[Cscwg-public] Code Signing Baseline Requirements references to the EV Guidelines

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Sun Apr 21 10:32:03 UTC 2024



On 11/3/2024 6:20 p.m., Dimitris Zacharopoulos (HARICA) via Cscwg-public 
wrote:
>
> All,
>
> I re-based the importEVG branch to the latest CSBR (3.7.0). You can 
> see the ballot redline in 
> https://github.com/cabforum/code-signing/pull/38. Feel free to start a 
> review within the PR or reply to this thread with comments.
>
> Importing the EV Guidelines into the CSBRs ballot requires time to 
> review so I plan to give at least 2 weeks discussion period for 
> Members to check before starting the voting period.
>
> I have one remaining task which is to import the changes introduced by 
> Ballot SC68 <https://github.com/cabforum/servercert/pull/478>. Other 
> than that, we should be good to go. I would like to ask for 2 
> endorsers to reserve a ballot number.

I added the language of Ballot SC68, fixed some numbering issues and 
reformatted the tables. Everything seems to be all set. Martijn and 
Corey have kindly offered to review the PR and hopefully they will also 
be able to endorse the ballot. You can also download the artifacts 
(.docx, .pdf, redline pdf) 
<https://github.com/cabforum/code-signing/actions/runs/8771988767/artifacts/1433108820> 
produced based on the latest commit.

Please let me know if you have any questions or concerns.


Best regards,
Dimitris.


