> A letsencrypt style signing process would be possible and would let people base the trust on the ownership of company.com instead of a regular cert. And for most use cases this seems good enough.
Except it seems that's not what they want at all.
LetsEncrypt works because we've worked out it's sufficient for purposes of HTTPS to attest that "you" own the domain company.com, which is verified by making you do something that can be done only when "you" are in control of what company.com DNS points at. The nature of "you" is immaterial, out of scope - only demonstrating control over a domain matters. This lends itself to automation.
What they want to do with code signing is to pin the code to a specific legal entity. That's crossing from data integrity/provenance straight to KYC/legal space - for users to be allowed to run your code, you must become an entity that can be easily served a lawsuit should the need arise. You can't automate that, for the same reason you can't automate renewing your national ID/passport or automate starting a company.
Except it seems that's not what they want at all.
LetsEncrypt works because we've worked out it's sufficient for purposes of HTTPS to attest that "you" own the domain company.com, which is verified by making you do something that can be done only when "you" are in control of what company.com DNS points at. The nature of "you" is immaterial, out of scope - only demonstrating control over a domain matters. This lends itself to automation.
What they want to do with code signing is to pin the code to a specific legal entity. That's crossing from data integrity/provenance straight to KYC/legal space - for users to be allowed to run your code, you must become an entity that can be easily served a lawsuit should the need arise. You can't automate that, for the same reason you can't automate renewing your national ID/passport or automate starting a company.