{"id":15805,"date":"2022-09-30T12:05:07","date_gmt":"2022-09-30T16:05:07","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=15805"},"modified":"2023-05-24T10:44:54","modified_gmt":"2023-05-24T14:44:54","slug":"ov-code-signing-key-storage-requirement-changes-pushed-to-2023","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/ov-code-signing-key-storage-requirement-changes-pushed-to-2023\/","title":{"rendered":"OV Code Signing Key Storage Requirement Changes Pushed to 2023"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-industry-leaders-decided-to-hold-off-on-rolling-out-the-new-secure-key-storage-requirements-for-organization-validation-ov-code-signing-certificates-until-june-1-2023\">Industry leaders decided to hold off on rolling out the new secure key storage requirements for organization validation (OV) code signing certificates until June 1, 2023<\/h2>\n\n\n\n<p>Back in July, we published a blog post explaining that changes were coming down the pike to require <a href=\"https:\/\/www.thesslstore.com\/blog\/changes-coming-to-ov-code-signing-certificates-keys-starting-nov-15\/\">standard code signing certificates\u2019 private keys<\/a> to be stored on approved hardware security devices. This rollout was supposed to take effect starting Nov. 15 (Nov. 14 for North and South American users). However, as things often go in life, the situation has changed (and continues to evolve).<\/p>\n\n\n\n<p>The CA\/B Forum has decided to <a href=\"https:\/\/lists.cabforum.org\/pipermail\/cscwg-public\/2022-September\/000891.html\">postpone the deadline until June 1, 2023<\/a>, giving certificate authorities and certificate users more time to update their systems and processes. 
Let\u2019s take a quick look at what the changes are and why they\u2019re being delayed.<\/p>\n\n\n\n<p>Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n\n<div class=\"wp-block-advanced-gutenberg-blocks-notice is-variation-info has-icon\" data-type=\"info\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><circle cx=\"12\" cy=\"12\" r=\"10\"><\/circle><line x1=\"12\" y1=\"16\" x2=\"12\" y2=\"12\"><\/line><line x1=\"12\" y1=\"8\" x2=\"12\" y2=\"8\"><\/line><\/svg><p class=\"wp-block-advanced-gutenberg-blocks-notice__title\">CAs to Roll Out Pricing Changes Ahead of New OV Code Signing Certificate Changes<\/p><p class=\"wp-block-advanced-gutenberg-blocks-notice__content\">In March 2023, we published an article about some of the pricing changes you can expect to see as <a href=\"https:\/\/www.thesslstore.com\/blog\/code-signing-price-changes-as-cas-align-with-new-industry-standards\/\">Certificate Authorities align with the new industry code signing standards<\/a>.<\/p><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-a-quick-recap-of-the-proposed-changes-to-ov-code-signing-certificate-key-storage\">A Quick Recap of the Proposed Changes to OV Code Signing Certificate Key Storage<\/h2>\n\n\n\n<p>We\u2019re not going to go over all of this super in depth since we already have a full article on this topic. 
However, we thought it would be good to at least briefly cover the CA\/B Forum\u2019s new industry requirements for issuing and storing OV code signing certificates before getting into the change to when they\u2019re supposed to roll out.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>The CA\/B Forum\u2019s new requirements affect new\/reissued IV and OV code signing certificates.<\/strong> The changes listed in the CA\/B Forum\u2019s <a href=\"https:\/\/cabforum.org\/wp-content\/uploads\/Baseline-Requirements-for-the-Issuance-and-Management-of-Code-Signing.v3.1.pdf\">Code Signing Baseline Requirements (CSBR) version 3.1<\/a> specify how to create, store, install, renew, and reissue corresponding private keys for individual validation (IV) and organization validation (OV) <a href=\"https:\/\/www.thesslstore.com\/products\/code-signing-certificates.aspx\">code signing certificates<\/a>.<\/li>\n\n\n\n<li><strong>Certificate signing requests (CSRs) for code signing certificates go the way of the dodo bird (for most users).<\/strong> Instead of you creating and submitting a certificate signing request (CSR) form for each certificate, your issuing CA will usually handle the certificate and key generation processes on their end. This is similar to <a href=\"https:\/\/www.thesslstore.com\/comodo\/how-ev-code-signing-works.aspx\">the process for extended validation (EV) code signing certificates<\/a>.<\/li>\n\n\n\n<li><strong>The cryptographic module(s) (hardware) you use must meet specific security standards.<\/strong> Not just any secure hardware will work. You must use FIPS 140 Level 2\/EAL 4+ compliant secure hardware cryptographic modules or signing services at a minimum to store your code signing certificates\u2019 sensitive private keys.<\/li>\n<\/ul>\n\n\n\n<p>All of these things aim to improve the security of your private keys. 
