[Skip navigation links]

CA Browser Forum releases draft requirements for code-signing certificates

The CA Browser Forum (CAB) is an industry body that develops and agrees to abide by standards to improve the security of PKI.  Its members include Certificate Authorities and software vendors.

To reduce the incidence and risk of publicly trusted code-signing certificates being misused to digitally sign malware, the CAB has prepared and released new draft guidelines for public comment.  The Code Signing Baseline Requirements are not yet finalised and are released as a draft only at this time.

Once the Requirements are finalised then QuoVadis will update its CP/CPS to include the new requirements.  At this time, QV will also provide more information about the nature of these changes and how they will affect users of code-signing certificates.

One proposed change that is worth noting is the recommendation to issue code-signing certificates onto approved SSCDs, such as a hardware security module or cryptographic USB token.  The changes are designed to improve the security and misuse of the private key associated with a digital certificate.  See section 16.3, Subscriber Private Key Protection.