Root Causes 309: What Is Key Attestation for Code Signing?
On June 1, 2023 new rules for delivery of code signing certificates went into effect, requiring the certificate be delivered by secure HSM. In addition to shipping a token by mail, certificates can be electronically delivered to Subscriber-owned hardware that supports key attestation. In this episode we explain key attestation, supporting hardware, and the pros and cons of this method.
- Original Broadcast Date: June 8, 2023
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
There was a very important change in the world of Code Signing that occurred as of June 1, 2023. By CA/Browser Forum ballot, starting June 1, 2023 all Code Signing certificates have to be delivered on a secure HSM, essentially. On a secure piece of hardware that holds the key securely. And this is to, I don’t want to say prevent, but to mitigate and make more difficult various abuses, malware-style abuses that involve signed code where the signing certificate is owned by a third party.
So how can this happen? Well, it can happen a couple of ways, and one obvious way which is that the Certificate Authority, Sectigo, gets the cert, puts it on the token, puts the token in the mail and ships it to you and you get your token and you unwrap it and it’s there on the fob and now you have your Code Signing cert. Certainly that is done a lot, but you can imagine there are some disadvantages with that. It costs money. You gotta buy the token. You gotta ship the token, and it costs time. You gotta sit around and wait for it to come. And so another opportunity is available as well according to the Baseline Requirements or according to the BRs and that is called key attestation.
-
Jason Soroko
Yeah. So, you know, we are talking now about, Tim, the basis of attestation and PKI is about you can prove that you are in possession of a private key. We know about that but attestation is a little different in the sense of what’s the providence of the key? Where did it come from? Was it always in a safe place or did it originate or be created from a safe place?
And I think the whole idea of having a CA ship the token, the hardware security modules because by the time it reaches your hands as the end user, it’s kind of been attested to the CA. Because of the fact that it’s originating from there, that it’s always been in the hardware from the point of the CA’s possession to the token itself. But for those of you who are generating your own private keys in an HSM or something like that, unfortunately, I think we are still living in a world where attestation is not completely uniform in terms of equipment that supports it and certainly even in equipment that does support it there’s different ways of doing it. So, I think it’s more of a ubiquity problem in terms of how to do it, Tim, than it is the actual doing.
-
Tim Callan
For sure. You can’t just use any thumbnail drive for this. First of all, it has to be FIPS compliant. That’s a requirement of ours and that’s also a requirement of the BRs, and that’s also good sense. It’s meeting the information processing safety standards that are set out in FIPS but in addition to that, it has to be a FIPS compliant token that technically supports over-the-internet key transfer and attestation, it attests that it received the key and there’s a very limited number of devices in the market today that will do that. For instance, today, we are aware of two devices and I guess I can just tell you what those are. That’s the Thales Luna devices that support key attestation or net HSM devices from Thales and then Yubico YubiKeys. FIPS YubiKeys from Yubico also support key attestation. There may be others or others may come on the market and as they do, we and other CAs I think will expand our support of it, but you’ve got to get those specific tokens, and you have to have and be in possession of those specific HSMs in order to use them to support key attestation as a delivery mechanism.
-
Jason Soroko
That’s correct. Thankfully, you know, Luna is very common. It’s been out there a long time. In fact, one of the podcast guests we’ve had, Bruno Couillard, was instrumental in development of Luna back in the day. But also, YubiKey, very, very ubiquitous, very out there. Thankfully, these aren’t rare pieces of equipment, rare hardware that you can’t get your hands on. A lot of people already do but not everybody does, and I think that’s the issue.
-
Tim Callan
And these aren’t the only models that these vendors sell. So, you also don’t say, oh, I got an HSM from Yubico, I’m fine. I got an HSM from Thales, I’m fine. No. It has to be these specific products. It has to be the products that support key attestation or it doesn’t work.
This is occurring because we did have a CA/Browser Forum rule. This is a baseline requirement. This is not something that any individual CA is enforcing unilaterally. This is a new industry standard and as I said in the beginning, the real reason for that is because it is believed that this will reduce the risk and exposure of certificates ultimately being stolen and misused by purveyors of malware.
