[Cryptography] HSM's to be required for Code Signing Certificates

Dirk-Willem van Gulik dirkx at webweaving.org
Fri Jan 27 16:37:38 EST 2017


On 27 Jan 2017, at 17:49, Henry Baker <hbaker1 at pipeline.com> wrote:
> At 12:52 AM 1/27/2017, Peter Gutmann wrote:
>> The solution to the problem isn't a FIPS-anything HSM, it's a FIPS-nothing physical control over when something gets signed, and what gets signed.
> 
> So, is this another one of those mumbo jumbo witch doctor "security theater" pageants that impress the press (and later, the court judges) ??

I beg to differ. I very regularly encounter situations in the field where ISVs' signing keys for run-of-the-mill software, to be deployed on typical end devices at customers (home and especially in the enterprise), are specifically targeted and copied. And as some security vendors are quite slack with their whitelisting (anything signed by the same key as the previous release is auto-added without vetting who sent it in), this is an issue.

Keep in mind that with 'agile' the 'path to the app store' or to an update site is sometimes exercised weekly, sometimes even more often - and terribly automated.

So making it routine to keep the signing keys for standard end-user software on chipcards/USB tokens, --EVEN-- if these are PIN-less or with a PIN hardcoded in a script right next to it and even if the chipcard is always plugged in, is already a significant improvement. As it is the *copy*ing that is currently quite key.

And on the positive side - I found that introducing a modicum of PIN keypad steps - e.g. a dirt cheap low end ACR reader - is generally easy and welcomed as a process thing. People are quickly accustomed to having this somewhat formal and mind-focusing step of entering 'their' PIN to approve 'the' release for auto upload to some app store. And organisationally welcome it.

Dw.



