CA/Browser Forum Updates Code Signing Certificate Private Key Requirements

The CA/Browser Forum has approved ballot CSC-13, which aims to increase the protection of the private keys of code signing certificates.
The Code Signing Baseline Requirements (CSBR) govern the issuance of Extended Validation (EV) and non-EV code signing certificates. Until now the CSBR set different private key protection requirements for the two: an EV key pair already had to be generated and held in hardware, whereas a non-EV key pair could be generated in software. A software key is just a file, so it can be copied and distributed easily, which increases the risk of the private key being compromised.
As of November 15, 2022, every code signing certificate key pair, EV or not, must be generated and stored in a hardware cryptographic module that meets or exceeds FIPS 140-2 Level 2 or Common Criteria EAL4+. The key pair is generated inside the device and the private key is held in a form that cannot be exported, so it can be used but not copied. Note that the certification level alone does not guarantee this: most modules can also create exportable or wrapped keys, so the subscriber must generate the key with its non-exportable attribute set. Done properly, this greatly reduces the risk of the private key being compromised.
The subscriber has flexibility as to who operates that hardware cryptographic module. It may be operated by:
- The subscriber, for example a USB security token or a server-attached hardware security module (HSM)
- A cloud service, such as AWS or Azure
- A signing service provided by the certificate authority (CA) or another trust service provider
Additionally, the CA must verify or ensure that the private key was generated in a hardware cryptographic module, using one of the following methods:
- The CA delivers a hardware cryptographic module with one or more pre-generated key pairs
- The subscriber's certificate request is countersigned by the hardware cryptographic module, which provides remote key attestation
- The subscriber uses a CA-prescribed combination of cryptographic library and hardware cryptographic module
- The subscriber provides an internal or external IT audit showing that only an appropriate hardware cryptographic module is used to generate the key pair(s)
- The subscriber provides a suitable report from the cloud-based key protection service showing the subscription and the configuration of the resources that protect the private key in the hardware cryptographic module
- The CA relies on an auditor-signed report witnessing generation of the key pair in a subscriber-hosted or cloud-based hardware cryptographic module
- The subscriber provides an agreement to use a signing service that meets the CSBR
The goal is to reduce compromise of the code signing certificate's private key, which in turn reduces the risk of relying parties installing malware that carries a valid signature.
In the long term, we hope that all vendors of hardware cryptographic modules will add support for remote key attestation, as it provides a user-friendly method with cryptographic assurance that a private key was generated in an appropriate hardware cryptographic module.
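To make the attestation method concrete, here is a small Go model of what the CA actually checks when a certificate request is countersigned by a hardware cryptographic module. This is an added example, not code from the original post or from Entrust. It uses a constructed attestation format (an X.509 chain from the subscriber's public key up to a vendor attestation root) that stands in for the vendor-specific formats real modules emit; the vendor root, the device certificate and all names in it are assumptions. The same verification logic also shows why the method gives cryptographic assurance: a key generated in software has no attestation chain ending at a trusted vendor root, and a software key cannot borrow the attestation of a different, hardware-held key, because the attested public key must be the one in the CSR.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Attestation models what a module hands back when it countersigns a new key: a
// certificate over the public key issued by the per-device attestation key, plus
// that device certificate, signed by the vendor root. Constructed stand-in only.
type Attestation struct {
	Leaf   *x509.Certificate // covers the subscriber's public key
	Device *x509.Certificate // per-device attestation certificate (a CA)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

func certTemplate(cn string, serial int64, ca bool) *x509.Certificate {
	usage := x509.KeyUsageDigitalSignature
	if ca {
		usage |= x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: usage, BasicConstraintsValid: ca, IsCA: ca,
	}
}

// issue signs tmpl with signer; parent == tmpl yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// generateAttestedKey simulates on-module key generation: the module creates the
// key pair and countersigns its public key with the device attestation key. A real
// module keeps the private key non-exportable; it is returned here only to sign the CSR.
func generateAttestedKey(devCert *x509.Certificate, devKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, Attestation) {
	key := newKey()
	leaf := issue(certTemplate("attested key", 1001, false), devCert, &key.PublicKey, devKey)
	return key, Attestation{Leaf: leaf, Device: devCert}
}

func makeCSR(key *ecdsa.PrivateKey) []byte {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "Example Software Co"}}
	return must(x509.CreateCertificateRequest(rand.Reader, tmpl, key))
}

// VerifyAttestedCSR is the CA-side check for a countersigned request: the CSR must
// prove possession of the key, the attestation must chain to a trusted vendor
// root, and the attested key must be exactly the key in the CSR.
func VerifyAttestedCSR(csrDER []byte, att Attestation, vendorRoots *x509.CertPool) error {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	inter := x509.NewCertPool()
	inter.AddCert(att.Device)
	opts := x509.VerifyOptions{Roots: vendorRoots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := att.Leaf.Verify(opts); err != nil {
		return fmt.Errorf("attestation does not chain to a trusted module vendor: %w", err)
	}
	// Without this check a software key could borrow the attestation of some
	// other, genuinely hardware-held key.
	if !bytes.Equal(csr.RawSubjectPublicKeyInfo, att.Leaf.RawSubjectPublicKeyInfo) {
		return fmt.Errorf("attested public key is not the public key in the CSR")
	}
	return nil
}

// Scenarios builds a constructed vendor root and one enrolled module, then submits
// three requests: a genuine attested key, a key whose attestation was self-made
// outside any trusted vendor root, and a software key riding on another key's attestation.
func Scenarios() (genuineOK, forgedRejected, swappedRejected bool) {
	rootKey := newKey()
	rootTmpl := certTemplate("Example HSM Vendor Attestation Root", 1, true)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	devKey := newKey()
	devCert := issue(certTemplate("Example HSM SN 0001", 2, true), root, &devKey.PublicKey, rootKey)
	hwKey, hwAtt := generateAttestedKey(devCert, devKey)
	genuineOK = VerifyAttestedCSR(makeCSR(hwKey), hwAtt, roots) == nil
	fakeKey := newKey()
	fakeTmpl := certTemplate("Not A Real HSM", 3, true)
	swKey, swAtt := generateAttestedKey(issue(fakeTmpl, fakeTmpl, &fakeKey.PublicKey, fakeKey), fakeKey)
	forgedRejected = VerifyAttestedCSR(makeCSR(swKey), swAtt, roots) != nil
	swappedRejected = VerifyAttestedCSR(makeCSR(newKey()), hwAtt, roots) != nil
	return
}

func main() { fmt.Println(Scenarios()) }
```

Three things in VerifyAttestedCSR carry the assurance: the CSR signature proves the requester holds the private key, the chain to the vendor root proves a genuine module vouched for a key, and the public-key comparison ties those two facts to the same key. Dropping any one of them lets a software-generated key through. In production the vendor root would come from the module vendor's published attestation CA, and the attestation statement would be parsed according to that vendor's documented format rather than the generic X.509 chain modelled here.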
Entrust provides code signing certificates and hardware security modules to support enterprise code signing and private key protection.
This post by Bruce Morton appeared first on the Entrust blog and is syndicated through the Security Bloggers Network. Read the original post at: https://www.entrust.com/blog/2022/05/ca-browser-forum-updates-requirements-for-code-signing-certificate-private-keys/