Commit 1e31195

sc-075 alignment
1 parent 0930e44 commit 1e31195

1 file changed

Lines changed: 37 additions & 1 deletion

docs/CSBR.md

@@ -315,6 +315,8 @@ Capitalized Terms are as defined below and in the EV SSL Guidelines:
315315

316316
**Lifetime Signing OID:** An optional extended key usage OID (`1.3.6.1.4.1.311.10.3.13`) used by Microsoft Authenticode to limit the lifetime of the code signature to the expiration of the code signing certificate.
317317

318+
**Linting**: A process in which the content of digitally signed data such as a Precertificate [RFC 6962], Certificate, Certificate Revocation List, or OCSP response, or data-to-be-signed object such as a `tbsCertificate` (as described in [RFC 5280, Section 4.1.1.1](https://tools.ietf.org/doc/html/rfc5280##section-4.1.1.1)) is checked for conformance with the profiles and requirements defined in these Requirements.
319+
318320
**Non-EV Code Signing Certificate:** Term used to signify requirements that are applicable to Code Signing Certificates which do not have to meet the EV requirements.
319321

320322
**Notary**: A person whose commission under applicable law includes authority to authenticate the execution of a signature on a document.
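
Review bot: the RFC 5280 link in the new **Linting** definition carries a doubled hash in its fragment (`rfc5280##section-4.1.1.1`), so the anchor will not resolve; change it to a single `#`. The same sentence cites RFC 6962 as a bare bracketed reference while RFC 5280 gets an inline link, so one citation style should be used for both. Because the definition introduces `Precertificate`, confirm that term is defined in these Requirements and not only in the TLS Baseline Requirements this text is being aligned with.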
@@ -1242,8 +1244,34 @@ No stipulation.
12421244

12431245
### 4.3.1 CA actions during certificate issuance
12441246

1247+
#### 4.3.1.1 Manual authorization of certificate issuance for Root CAs
1248+
12451249
Certificate issuance by the Root CA MUST require an individual authorized by the CA (i.e. the CA system operator, system officer, or PKI administrator) to deliberately issue a direct command in order for the Root CA to perform a certificate signing operation.
12461250

1251+
#### 4.3.1.2 Linting of to-be-signed Certificate content
1252+
1253+
Due to the complexity involved in implementing Certificate Profiles that conform to these Requirements, it is considered best practice for the CA to implement a Linting process to test the technical conformity of each to-be-signed artifact prior to signing it. When a Precertificate has undergone Linting, it is not necessary for the corresponding to-be-signed Certificate to also undergo Linting, provided that the CA has a technical control to verify that the to-be-signed Certificate corresponds to the to-be-signed Precertificate in the manner described by RFC 6962, Section 3.2.
1254+
Effective 2025-06-15, the CA SHOULD implement such a Linting process.
1255+
1256+
Methods used to produce a certificate containing the to-be-signed Certificate content include, but are not limited to:
1257+
1258+
1. Sign the `tbsCertificate` with a "dummy" Private Key whose Public Key component is not certified by a Certificate that chains to a publicly-trusted CA Certificate; or
1259+
2. Specify a static value for the `signature` field of the Certificate ASN.1 SEQUENCE.
1260+
1261+
CAs MAY implement their own certificate Linting tools, but CAs SHOULD use the Linting tools that have been widely adopted by the industry (see https://cabforum.org/resources/tools/).
1262+
1263+
CAs are encouraged to contribute to open-source Linting projects, such as by:
1264+
1265+
- creating new or improving existing lints,
1266+
- reporting potentially inaccurate linting results as bugs,
1267+
- notifying maintainers of Linting software of checks that are not covered by existing lints,
1268+
- updating documentation of existing lints, and
1269+
- generating test certificates for positive/negative tests of specific lints.
1270+
1271+
#### 4.3.1.3 Linting of issued Certificates
1272+
1273+
CAs MAY use a Linting process to test each issued Certificate.
1274+
12471275
### 4.3.2 Notification to subscriber by the CA of issuance of certificate
12481276

12491277
No stipulation.
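
Review bot: item 2 under 4.3.1.2 refers to "the `signature` field of the Certificate ASN.1 SEQUENCE", but in RFC 5280 Section 4.1 the outer `Certificate` SEQUENCE has the fields `tbsCertificate`, `signatureAlgorithm` and `signatureValue`; `signature` is the AlgorithmIdentifier inside `tbsCertificate`. The field that receives the static value is `signatureValue`, so the item should name it to avoid implementers overwriting the wrong field. Minor: the Precertificate carve-out cites "RFC 6962, Section 3.2" as plain text while the new definition in the same commit links RFC 5280 inline; link both the same way.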
@@ -2071,6 +2099,10 @@ The CA SHALL enforce multi-factor authentication for all accounts capable of dir
20712099

20722100
### 6.6.1 System development controls
20732101

2102+
If a CA uses Linting software developed by third parties, it SHOULD monitor for updated versions of that software and plan for updates no later than three (3) months from the release of the update.
2103+
2104+
The CA MAY perform Linting on the corpus of its unexpired, un-revoked Subscriber Certificates whenever it updates the Linting software.
2105+
20742106
### 6.6.2 Security management controls
20752107

20762108
### 6.6.3 Life cycle security controls
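
Review bot: "plan for updates no later than three (3) months from the release of the update" is ambiguous about whether the CA must have deployed the new Linting software within three months or merely scheduled the deployment; if deployment is the intent, say "apply the update", and state what counts as a release (a tagged version rather than any commit), since that is what the clock is measured from.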
@@ -2608,7 +2640,11 @@ The Audit Report MUST be available as a PDF, and SHALL be text searchable for al
26082640

26092641
## 8.7 Self-audits
26102642

2611-
CAs must abide by the self-audit requirements of these Guidelines. During the period in which it issues Code Signing Certificates, the CA MUST strictly control its service quality by performing ongoing self-audits against a randomly selected sample of at least three percent of the Non-EV Code Signing Certificates and at least three percent of the EV Code Signing Certificates it has issued in the period beginning immediately after the last sample was taken. For all Code Signing Certificates where the final cross-correlation and due diligence requirements of Section 8 of these Guidelines is performed by an RA, the CA MUST strictly control its service quality by performing ongoing self-audits against a randomly selected sample of at least six percent of the Non-EV Code Signing Certificates and at least six percent of the EV Code Signing Certificates it has issued in the period beginning immediately after the last sample was taken.
2643+
During the period in which the CA issues Certificates, the CA SHALL monitor adherence to its Certificate Policy, Certification Practice Statement and these Requirements and strictly control its service quality by performing self audits on at least a quarterly basis against a randomly selected sample of the greater of one certificate or at least six percent of the Non-EV Code Signing Certificates and at least six percent of the EV Code Signing Certificates issued by it during the period commencing immediately after the previous self-audit sample was taken.
2644+
2645+
Effective 2025-06-15, the CA SHOULD use a Linting process to verify the technical accuracy of Certificates within the selected sample set independently of previous linting performed on the same Certificates.
2646+
2647+
Except for Delegated Third Parties that undergo an annual audit that meets the criteria specified in [Section 8.4](#84-topics-covered-by-assessment), the CA SHALL strictly control the service quality of Certificates issued or containing information verified by a Delegated Third Party by having a Validation Specialist employed by the CA perform ongoing quarterly audits against a randomly selected sample of at least the greater of one certificate or six percent of the Non-EV Code Signing Certificates and at least six percent of the EV Code Signing Certificates verified by the Delegated Third Party in the period beginning immediately after the last sample was taken. The CA SHALL review each Delegated Third Party's practices and procedures to ensure that the Delegated Third Party is in compliance with these Requirements and the relevant Certificate Policy and/or Certification Practice Statement.
26122648

26132649
# 9. OTHER BUSINESS AND LEGAL MATTERS
26142650
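
Review bot: in the replacement Section 8.7 text the floor "the greater of one certificate or" is attached only to the Non-EV clause; the EV clause reads "at least six percent of the EV Code Signing Certificates" with no floor, so a CA issuing fewer than seventeen EV certificates in a quarter has no sample requirement there. The same asymmetry appears in the Delegated Third Party paragraph. Suggest "the greater of one certificate or six percent" for both populations in both paragraphs (the "at least" inside "greater of one certificate or at least six percent" is redundant). Separately, the deleted paragraph required three percent for CA-verified certificates and six percent only where an RA performed the final cross-correlation; the new text raises everything to six percent and adds a quarterly cadence, which goes beyond "sc-075 alignment" and should be called out in the ballot. Minor: "self audits" should be "self-audits" to match the heading.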
