Re: CA Security Council...
Well, MS for one already has this service for quite a while in their Azure offering.
But I'm sure Amazon and others will have these too.
They're verified and certified by external independent companies and really following all security-related best-practices.
Why are they proposing this? well, a lot of malware and what have you now can be unsigned, or signed with a certificate you got from who knows where, without the need to identify yourself.
Now, in order to obtain such a code-signing certificate/service, you'll be obliged to identify yourself.
For using the service in Azure, you'll need to go though a MS partner, for obtaining the 'dongle', which shouldn't be from MS by the way, but any code-signing certificate from any trusted issuer can be used, like GlobalSign or whatever!
This already is done for signing certificates used for signing CRITICAL documents, and for signing PDF's with the Adobe AATL certificate, for long, having HW dongles was the only way.
Again, because you needed to identify yourself and physically obtain the dongle from the issuer at their premises.
So, if they deemed it necessary for signing documents, shouldn't it be wise to use it for signing software, which might have access to all personal data of a user, all bank accounts, too?
And indeed, then they can start blocking unsigned software, or at least indicate that that software is not signed with a trusted certificate, so it's the end-users responsability.
This is probably the only way to get rid of malicious software, distributed as safe to install sw, and without any means of identifying who was the creator/distributor of this sw.