But if the changes are so positive, why are we delaying them?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-why-these-changes-are-being-pushed-back-until-june-1-2023\">Why These Changes Are Being Pushed Back Until June 1, 2023<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"590\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/09\/cabforum-proposed-cscwg-change-discussion2-1024x590.png\" alt=\"A screenshot from the CA\/B Forum's public discussion email list. This screenshot shows Ian McMillan's message regarding proposed changes to the code signing baseline requirements. \" class=\"wp-image-15807\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/09\/cabforum-proposed-cscwg-change-discussion2-1024x590.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/09\/cabforum-proposed-cscwg-change-discussion2-300x173.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/09\/cabforum-proposed-cscwg-change-discussion2-768x442.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/09\/cabforum-proposed-cscwg-change-discussion2.png 1351w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Image caption: A screenshot from the CA\/B Forum\u2019s public mailing list discussion on the proposed changes.<\/em><\/figcaption><\/figure>\n\n\n\n<p>In a <a href=\"https:\/\/lists.cabforum.org\/pipermail\/cscwg-public\/2022-September\/000856.html\">CA\/B Forum public mailing list discussion<\/a>, Ian McMillan, Principal Product Manager at Microsoft, explained that the deadline for the proposed changes was \u201ctoo tight\u201d for subscribers and CAs alike and that he\u2019d received a lot of emails expressing concerns about the Nov. 15, 2022 timeline. 
While having an aggressive deadline is great, the issue is that the requirements would be difficult to implement effectively in such a brief window.<\/p>\n\n\n\n<p>In part, McMillan said there are concerns relating to the <a href=\"https:\/\/www.jabil.com\/blog\/global-chip-shortages.html\">ongoing global supply chain challenges<\/a> and rising costs. These factors make it difficult to get the necessary hardware security tokens <em>en masse<\/em>, particularly when you consider that Keyfactor reports that organizations have an average of <a href=\"https:\/\/www.keyfactor.com\/blog\/the-importance-of-code-signing-in-software-supply-chain\/\">25 code signing certificates<\/a>, yet only half (51%) store them in hardware security modules (HSMs).<\/p>\n\n\n\n<p>Unsurprisingly, representatives from several CAs \u2014 DigiCert, Sectigo, and Entrust \u2014 agreed that delaying the change will be good for the CAs and certificate users alike. Because code signing is such an integral part of the software development process, certificate users have a wide variety of systems and processes that will need to be supported and\/or updated. This gives them time to finalize their process and get their ducks in a row.<\/p>\n\n\n\n<p>Here\u2019s a quick look at the ballot voting results that were posted on the CA\/B Forum\u2019s CSCWG public discussion list:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"674\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/09\/cabforum-cscwg-changes-ballot-vote2-1024x674.png\" alt=\"A screenshot from the CA\/B Forum's public discussion email list. This screenshot shows the voting results of Ballot CSCWG-17 regarding the private key storage requirements extension. 
\" class=\"wp-image-15808\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/09\/cabforum-cscwg-changes-ballot-vote2-1024x674.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/09\/cabforum-cscwg-changes-ballot-vote2-300x197.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/09\/cabforum-cscwg-changes-ballot-vote2-768x505.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/09\/cabforum-cscwg-changes-ballot-vote2.png 1102w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Image caption: A screenshot from the CA\/B Forum discussion list that shows the voting results of Ballot CSCWG-17, which pushed back the key storage requirements change to June 1, 2023.<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-do-i-have-to-wait-to-make-the-key-storage-changes\">Do I Have to Wait to Make the Key Storage Changes?<\/h2>\n\n\n\n<p>No. If you\u2019re the proactive, go-getter type who wants to start implementing the changes right away, you can certainly do so if you have the appropriate cryptographic hardware. This way, you don\u2019t have to wait and worry about doing so down the road. Reach out to your certificate provider to see what steps you need to take to make this happen.<\/p>\n\n\n\n<p>If you\u2019re like most companies that want to take advantage of the delay, that\u2019s okay, too. But just be sure to give yourself ample time to make the changes before the planned June 1, 2023 deadline arrives. 
<\/p>","protected":false},"excerpt":{"rendered":"<p>Industry leaders decided to hold off on rolling out the new secure key storage requirements for organization validation (OV) code signing certificates until June 1, 2023 Back in July, we&#8230;<\/p>\n","protected":false},"author":17,"featured_media":15809,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[17,10200],"tags":[4969,13199],"class_list":["post-15805","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-industry-lowdown","category-monthly-digest","tag-code-signing","tag-code-signing-baseline-requirements","post-with-tags"],"views":6178,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/09\/ov-code-signing-key-storage-requirement-changes-delayed-feature.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/15805","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=15805"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/15805\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ww
w.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/15809"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=15805"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=15805"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=15805"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}