>
>
> Thank you,
> Dimitris.
>
> On 2/2/2024 1:59 p.m., Dimitris Zacharopoulos (HARICA) wrote:
>> Dear Members,
>>
>> Apologies for sending this late. Here is the mapping document for the 
>> import of the EV Guidelines into the CS Baseline Requirements.
>>
>> The process started from sections of the CSBRs that point to sections 
>> of the EV Guidelines. In some cases, the referenced EVG section 
>> contained additional references within the EVG. The spreadsheet tried 
>> to capture and follow all those references to ensure we didn't miss 
>> anything.
>>
>> I hope this document will help the review process so we can proceed 
>> with a ballot. Before we do the ballot, we will have to rebase to the 
>> latest CSBR version and resolve any conflicts that may be caused by 
>> the last 2 ballots. My goal is to get this ready for a ballot after 
>> the next F2F meeting.
>>
>>
>> Thank you,
>> Dimitris.
>>
>> On 8/1/2024 3:06 p.m., Dimitris Zacharopoulos (HARICA) via 
>> Cscwg-public wrote:
>>> Dear Members,
>>>
>>> Following up on the work of importing the references to the EV 
>>> Guidelines and specifically the latest version (1.8.0) with the 
>>> exception of the CA/B Forum organization identifier extension as 
>>> agreed in previous meetings, the resulting redline (based on CSBR 
>>> version 3.4.0) is available in the following link:
>>>
>>>   * https://github.com/cabforum/code-signing/compare/main...importEVG
>>>
>>> We can easily rebase to version 3.5.0 which is the latest CSBR 
>>> version, but the focus should be more on the import of the existing 
>>> EV references.
>>>
>>> The redline contains several formatting improvements as well, like 
>>> removal of double spaces and tabs that break the conversion.
>>>
>>> Here are my notes from the conversion:
>>>
>>>
>>> - CSBR section 3.2.2.2 points to EV Guidelines
>>>   - Section 10.1.2 for specific roles (done)
>>>   - Section 11.2 for Legal Existence and Identity (done)
>>>   - Section 11.3 for Assumed Name (done)
>>>   - Section 11.4 for Physical Existence (done)
>>>   - Section 11.5 for Method of Communication (done)
>>>   - Section 11.6 for Operational Existence (done)
>>>   - Section 11.8 for Name, Title and Authority of Contract Signer 
>>> and Certificate Approver (done)
>>>   - Section 11.9 for Signature on Subscriber Agreement and EV CS 
>>> Certificate Requests (done)
>>>   - Section 11.10 for Approval of EV CS Certificate Request (done)
>>>   - Section 11.11 for Certain Information Sources (done)
>>>   - Section 11.12.3 for Parent/Subsidiary/Affiliate Relationship (done)
>>> - CSBR section 4.1.1 points to EV Guidelines section 11.12.2 for 
>>> "suspicious" certificate requests (done new section 3.2.8)
>>> - CSBR section 4.2.1 points to EV Guidelines
>>>   - section 11.13 for the "due diligence" verification (done new 
>>> section 3.2.9)
>>>   - section 11.14 for the usage periods of documents, data and 
>>> previous validations performed per section 3.2. (done with new 
>>> section 4.2.1.1)
>>> - CSBR section 5.2.4 points to EV Guidelines section 11.13 for the 
>>> Final Cross-Correlation and Due Diligence steps (done by pointing to 
>>> the new section 3.2.9)
>>> - CSBR section 5.3.3 points to EV Guidelines in general for the 
>>> Validation Specialist training and internal examination (done)
>>> - CSBR section 7.1.4.2.4 points to EV Guidelines sections 9.2.1 
>>> (done), 9.2.3 (done), 9.2.4 (done, section 11.1.3 disclosure of 
>>> verification sources migrated to 3.2.10), 9.2.5 (done), 9.2.6 
>>> (done), 9.2.8 (done updated reference to 9.2.4 to 7.1.4.2.4 (c)) for 
>>> subject information
>>> - CSBR section 9.2.1 points to EV Guidelines section 8.4 for 
>>> insurance coverage (done)
>>>
>>>
>>> 9.8.2 --> Do not import
>>> 11.11.1 --> 3.2.2.2.10.1
>>> 11.11.4 --> 3.2.2.2.12
>>> 11.13 --> 3.2.9
>>> 14.1.1, 14.1.2 --> 5.3 (Training and background checks)
>>> 14.1.3 --> 5.2.4 (separation of duties)
>>> 14.2 --> 1.3.2.1 (new section)
>>>
>>> We still need to do a thorough check for the import of the proper 
>>> definitions and acronyms and remove the ones that are not used in the 
>>> CSBRs with the first letter capitalized.
>>>
>>> I have not completed a full mapping of the import of the EVGs into 
>>> the CSBRs but that's my next target. Please note that some 
>>> destination sections are different from what Inigo has decided for 
>>> the conversion of the EVGs into the RFC 3647 format 
>>> <https://github.com/cabforum/servercert/compare/90a98dc7c1131eaab01af411968aa7330d315b9b...238ff99fbe04f2aa24f2c58910d8133f2283f11e>. 
>>> We can compare notes with Inigo after we get some initial feedback 
>>> by Members.
>>>
>>>
>>> Best regards,
>>> Dimitris.
>>>
>>> On 2/10/2023 11:56 p.m., Dimitris Zacharopoulos (HARICA) wrote:
>>>>
>>>> Dear Members,
>>>>
>>>> At a previous Teleconference I volunteered to search the CSBRs and 
>>>> find references to the EV Guidelines that could be discussed at the 
>>>> upcoming F2F. We can then decide if we want to import all or some 
>>>> of them to the CSBRs.
>>>>
>>>> The EV Guidelines version that is -supposed to be- referenced is 1.7.1.
>>>>
>>>>   * CSBR section 3.2.2.2 points to EV Guideline:
>>>>       o Section 10.1.2 for specific roles
>>>>       o Section 11.2 for Legal Existence and Identity
>>>>       o Section 11.3 for Assumed Name
>>>>       o Section 11.4 for Physical Existence
>>>>       o Section 11.5 for Method of Communication
>>>>       o Section 11.6 for Operational Existence
>>>>       o Section 11.8 for Name, Title and Authority of Contract
>>>>         Signer and Certificate Approver
>>>>       o Section 11.9 for Signature on Subscriber Agreement and EV
>>>>         CS Certificate Requests
>>>>       o Section 11.10 for Approval of EV CS Certificate Request
>>>>       o Section 11.11 for Certain Information Sources
>>>>       o Section 11.12.3 for Parent/Subsidiary/Affiliate Relationship
>>>>   * CSBR section 4.1.1 points to EV Guidelines section 11.12.2 for
>>>>     "suspicious" certificate requests
>>>>   * CSBR section 4.2.1 points to EV Guidelines:
>>>>       o section 11.13 for the "due diligence" verification
>>>>       o section 11.14 for the usage periods of documents, data and
>>>>         previous validations performed per section 3.2
>>>>   * CSBR section 5.2.4 points to EV Guidelines section 11.13 for
>>>>     the Final Cross-Correlation and Due Diligence steps
>>>>   * CSBR section 5.3.3 points to EV Guidelines in general for the
>>>>     Validation Specialist training and internal examination
>>>>   * CSBR section 7.1.4.2.4 points to EV Guidelines sections 9.2.1,
>>>>     9.2.3, 9.2.4, 9.2.5, 9.2.6 for subject information
>>>>   * CSBR section 9.2.1 points to EV Guidelines section 8.4 for
>>>>     insurance coverage
>>>>
>>>> During this process, I also noticed that we have a capitalized term 
>>>> "EV Process" without a corresponding definition. I will add an 
>>>> issue on GitHub for the next cleanup ballot.
>>>>
>>>> I would appreciate a second review in case I missed something.
>>>>
>>>>
>>>> Thank you,
>>>>
>>>> Dimitris.
>>>>
>>>
>>>
>>> _______________________________________________
>>> Cscwg-public mailing list
>>> Cscwg-public at cabforum.org
>>> https://lists.cabforum.org/mailman/listinfo/cscwg-public
>>
>
>
