Attackers leave no stone unturned when hunting for security weaknesses, however slim their odds of success. Bodies such as the CA/Browser (CA/B) Forum therefore have to stay a step ahead by tightening their policies and closing off avenues for compromise. One such change takes effect on June 1, 2023 and concerns OV Code Signing Certificates.
November 15, 2022 was originally the effective date for the new OV Code Signing Certificate issuance policy, but the CA/B Forum extended it to give CAs and subscribers a reasonable period for a smooth transition.
From June 1, 2023, the private key of an OV code signing certificate must be generated and stored in a hardware cryptographic module. That hardware must be certified to FIPS 140-2 Level 2, Common Criteria EAL 4+ or an equivalent standard.
This change comes from a CA/B Forum vote to amend its “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates.” Its latest version, 3.0.0, outlines the changes coming to OV Code Signing Certificates.
Effective from that date, any publisher purchasing, renewing or reissuing a certificate will no longer be able to export the private key as a PKCS#12 (PFX) file, nor to collect the certificate through an activation link without a hardware token.
Before going into the details of this change, let’s first understand what OV code signing certificates are and how they work today.
A Code Signing Certificate is used to digitally sign executables, scripts and other code. In other words, it assures users of the origin and integrity of the software they are installing: who published it, and that it has not been altered since it was signed.
An Organization Validation (OV) Code Signing Certificate, as the name implies, is one for which the certificate authority has verified the organization behind the software. Software signed with it displays the verified publisher name when users install or run it, which helps bridge the trust gap and communicates the software’s legitimacy to end users.
Under the current rules, once the certificate authority has verified your organization, the certificate and its private key are delivered as a password-protected file that lives on the publisher’s computer. Until June 1, 2023 no hardware token is required to hold either the certificate or the private key.
Here’s what the Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates v3.0.0 state:
Subscriber Private Keys for Code Signing Certificates SHALL be protected per the following requirements. The CA MUST obtain a contractual representation from the Subscriber that the Subscriber will use one of the following options to generate and protect their Code Signing Certificate Private Keys in a Hardware Crypto Module with a unit design form factor certified as conforming to at least FIPS 140‐2 Level 2 or Common Criteria EAL 4+.
Thus, the private keys of OV code signing certificates must be stored in one of the following:
You’re right if this sounds like an EV code signing certificate. From June 1, 2023 we expect OV code signing certificates to be delivered on a USB security token, the same way EV code signing certificates are today.
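The practical question for a publisher is whether an existing code-signing key is actually held in hardware and non-exportable, or is a software key that could be copied out as a PFX. The following PowerShell is an added example written for this article, not code from the original page, the CA/B Forum or any CA: it lists every code-signing certificate in the current user’s personal store and reports the key storage provider, whether the key is hardware-backed, and whether the provider allows export. The hardware check for CNG keys is an assumption that treats any provider other than the Microsoft Software Key Storage Provider as hardware-backed, and only RSA keys are inspected.

```powershell
# Added example, not part of the original article. Reports, for each code-signing
# certificate in the current user's personal store, where its private key lives and
# whether that key can leave the provider. Assumes Windows PowerShell 5.1 or
# PowerShell 7 on Windows; the hardware heuristic for CNG keys is an assumption.
function Get-CodeSigningKeyReport {
    # -CodeSigningCert filters on the id-kp-codeSigning EKU (1.3.6.1.5.5.7.3.3).
    Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert | ForEach-Object {
        $cert = $_
        $report = [ordered]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Provider      = $null
            HardwareKey   = $null
            Exportable    = $null
        }

        if ($cert.HasPrivateKey) {
            # Returns RSACng for CNG/KSP-held keys, RSACryptoServiceProvider for legacy
            # CSP keys, or $null if the certificate's key is not RSA.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)

            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $key = $rsa.Key
                $report.Provider = $key.Provider.Provider
                # A token or smart card KSP normally reports ExportPolicy = None; any
                # export flag set means the key material can be pulled out of the provider.
                $report.Exportable = ($key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
                # Assumption: anything other than the software KSP is hardware-backed.
                $report.HardwareKey = ($key.Provider.Provider -ne 'Microsoft Software Key Storage Provider')
            }
            elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $info = $rsa.CspKeyContainerInfo
                $report.Provider    = $info.ProviderName
                $report.Exportable  = $info.Exportable
                $report.HardwareKey = $info.HardwareDevice
            }
            elseif ($null -eq $rsa) {
                $report.Provider = 'non-RSA key (not inspected)'
            }
        }

        [pscustomobject]$report
    }
}

# Any row with HasPrivateKey = True, HardwareKey = False and Exportable = True is a
# software key that could be copied into a PFX; that is the arrangement the
# June 1, 2023 requirement removes for newly issued OV certificates.
Get-CodeSigningKeyReport | Format-Table -AutoSize
```

Run it in the context of the account that signs builds. A certificate delivered on a USB token should show a vendor or smart card key storage provider with Exportable = False; a certificate imported from a PFX will typically show the Microsoft Software Key Storage Provider or a software CSP, and if it was imported with the exportable option it will show Exportable = True.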
Some CAs are implementing the changes early, by mid-April, so that their services are fully updated well before the deadline. Customers buying a Code Signing Certificate (IV or OV) from them will then already go through a procedure that aligns with the new requirements.
The main reason, as you can probably guess, is to protect the private keys of OV code signing certificates as well as possible. The organization vetting process is reasonably robust, but the private key is the most vulnerable part of the code signing ecosystem: a key stored in a file on a build machine can be copied along with everything else when that machine is compromised.
Attackers have exploited exactly this weakness. In early 2022 the Lapsus$ group stole two of NVIDIA’s code signing certificates, and those certificates were then used to sign malware so that it bypassed Windows’ security filters and warnings. Lapsus$ claimed to have stolen 1 TB of data and began leaking it after NVIDIA refused to negotiate.
To avoid such scenarios in the future, it’s essential to ensure the safety of private keys, and that’s exactly what the CA/B forum is doing.
The changes apply to all certificates issued on or after June 1, 2023. If you already hold a Comodo Code Signing Certificate or Sectigo Code Signing Certificate, you can continue using it as before; your certificate authority will contact you if anything needs to be done.
Individual developers will also need to adapt to this change, as the CA/B Forum applies the same requirements to Individual Validation (IV) Code Signing Certificates.
All the changes take effect on June 1, 2023, and the CAs will handle the transition. An OV Code Signing Certificate you currently hold will keep working until it expires, and your CA will let you keep signing executables with the same PFX file. If you purchase an OV certificate on or after June 1, 2023, however, you will only receive a hardware-based certificate.
Sectigo, a well-known certificate authority, is implementing all the changes before April 24, 2023. Until then you can still purchase its software-based Code Signing Certificate with three-year validity through the usual validation procedure.
You do, however, need to complete the document verification before the new policy takes effect. According to the vendor, doing so saves 3 to 4x in cost, as well as effort and time, over the extended validity period.
A physical security token is mandatory for code signing after June 1, 2023. Until then, you can still avoid the physical token process by getting a Code Signing Certificate now at the lowest price.