Certificate Authority Security Council's Minimum Requirements for the Issuance and Management of Code Signing Certificates taking effect on February 1, 2017
Microsoft has announced that they will be adopting the new Minimum Requirements for the Issuance and Management of Code Signing Certificates issued by the Certificate Authority Security Council (CASC). This means, beginning February 1, 2017, Certificate Authorities (CAs) will need to meet these requirements in order for their certificates to be trusted in Windows platforms. As such, GlobalSign will be making the changes listed below starting January 30, 2017.
All Code Signing Certificates Will Be Issued with USB tokens
The Minimum Requirements specify that CAs shall ensure stronger protection for private keys. As such, all Code Signing Certificates, not just Extended Validation level, will require a USB token starting on January 30, 2017. With this, all New and Renewal Standard Code Signing orders will be sent a USB token to store the certificate and protect the private key. Also, all standard Code Signing products except for EV Code Signing will be integrated to one “multi-platform” Code Signing Certificate.
Note: Reissues of existing Code Signing Certificates (issued prior to 30 January 2017) will not require a token right away. However, this is subject to change.
Inclusion of State and/or Locality in the subjectDN
The Minimum Requirements specify standardized and strict identity verification practices. With this, GlobalSign will now require Code Signing Certificates to contain State and/or Locality in the subjectDN. As such, ordering pages will be updated to include Locality or State or both as mandatory fields in the code signing application.
New Timestamping Requirements
Furthermore, the Minumum Requirements specify timestamping requirements. As such, GlobalSign has new dedicated Code Signing timestamp URLs (for use after January 30, 2017) :
|Hashing Algorithm||New Timestamp URL|
Problem Certificate Reporting and Revocation
Lastly, there are new/standardized requirements in place for problem certificate reporting and revocation. Problem certificates would be those suspected of private key compromise, used to sign suspect or malicious code, etc.
Most likely, a revocation will be requested by a malware researcher or an application software supplier, such as Microsoft, where users of their software may be installing suspect code or malware. In this case, if Microsoft were to ask GlobalSign to revoke the certificate, then within two days the certificate must be revoked or Microsoft must be informed that GlobalSign has started an investigation. Problem certificates can be reported directly through our website at: https://www.globalsign.com/en/report-abuse/
For further information, please refer to our recent blog post What Do The New Code Signing Certificate Requirements Mean For Developers.
1. Minimum Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates
2. Microsoft Trusted Root Program Requirements