-
Jason Soroko
That’s right. I think it’s a good move. Definitely anytime you are protecting the providence of your keys, that is important and Code Signing is just so, so important. It’s not like there are a ton of these things around. It’s not like you are having to protect hundreds and hundreds of these things. Like it’s kind of a crown jewel to any organization that is signing code. So, you gotta take real care of it.
-
Tim Callan
Now, in terms of brass tacks, and for some degree we will let the market tell us how this is going to be used. I don’t imagine that this is gonna be terribly appealing to the one-off what we can call retail Code Signing user.
If you are just going to a CA and buying a cert, there’s not much advantage for you to try to go out and shop this key, wonder if you got the right key, get it in your hands, get it shipped to you and then go to the retailer’s website and buy the cert and deal with key attestation. Like for that person, I recommend just having them ship it to you on a token. Because they will do it and they’ll do it correctly, it will be right and it’ll show up in a padded envelope in three days and then you’ll be all set to go. However, for repeat purchasers or mass purchasers – think of an enterprise, think of a professional software development firm. Think of an electronics supply chain manufacturer, somebody with repeat Code Signing needs. Those are the people where I can imagine you say, look, we want to be able to get certs and we want to be able to get them right now. We are gonna have a store of keys in a safe place. Someone is gonna go unlock a cabinet, take one out and get the Code Signing certificate and under those circumstances, that’s where I think this really could make a difference.
-
Jason Soroko
Thanks, Tim. I was gonna ask you the question of the background behind it. That really is it. We are talking about the edge case here. For those of you who are reading the BR requirements and looking at that key attestation capability, you really have to know why you would use that and it would have to be because of volume or flexibility. For everyone else - in fact, I think even for those of you running pretty big shops – the numbers of these certs you are gonna be needing is small. Therefore, a hand full of tokens, more than likely one token in a company is what’s gonna be out there.
-
Tim Callan
You touched on this, Jay. I think the real benefit is instant delivery because whether you buy your token from the CA or whether you buy your token directly, the price to you is probably just about the same.
-
Jason Soroko
Exactly.
-
Tim Callan
The CA is probably gonna have to charge you a little bit of shipping and handling but what do we care about $10-$15 in the grand scheme of things? The issue is going to be basically waiting for the mails. So, you order your cert, you get it all done, they say great. They put it in the bin and the guy in the brown truck comes and picks it up and then you get it when exactly? And if you want it today, then key attestation makes that possible. If you want it today and they are physically shipping hardware, that just isn’t in the cards. And so, again, for a one-off user, just plan ahead a little. Buy your cert a couple weeks before you are actually gonna need to sign your code and you are perfectly fine and you can buy multi-year certificates so an extra week shouldn’t be a big deal to you. If you are a kind of a volume production professional house, those are the people I think who want to look into this.
-
Jason Soroko
Perfect. Hey, Tim, just to back up about a million steps, right, just explain to people why, why, why are we going through all this pain.
-
Tim Callan
Why are we doing this in the first place?
-
Jason Soroko
You know, you and I right now could go generate a whole pile of private keys that could be used for Code Signing Right? We could even make these things, you know, encode them in such a way in certificates that we authorize Code Signing and just all kinds of stuff. The problem is, never mind, you know, the fact that you need the CA signature. I think what’s important is you and I, Tim, have had so many podcasts about, you know, generating these private keys and the difficulty of doing it with enough entropy to guarantee that the private key doesn’t follow a pattern.
We just had a podcast - Don’t Roll Your Own Crypto. It’s almost like, geez, don’t even generate your private keys in a place that you don’t absolutely know that you are getting enough of the good juice of entropy and hardware security and all the other things that comes with a FIPS certified piece of equipment. It’s just one of those things.
-
Tim Callan
Yep. I agree, Jay. So, anyway, that’s an aspect of this new Code Signing rule that I think hasn’t been discussed very much and we wanted to make sure that you knew about it.