Office of Information Technology University of Maryland
Code Trust Certificate
College Park Certificate Authority

UMCP Code Trust Certificate Authority

The Code Trust Certificate Authority is not yet implemented.

Our views on Code Signing

The following are our initial principles on the subject of code signing.
  1. Code signing will be done only in direct support of the core business processes of the University.
  2. Each discrete edited version of the auditable code shall require a separate and distinct code-signing audit.
  3. Code-signing clients shall provide the CA with the machines and compilation software necessary to build the binaries to be signed. The CA may refuse to sign binaries from any code compilation environment that the CA, in its sole, exclusive, and final discretion, finds problematic from a security point of view.
  4. Code-signing clients shall submit to the CA the complete source for the code to be signed, with a complete description of the compilation and linking processes, sufficient for the CA staff to compile the auditable source into the final binary. The CA shall audit the source code, generate the final binary from that audited source, sign this binary, and then return the signed binary to the client.
  5. Code-signing clients shall reimburse the CA for the staff time spent doing these security audits.

Notes

  1. This CA does not want to sign code for class projects or instructional entrepreneurial enterprises. In such cases it would prefer to provide advice and support to such clients in erecting their own PKI instance, so that end clients can make an independent decision on whether to trust that root.
  2. This CA will not generically sign a software package or object. Any edit whatsoever to the audited source shall trigger a follow-up audit. This is to prevent a Trojan horse from entering the source code after the initial code-signing audit.
  3. The CA must have the option of rejecting any library that provides an open-ended execution environment (such as one that executes any arbitrary Perl or Tcl command passed to it).
  4. The CA must audit the entire cycle of compilation and signing. The object-signing crypto material (the private signing key) should never be present on a machine that the CA does not control.
  5. This CA is an extremely resource-starved enterprise. It must be able to cover its costs.
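Principle 2 and Note 2 require that any edit to already-audited source trigger a new audit, and Principle 4 requires the CA to build from the exact source it audited. The following is an added example (not code from the University's CA, which this page says is not yet implemented) of the mechanical part of that check: a deterministic content digest over a submitted source tree, recorded at audit time and compared against every later submission, with a per-file manifest so the CA can see which files changed. The sample source tree, file names and the `demo()` helper are constructed for illustration; the digest covers file contents and relative paths only, not permissions or timestamps, so a real deployment would also pin the build recipe and toolchain described in Principle 4 (here the Makefile is simply part of the tree).

```python
import hashlib
import tempfile
from pathlib import Path


def source_tree_digest(root):
    """Return (tree_digest, {relpath: sha256}) over every regular file under root.

    Paths are sorted and hashed together with their content digests, so the
    same files in the same layout always yield the same tree digest, regardless
    of filesystem ordering, mtimes or permissions.
    """
    root = Path(root)
    per_file = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        per_file[rel] = h.hexdigest()
    tree = hashlib.sha256()
    for rel, digest in sorted(per_file.items()):
        tree.update(f"{digest}  {rel}\n".encode())
    return tree.hexdigest(), per_file


def audit_required(audited_manifest, submitted_manifest):
    """Compare a submission against the manifest recorded at the last audit.

    Returns a sorted list of (relpath, reason); an empty list means the
    submission is byte-for-byte the audited tree and no new audit is needed.
    """
    changes = []
    for rel in sorted(set(audited_manifest) | set(submitted_manifest)):
        before = audited_manifest.get(rel)
        after = submitted_manifest.get(rel)
        if before is None:
            changes.append((rel, "added"))
        elif after is None:
            changes.append((rel, "removed"))
        elif before != after:
            changes.append((rel, "modified"))
    return changes


def write_tree(root, files):
    """Write a constructed sample source tree (illustration only)."""
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def demo():
    """Audit a constructed tree, resubmit it unchanged, then resubmit an edited one.

    Returns (digest_changed, change_list) for the edited resubmission.
    """
    audited_files = {  # constructed sample project, not real University code
        "Makefile": b"all:\n\tcc -O2 -o hello src/main.c\n",
        "src/main.c": b'#include <stdio.h>\nint main(void){puts("hello");return 0;}\n',
    }
    with tempfile.TemporaryDirectory() as d:
        write_tree(d, audited_files)
        audited_digest, audited_manifest = source_tree_digest(d)

        # Identical resubmission: same digest, no follow-up audit required.
        same_digest, same_manifest = source_tree_digest(d)
        assert same_digest == audited_digest
        assert audit_required(audited_manifest, same_manifest) == []

        # Client edits one file and adds another after the audit.
        write_tree(d, {
            "src/main.c": b'#include <stdio.h>\nint main(void){puts("hello?");return 0;}\n',
            "src/util.c": b"int helper(void){return 1;}\n",
        })
        new_digest, new_manifest = source_tree_digest(d)
        return new_digest != audited_digest, audit_required(audited_manifest, new_manifest)


if __name__ == "__main__":
    changed, changes = demo()
    print("audit required:", changed)
    for rel, reason in changes:
        print(f"  {reason:9s} {rel}")
```

The CA would store `audited_digest` and the manifest alongside its audit record and the signed binary; a resubmission whose digest differs is refused until the listed files have been re-audited, which is the "any edits whatsoever" rule above made checkable rather than a matter of trust in the client's description of what changed.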

More Notes

Some more thoughts:

An instance of code signing should be coordinated by a committee, optimally of at least three people:

The representative from the CA should have exclusive control of the object-signing crypto material.

This page is maintained by the Office of Information Technology
© 2003, 2004, 2005, 2006, 2007, 2008 University of Maryland