirements for revocation due to Private Key Compromise and use in Suspect Code. The following motion has been proposed by Martijn Katerbarg of Sectigo and endorsed by Ian McMillan of Microsoft and Bruce Morton of Entrust.
- Created at Dec 15, 2022, merged on Sep 5, 2023
- Created at Sep 26, 2022, merged on Oct 28, 2022
This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates“ version 3.1 according to the attached redline which includes the change of the effective date of November 15, 2021, to June 1, 2023, subscriber key protection and verification requirements in the following sections:
Section 6.2.7.4.1 Subscriber Private Key protection Section 6.2.7.4.2 Subscriber Private Key verification Section 1.2.2 Relevant Dates The change to extend the effective date for these sections regarding subscriber private key protection is to provide approximately 1 year of time from the public announcement of the requirement change for all effected parties to implement the changes.
- Created at Aug 19, 2022, merged on Mar 4, 2024
- Created at Jul 14, 2022, merged on Sep 20, 2022As part of the review process for ballot CSC-14, several minor typographical and formatting errors were identified. This ballot corrects those errors; no normative changes are introduced by this ballot.
- Created at Aug 31, 2021, merged on Jun 29, 2022RFC 3647 defines a standard framework for outlining the obligations of participants in a PKI. Following the recommended framework as specified in RFC 3647 allows for easier comparison of “The Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates” with other policy documents, most notably work products of other CA/Browser Forum working groups and individual Certification Authority Certificate Policies and Certification Practice Statements. This ballot restates all existing obligations and requirements that are contained in The Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates” in the outline recommended by RFC 3647.
- Created at Jul 16, 2021, not merged
Added documents Dimitris had shared with list
Cut and pasted over any fields from 1.2 that mapped to the 1.3 structure of the BRs to the new version, according to https://github.com/seb-git/code-signing/blob/main/docs/RFC3647_Comparison_Table_for_Baseline_Requirements.pdf
What’s left in this document are sections that either weren’t specified or didn’t match the section headers as indicated in the .pdf
Where multiple sections where suggested as target section, the full origin section has been copied into both target sections for later clean up (e.g. 8.1 to 8 as well as 9.16.3)
Where section headers didn’t match at all (e.g. section 16 in the origin document handles signing services) it wasn’t copied over
The section headers from the original document where kept for now, so it’s clear where they came from
Required next steps:
- Clean up duplicate sections
- Find 1.3 sections for remaining sections that have not been copied over
- Remove old header names, clean up format
Passed Ballots
- Ballots CSC-25 and CSC-26
- Ballot CSC-24 - Timestamping Private Key Protection
- Ballot CSC-23 - Marking the EV Code Signing Guidelines SUPERCEDED
- Ballots CSC-21 and CSC-22
- Ballot FORUM 20v2 – Amend Code Signing Certificate Working Group Charter
- Ballot CSC-20: Restore Version Reference to EV Guidelines
- Ballot CSC-19: Remove TLS BR References
- Ballot CSC-18: Update Revocation Requirements
- Ballot CSC-17: Subscriber Private Key Extension
- Ballot CSC-15 – Summer 2022 Cleanup
- Ballot CSC-14 – Convert Code Signing Baseline Requirements to RFC 3647 Framework
- Ballot CSC-13 – Update to Subscriber Key Protection Requirements
- Ballot CSC-6 – Update to Subscriber Private Key Protection Requirements
- Ballot CSC-12 – CRL Revocation Date Clarification
- Ballot CSC-11 – Update to log data retention requirements
- Ballot CSC-9 – Spring 2021 Cleanup and Clarification
- Ballot CSC-10 – WebTrust CSBR v2.0 Audit Criteria
- Ballot CSC-8 v3: Update to Revocation response mechanisms. key protection for EV certificates, and clean-up of 11.2.1 & Appendix B
- Ballot CSC-7v2: Update to merge EV and Non-EV clauses
- Ballot CSC-6: Reserved
- Special Ballot CSCWG-5: Election of Code Signing Certificate Working Group Vice Chair
- Ballot CSC-4 v1: Move deadline for transition to RSA-3072 and SHA-2 timestamp tokens
- Ballot CSCWG-3: Election of Code Signing Certificate Working Group Chair
- Ballot CSCWG-2: Combine Baseline and EV Code Signing Documents
- Ballot CSC-1: Adopt Baseline Requirements version 1.2
- Ballot FORUM-8: Establishment of a Code Signing Working Group
- Ballot 180 – Readopting the BRs, EVGL, EV Code Signing, and NCSSR Guidelines with Amendments
- Ballot 172 – Removal of permanentIdentifier from EV Code Signing Guidelines
- Ballot 158 – Adoption of Code Signing Baseline Requirements
- Ballot 132 – EV Code Signing Timestamp Validity Period (passed)
- Notice of IPR Review Period for Amendment to the EV Code Signing Guidelines by Ballot 117
- Ballot 117 – EV Code Signing Guidelines Corrections(passed)
- Ballot 70 – EV Code Signing Identifier