Malware based revocation proposal #10

25 changes: 14 additions & 11 deletions docs/CSBR.md
@@ -171,7 +171,7 @@ Capitalized Terms are as defined in the Baseline Requirements or the EV SSL Guid

**Subscriber:** A natural person or Legal Entity to whom a Code Signing Certificate is issued and who is legally bound by a Subscriber Agreement or Terms of Use.

**Suspect Code**: Code that contains malicious functionality or serious vulnerabilities, including spyware, malware and other code that installs without the user\'s consent and/or resists its own removal, and code that can be exploited in ways not intended by its designers to compromise the trustworthiness of the Platforms on which it executes.
**Suspect Code**: Code that contains malicious functionality or serious vulnerabilities, including spyware, malware and other code that installs without the user\'s consent and/or resists its own removal, code that compromises user security and/or code that can be exploited in ways not intended by its designers to compromise the trustworthiness of the Platforms on which it executes.

**Takeover Attack**: An attack where a Signing Service or Private Key associated with a Code Signing Certificate has been compromised by means of fraud, theft, intentional malicious act of the Subject's agent, or other illegal conduct.
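Review bot: the inserted phrase "code that compromises user security and/or" in the Suspect Code definition has no bound. Read literally, any code with a security bug "compromises user security", which collapses the distinction the definition otherwise draws between "malicious functionality" and "serious vulnerabilities" and would put every Subscriber with a patchable CVE inside the revocation process of 4.9.1.3. Suggest either folding it into the existing vulnerability clause ("serious vulnerabilities that compromise user security") or qualifying it (e.g. "code designed to compromise user security"), and replacing the "and/or" chain with "or" so the list reads as alternatives.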

@@ -503,19 +503,22 @@ If the CA decides that the revocation will have an unreasonable impact on its cu

The CA MUST revoke a Code Signing Certificate within one (1) business day if the Subscriber requests in writing that the CA revoke the Certificate or notifies the CA that the original certificate request was not authorized and does not retroactively grant authorization.

#### 4.9.1.3 Revocation Based on Reported or Detected Compromise or Use in Malware
#### 4.9.1.3 Revocation Based on Reported or Detected Compromise or Use in Suspect Code

For all incidents involving malware, CAs SHALL revoke the Code Signing Certificate in accordance with and within the following maximum timeframes. Nothing herein prohibits a CA from revoking a Code Signing Certificate prior to these timeframes.
Except for cases that fall under Section 4.9.1.1, if, while investigating a Certificate Problem Report, the CA determines the Subscriber's Private Key is compromised or likely being used for Suspect Code, the CA SHALL revoke the corresponding Code Signing Certificate in accordance with and within the following maximum time frames. Nothing herein prohibits a CA from revoking a Code Signing Certificate prior to these time frames.

1. The CA MUST contact the software publisher within one (1) business day after the CA is made aware of the incident.
2. The CA MUST determine the volume of relying parties that are impacted (e.g., based on OCSP logs) within 72 hours after being made aware of the incident.
3. The CA MUST request the software publisher send an acknowledgement to the CA within 72 hours of receipt of the request.
a. If the publisher responds within 72 hours, the CA and publisher MUST determine a "reasonable date" to revoke the certificate based on discussions with the CA.
b. If CA does not receive a response, the CA must notify the publisher that the CA will revoke in 7 days if no further response is received.
i. If the publisher responds within 7 days, the CA and the publisher will determine a "reasonable date" to revoke the certificate based on discussion with the CA.
ii. If no response is received after 7 days, the CA must revoke the certificate except if the CA has documented proof (e.g., OCSP logs) that the revocation will cause significant impact to the general public.
1. The CA SHALL contact the Subscriber within 24 hours after the CA received the Certificate Problem Report, notifying that the Certificate is scheduled to be revoked with a revocation date set before the time that the Private Key became compromised or likely used to sign Suspect Code. This revocation date is set in the past to prevent Relying Parties from executing Suspect Code signed with the affected Code Signing Certificate.
2. The CA SHALL request the Subscriber to respond with an acknowledgement and SHOULD request the Subscriber to respond with an impact assessment of affected Relying Parties if the revocation date is set before the time that the Private Key became compromised or likely used to sign Suspect Code, and to state the associated Application Software Supplier(s).
3. The CA SHALL request the Subscriber to respond to the CA within 72 hours of the CA sending the notification.
4. If the Subscriber responds within 72 hours, then based on the Subscriber's impact assessment:
1. The CA MAY submit a revocation plan to associated Application Software Suppliers no later than 7 calendar days after the CA received the Certificate Problem Report. The revocation plan:
1. SHALL contain informing about the planned revocation date to be set for the to-be-revoked Certificate; and
2. SHALL request suggestions for a "more appropriate" revocation date in case the proposed revocation date has a significant impact on Relying Parties associated with that particular Application Software Supplier.
3. The CA SHALL request the Application Software Supplier to respond within 72 hours.
2. Based on the feedback received, the CA MAY determine a more appropriate revocation date to be associated with the revocation of the Certificate. The CA SHALL revoke the Certificate within 7 days after the CA received the Certificate Problem Report.
5. If the CA does not receive a response from the Subscriber, then the CA SHALL revoke the Certificate within 24 hours from the end of the response period.

A CA revoking a Certificate because the Certificate was associated with signed Suspect Code or other fraudulent or illegal conduct SHOULD provide all relevant information and risk indicators to other CAs or industry groups. The CA SHOULD indicate whether its investigation found that the Suspect Code was a false positive or an inadvertent signing.
A CA revoking a Certificate because the Certificate was associated with signed Suspect Code or other fraudulent or illegal conduct SHOULD provide all relevant information and risk indicators to other CAs, Application Software Suppliers, or industry groups. The CA SHOULD contact the Application Software Suppliers within 24 hours after the CA received the Certificate Problem Report.

#### 4.9.1.4 Revocation of a Subordinate CA Certificate
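Review bot: the timeline in items 4.1 and 4.2 does not close. The revocation plan may be submitted to Application Software Suppliers "no later than 7 calendar days after the CA received the Certificate Problem Report" and the Suppliers are then given 72 hours to respond, yet item 4.2 requires the CA to "revoke the Certificate within 7 days after the CA received the Certificate Problem Report", so Supplier feedback solicited on day 5 or later cannot arrive before the revocation deadline. Suggest shortening the plan submission deadline (e.g. "no later than 3 calendar days") or measuring the revocation deadline from the end of the Supplier response period, and stating which clock controls when they conflict. Two smaller points in the same hunk: item 2 makes the impact assessment conditional on the revocation date being set "before the time that the Private Key became compromised", but item 1 makes that backdating unconditional, so the condition is always true and should be dropped or item 1 made conditional; and item 4.1.1 "SHALL contain informing about the planned revocation date" should read "SHALL state the planned revocation date". Item 4.1.3 ("The CA SHALL request the Application Software Supplier to respond within 72 hours") is a CA action rather than content of the revocation plan and belongs as a sibling of 4.1, not a child.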
