The CA/Browser Forum (CA/B Forum) is a voluntary group that establishes standards and guidelines for Certificate Authorities (CAs) on issuing and managing the digital certificates used to secure websites and online communication, particularly SSL/TLS certificates.
The CA/B Forum is made up of leading CAs, such as GlobalSign, Sectigo, Entrust, DigiCert, and others; internet browser vendors, such as Google Chrome and Apple Safari; and other application vendors, who work together to define standards and industry best practices for secure web communications.
While the CA/B Forum primarily focuses on web security, it also sets code signing requirements, since the same CAs that issue SSL/TLS certificates also issue code signing certificates.
Similar to the security standards developed for SSL/TLS certificates, the code signing baseline requirements are focused on enforcing strict validation procedures and revocation protocols as well as strong cryptographic algorithms, key lengths, private key protection, etc. This helps to ensure that code signing certificates remain secure and reliable, bolstering the overall integrity of software distribution in the digital landscape.
Software that is signed using a valid code signing certificate issued by a publicly trusted CA (one that adheres to the CA/B Forum requirements) will be trusted by operating systems and other software platforms.
In light of increasing code signing-related attacks, the CA/B Forum recently issued new code signing baseline requirements that mandate generating and storing private keys in crypto hardware modules to prevent private key compromises. This puts more onus on public CAs to ensure that the organizations they issue code signing certificates to strictly adhere to strong and compliant private key protection.