Replies: 4 comments 14 replies
-
Great experience description. Can you elaborate a bit more on "However, the directions can't be readily applied depending on the CA."?
-
Thanks for bringing up this issue @zoracon, this is one of the reasons we started the Remote Key Attestation project. Currently it's barely supported and many CAs ship you a token with a key pre-generated. Obviously, that is slow and doesn't work well for renewals or re-keys. The vendors that have implemented a form of Remote Key Attestation often do that in their own proprietary way, which again makes it challenging for software vendors and CAs to support. This is also an active topic within the Code Signing working group of the CA/Browser Forum. We are currently running a survey to get more details about current implementations and implementation plans; please ask your vendor(s) to complete the survey and participate in the work of this project.
-
There are easier ways around this for now. Most CAs offering EV certificates for code signing don't pay any attention to the rules. Entrust and GlobalSign both use (still!) JavaScript and ActiveX on IE11. So an easily-editable web page submits a CSR to a URL - no attestation needed. (The tokens they use don't support attestation, so there is no way they ask for proof!) DigiCert uses a utility (Windows) which again submits a CSR to a web service. No attestation. The software has no idea if you have any token and of course can't prove it to the API endpoint. Simple with Burp and you can see where the CSR is POSTed. (tip: https://digicert.com/api/ev-code-listener.php) Sectigo forces you to use their token when they generate a key, which is 'safest' and at least follows the rules but is often inconvenient. SSL.com makes attempts and supports YubiKey attestation: https://www.ssl.com/hsm-attestation/
-
I see that the latest guidelines in the CA/B Forum passed Ballot CSC-13.
Hope to see more docs from CAs on accomplishing this, along with guides from cloud-based HSMs or other crypto modules! Either way, I am glad this happened!
-
As remote work expands, so do remote engineering teams. These are just general comments and questions I am posing to possibly get help in my quest to utilize EV code signing (for trust on Windows) without being tied to a specific service. I am also hoping to shed light on an issue I have seen where documentation on this process is sparse and generally not spoken of much unless you work for a large corporation. Let me know if this is not the forum to discuss.
I have found the attestation process for a FIPS YubiKey (PIV) to not be a straightforward endeavor for each CA's EV certificate.
I know this is fairly "new" in terms of moving away from an expensive HSM to a cheaper smart card. However, the directions can't be readily applied depending on the CA.
For example, the CA we chose sends you an HSM or hardware token. However, they did not provide the option to attest with YubiKeys or have any instructions, even though it is possible by creating a `.csr` file with `ECCP256` (CAB Forum Requirements as of June). There were other issues, such as needing to sign a Windows executable on a Windows-based machine.
The process to do so on an O.S. like Linux is possible but very flaky and convoluted. But that is outside of the scope of remote attestation to an extent. However, it does relate back to the fact that Windows Defender is the reason why an EV certificate is being used in the first place. I know you can use non-EV code signing certificates, but just wanted to point that out.
Cloud-based services allow you to sign code through a service. But I really, really hope to see the expansion of support for remote attestation for PIV by the major CAs.
SSL.com does a great job of documentation, but if more small teams who can't afford cloud services could utilize this process, it would open the door for safe and convenient code signing for various engineering flows. Multiple people on a remote team could have smart cards with attestation.
Anyway, those are my woes as someone who has been trying to apply CAB Forum Requirements and NIST docs for months in a way that's sane for a small remote team. Thanks in advance to anyone who engages or can offer clarity!