The CA/Browser Form Code Signing Working Group has recently updated the Signing Service Requirements in the Code Signing Baseline Requirements (CSBRs) through ballot CSC-21.
The former Signing Service Requirements allowed for a model with risks for secure deployment. Upon receiving a Code Signing Request, the model would allow the Signing Service to perform CA functions, such as providing the Certificate Subscriber Agreement and performing applicant verification.
Definition of Signing Service
The new model requires the CA to provide the Subscriber Agreement and perform verification. The updated requirements now define the Signing Service as: “An organization that generates the key pair and securely manages the private key associated with the code signing certificate on behalf of the subscriber.” The primary focus is to support the subscriber and ensure that their private keys are generated and protected within a cryptographic module to control private key activation.
Advantages of Signing Services
Signing Services play a critical role in mitigating the primary risk of private key compromise for subscribers. Additionally, they provide simplicity by offering alternatives, such as using a subscriber-hosted cryptographic module. This eliminates the need for subscribers to install and configure a server crypto module or use tokens and drivers.
Compliance and Audit Requirements
In addition to providing Signing Service requirements, the CSBRs also provide audit requirements to ensure compliance and private key protection. Signing Services must undergo annual audits to meet the applicable requirements outlined in WebTrust for CSBRs and WebTrust for Network Security.
As your code signing solution partner, Entrust supports these updated requirements and offers Code Signing as a Service for both OV and EV Code Signing Certificates.
