
CA/B Forum and Code Signing

With cyber threats and vulnerability exploitation constantly increasing, online security is necessary to prevent the loss of personal information. Digital certificates are the most widely used online security mechanism for protecting user data from a breach: they establish an authenticated, encrypted connection online. By reducing the likelihood that users fall for phishing messages or malware, digital certificates are an important and continuously applied measure for building secure digital trust.

To maintain this trust and accountability for each digital interaction, a set of regulations must be followed. The Certification Authority/Browser (CA/B) Forum is a voluntary organization that cooperates with many certification authorities and, by creating a set of standard requirements, ensures the validity of digital certificates.

The CA/B Forum’s primary objective is to enhance online trust and security. It achieves this by formulating industry standards called the Baseline Requirements, and all CAs must issue and handle digital certificates according to those requirements, whether for SSL/TLS or for code signing.

An SSL/TLS certificate confirms the website’s identity to the client, and a code signing certificate proves the identity of the application developer. These standards are crucial to ensuring the trustworthiness of the digital certification system and keeping the cyber world safe.

Updates in CA/B Forum Requirements for Code Signing

The CA/Browser Forum is also important in creating an environment where CAs and browser vendors ensure that digital certificates meet and follow the specific requirements. Over the years, many changes have been made to the CA/Browser Baseline Requirements, leading to a more secure code signing environment.

The established standards enable the end user to confirm where signed code actually came from. Moreover, they increase trust in the venture, reduce the extent to which malware may be spread, and ensure that safe code is used where it is required the most.

Conforming to the guidelines imposed by the CA/B Forum is instrumental in protecting the credibility and validity of digital certificates. These requirements establish best practices for issuing and administering digital certificates. By complying with them, Certificate Authorities can certify that the certificates they issue are validated and trustworthy. Additionally, these standards promote a more dependable digital platform where users can feel safe with the information they come across and the software they use.

2021 – Initial updates to strengthen the foundation

  • Minimum Key Strength Increased (June 2021)

    The June 2021 update raised the minimum key strength for several certificate types. Because key strength determines how hard a key is to break, a larger key such as RSA-3072 makes forging a digital signature far more challenging, which ultimately strengthens data integrity and authenticity.

  • Stricter Verification and Private Key Protection (June 2021)

    The CA/B Forum introduced stricter identity verification for certificate applicants and stricter private key protection. Private keys should be secured in cryptographic modules that meet FIPS 140-2 Level 2 or an equivalent standard, which prevents unauthorized access to and control of the key.

2022 – Focusing on certain vulnerabilities and updates

  • Addressing Subordinate CA Certificate (March 2022)

    Under this update, any certificate issued by the issuing CA that is used for timestamping or for issuing code signing certificates had to include a CA/B Forum reserved identifier. This helped make timestamping reliable and efficient.

  • Phasing Out SHA-1 (April 2022)

    The CA/B Forum’s restrictions on the use of SHA-1 in timestamp tokens help prevent forgeries, since SHA-1 is no longer collision resistant.

  • Time Encoding (July 2022)

    This update clarifies how time is encoded in code signing certificate revocation entries. Previously, the time encoded in the “Invalidity Date” extension of a CRL entry could differ from the time encoded in the “revocationDate” field of the same revoked certificate entry. The update ensures consistency and accuracy by mandating that the time encoded in both fields must be equal.
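The key-strength, SHA-1 and revocation-time requirements above can be checked mechanically. The following is an added example, not code from the original article or from Encryption Consulting; it uses the third-party Python `cryptography` package to audit a constructed self-signed sample certificate and CRL (the `MIN_RSA_BITS` constant, the function names and the sample subject name are this example's own assumptions).

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

MIN_RSA_BITS = 3072  # CA/B Forum minimum for code signing RSA keys since June 2021

def _utc(obj, attr):
    """Read <attr>_utc where this cryptography version has it, else <attr>."""
    value = getattr(obj, attr + "_utc", None) or getattr(obj, attr)
    return value if value.tzinfo else value.replace(tzinfo=datetime.timezone.utc)

def audit_certificate(cert):
    """Findings for a code signing certificate; an empty list means it passes."""
    findings, key = [], cert.public_key()
    if isinstance(key, rsa.RSAPublicKey) and key.key_size < MIN_RSA_BITS:
        findings.append(f"RSA key is {key.key_size} bits, below {MIN_RSA_BITS}")
    if isinstance(cert.signature_hash_algorithm, hashes.SHA1):
        findings.append("certificate is signed with SHA-1")
    return findings

def audit_crl(crl):
    """Flag CRL entries whose Invalidity Date disagrees with revocationDate."""
    findings = []
    for entry in crl:
        try:
            inv = entry.extensions.get_extension_for_class(x509.InvalidityDate).value
        except x509.ExtensionNotFound:
            continue  # extension is optional; only a present, mismatching one is a finding
        if _utc(inv, "invalidity_date") != _utc(entry, "revocation_date"):
            findings.append(f"serial {entry.serial_number}: invalidityDate != revocationDate")
    return findings

def build_sample(key_bits, skew_minutes):
    """Constructed self-signed cert and one-entry CRL (sample data, not a real CA)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Sample Code Signing")])
    t0 = datetime.datetime(2024, 1, 1)  # naive datetimes are treated as UTC
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(t0).not_valid_after(t0 + datetime.timedelta(days=365))
            .sign(key, hashes.SHA256()))
    revoked_at = t0 + datetime.timedelta(days=30)
    skewed = revoked_at + datetime.timedelta(minutes=skew_minutes)  # skew 0 = compliant
    entry = (x509.RevokedCertificateBuilder().serial_number(cert.serial_number)
             .revocation_date(revoked_at).add_extension(x509.InvalidityDate(skewed), False).build())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(name).last_update(revoked_at)
           .next_update(revoked_at + datetime.timedelta(days=7))
           .add_revoked_certificate(entry).sign(key, hashes.SHA256()))
    return cert, crl
```

Running `audit_certificate` and `audit_crl` over `build_sample(3072, 0)` yields no findings, while `build_sample(2048, 5)` reports the undersized key and the mismatched revocation times.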

2023 – Focus on private key security

  • Mandatory Hardware Crypto Modules (June 2023)

    In June 2023, a major change required that the private keys of all code signing certificates be generated, stored, and used in hardware crypto modules. Hardware crypto modules, often referred to as HSMs, are like high-security vaults for private keys; they dramatically decrease the likelihood of compromise. These HSMs must comply with FIPS 140-2 Level 2 (or higher) or Common Criteria EAL 4+ requirements.

    Previously, software-based key generation was permitted, which made private keys easier to copy and transmit. Moreover, the verification procedures for Organization Validation and Individual Validation certificates have been made stricter to confirm the identities of those ordering them. The improvements established by the CA/B Forum in June 2023 are a significant advancement in making the code signing procedure more secure and reducing the opportunity for exploitation.

Responsibilities of CA/B Forum

The CA/Browser Forum is responsible for various activities such as:

  • Aiding industry collaboration

    The CA/B Forum facilitates collaboration by convening regular conferences and discussions among its members. These conferences serve as a platform for CAs, browser vendors, and other stakeholders to exchange information, discuss new risks, and collaborate on solutions. The CA/B Forum also has a mailing list and an online forum where members can communicate and collaborate.

  • Identifying emerging threats

    The CA/B Forum regularly tracks the changing cyber threat landscape. Possible threats are identified in various ways, such as threat intelligence reports, industry meetings, and technical research. Once a threat is found, the CA/B Forum collaborates with its members to determine the appropriate course of action, which may require altering the Baseline Requirements or publishing new guidelines.

  • Defining technical specifications

    The CA/B Forum defines specifications through working groups of technical experts from its member organizations. These organizations include certificate authorities (CAs), browser vendors, and others.

    These working groups set out the conditions for issuing, verifying, revoking, and managing digital certificates. For instance, they specify the minimum key strength for each certificate type and the exact cryptographic algorithms that should be used.

  • Formulating mandatory compliance standards

    The CA/B Forum doesn’t directly enforce its standards. Instead, it establishes mandatory compliance requirements through a ballot process voted on by its members. These requirements dictate the actions certificate authorities (CAs) must take when issuing and managing certificates.

    The CA/B Forum also publishes Baseline Requirements documents that detail these mandatory standards. CAs that fail to comply risk losing browser trust and having their issued certificates flagged as untrusted.

Future Proposals by CA/Browser Forum

Since technology changes rapidly, the CA/B Forum is always looking to the future to ensure that the existing system stays a strong part of online trust. This means not just responding to new threats but proactively considering how evolving technologies may change the process by which the certificates are issued, validated, and managed. They also ensure that the Baseline Requirements stay in parallel with changing regulations and industry best practices.

The following are the suggested proposals for future implementation:

  • Stricter Revocation Requirements (Proposed April 2024)

    Presently, certificates may only need to be revoked when the private key associated with them is compromised; the proposed update extends the scope of revocation to certificates that were used to sign suspicious programs. By promptly revoking such certificates, the CA/B Forum helps prevent these malicious applications from being installed and executed.

  • Mandatory Audits (Proposed June 2024)

    Auditing acts as an independent security inspection that confirms signing services comply with the latest security standards outlined by the CA/B Forum. This helps identify possible flaws or vulnerabilities in the code signing operation. By addressing these vulnerabilities promptly, the CA/B Forum helps mitigate the risk of compromised certificates or other security breaches within the code signing process.

Conclusion

It is important to keep pace with the CA/B Forum’s constantly evolving security requirements to ensure the integrity of code signing certificates. Encryption Consulting’s CodeSign Secure solution assists you with FIPS 140-2 Level 3 HSM compliance, in line with the CA/Browser Forum’s Baseline Requirements in effect from June 1, 2023, onward.

In addition to the CodeSign Secure solution, our HSM-as-a-service runs on FIPS 140-2 Level 3 validated hardware, providing full coverage for organizations looking for even higher security. Our solutions and services ensure that the code signing process follows the latest best practices and CA/B Forum specifications in a secure, trust-oriented, user-centered software landscape.


About the Author

Aryan Ajay Kumar is a cybersecurity consultant at Encryption Consulting. He safeguards data for clients by leveraging his knowledge of various technical domains, such as PKI, HSM, and Code Signing. His programming skills and knowledge of data science further enhance his ability to create complex cloud solutions. Aryan's impressive track record includes successful collaborations with top organizations on high-profile projects. Aryan's life also extends far beyond the world of cybersecurity. He enjoys playing football and is an avid reader. He is always seeking new ways to grow personally and professionally and loves various creative pursuits, like crafting or watching an inspiring movie. His passion for life and work enables him to contribute unique ideas and unwavering dedication.
