OV Code Signing Key Storage Requirement Changes Pushed to 2023
1 Star2 Stars3 Stars4 Stars5 Stars (4 votes, average: 5.00 out of 5)
Loading...

OV Code Signing Key Storage Requirement Changes Pushed to 2023

Industry leaders decided to hold off on rolling out the new secure key storage requirements for organization validation (OV) code signing certificates until June 1, 2023

Back in July, we published a blog post explaining that changes were coming down the pike to require standard code signing certificates’ private keys to be stored on approved hardware security devices. This rollout was supposed to take effect starting Nov. 15 (Nov. 14 for North and South American users). However, as things often go in life, the situation has changed (and continues to evolve).

The CA/B Forum has decided to postpone the deadline until June 1, 2023, giving certificate authorities and certificate users more time to update their systems and processes. Let’s take a quick look at what the changes are and why they’re being delayed.

Let’s hash it out.

A Quick Recap of the Proposed Changes to OV Code Signing Certificate Key Storage

We’re not going to go over all of this super in depth since we already have a full article on this topic. However, we thought it would be good to at least briefly cover the CA/B Forum’s new industry requirements for issuing and storing OV code signing certificates before getting into the changes to when it’s supposed to roll out.

  • The CA/B Forum’s new requirements affect new/reissued IV and OV code signing certificates. The changes listed in the CA/B Forum’s Code Signing Baseline Requirements (CSBR) version 3.1 specify how to create, store, install, renew, and reissue corresponding private keys for individual validation (IV) and organization validation (OV) code signing certificates.
  • Certificate signing requests (CSR) for code signing certificates go the way of the Dodo bird (for most users). Instead of you creating and submitting a certificate signing request (CSR) form for each certificate, your issuing CA will usually handle the certificate and key generation processes on their end. This is similar to the process for extended validation (EV) code signing certificates.
  • The cryptographic module(s) (hardware) you use must meet specific security standards. Not just any secure hardware will work. You must use FIPS 140 Level 2/EAL 4+ compliant secure hardware cryptographic modules or signing services as a minimum to store your code signing certificates’ sensitive private keys.

All of these things aim to improve the security of your private keys. But if the changes are so positive, why are we delaying them?

Why These Changes Are Being Pushed Back Until June 1, 2023

A screenshot from the CA/B Forum's public discussion email list. This screenshot shows Ian McMillan's message regarding proposed changes to the code signing baseline requirements.
Image caption: A screenshot from the CA/B Forum’s public mailing list discussion on the proposed changes.

In a CA/B Forum public mailing list discussion, Ian McMillan, Principal Product Manager at Microsoft, explained that the deadline for the proposed changes was “too tight” for subscribers and CAs alike and that he’d received a lot of emails expressing concerns about the Nov. 15, 2022 timeline. While having an aggressive deadline is great, the issue is the requirements would be difficult to implement effectively in such a brief window.

In part, McMillan said there are concerns relating to the ongoing global supply chain challenges and rising costs. These factors make it difficult to get the necessary hardware security tokens en masse, particularly when you consider that Keyfactor reports that organizations have an average of 25 code signing certificates, yet only half (51%) store them in hardware security modules (HSMs).

Unsurprisingly, representatives from several CAs — DigiCert, Sectigo, and Entrust — agreed that delaying the change will be good for the CAs and certificate users alike. Because code signing is such an integral part of the software development process, certificate users have a wide variety of systems and processes that will need to be supported and/or updated. This gives them time to finalize their process and get their ducks in a row.

Here’s a quick look at the ballot voting results that were posted on the CA/B Forum’s CSCWG public discussion list:

A screenshot from the CA/B Forum's public discussion email list. This screenshot shows the voting results of Ballot CSCWG-17 regarding the private key storage requirements extension.
Image caption: A screenshot from the CA/B Forum discussion list that shows the voting results of Ballot CSCWG-17, which pushed back the key storage requirements change to June 1, 2023.

Do I Have to Wait to Make the Key Storage Changes?

No. If you’re the proactive, go-getter type who wants to start implementing the changes right away, you can certainly do so if you have the appropriate cryptographic hardware. This way, you don’t have to wait and worry about doing so down the road. Reach out to your certificate provider to see what steps you need to take to make this happen.

If you’re like most companies that want to take advantage of the delay, that’s okay, too. But just be sure to give yourself ample time to make the changes before the planned June 1, 2023 deadline arrives.  

Be the first to comment

Leave a Reply

Your email address will not be published. We will only use your email address to respond to your comment and/or notify you of responses. Required fields are marked *

Captcha *

Author

Casey Crane

Casey Crane is a regular contributor to (and managing editor of) Hashed Out. She has 15+ years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.