We want to inform you about new industry requirements that were announced by the Certificate Authority Security Council (CASC) for Code Signing certificates on 8th December 2016 and that comes into effect on the 1st of February 2017.
The new requirements address four key areas within our Code Signing products and provide a safer experience and minimize the risk of Code Signing attacks.
To reduce the chance of issuing certificates to malicious publishers the guidelines require that Symantec:
- Follow a strict and standardized identity verification process to authenticate publishers
- Check all Code Signing orders against lists of suspected or known malware publishers
- Check all Code Signing orders that were previously revoked by Symantec where the certificates were used to sign suspect code.
Symantec has also introduced a ‘Certificate Problem Reporting’ system for both Symantec and Thawte Code Signing certificates which will allow third parties like malware organisations and software suppliers to report issues relating to key compromise, certificate misuse and possible fraud. Under the new arrangement, once Symantec receives a request, we will either revoke the certificate within forty eight hours, or alert the requestor that we have started an investigation.
Symantec has enhanced their timestamping services for their Code Signing customers to meet the new requirements. More information can be found in the following KB articles for Microsoft Signing and Java Signing.
The main benefit of using a timestamp is that the signature does not expire when the certificate does, which is what happens in normal circumstances. Instead, the signature remains valid for the lifetime of the timestamp, which can be as long as 135 months.
Symantec has published a set of guidelines on private key protection best practices for Symantec and Thawte Code Signing certificates which must be reviewed and accepted by subscribers as part of the enrollment process.
These guidelines makes recommendations regarding the secure storage of private keys to mitigate against the risk of potential vulnerabilities, however it is important to call out that Code Signing minimum requirements published in December stop short of mandating that an OV Code Signing certificate must be stored on a FIPS 140-2 Level 2 HSM or equivalent on premise hardware.
Lastly, any pending Symantec or Thawte Code Signing orders placed before the 25th of January 2017 and not issued before the 1st of February 2017 will be cancelled by Symantec and respective customers asked to re-enroll.
If you want any further clarification about this announcement, or have any questions feel free to get in touch your Certificate Authority who issued your Code Signing Certificate.