<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
In section 11.8 we point to section 11.12 of the EV Guidelines.
Perhaps this is a typo and we intend to point to 11.13 "Final
Cross-Correlation and Due Diligence".<br>
<br>
The change in 14.1 might probably require an effective date for CAs
issuing <b>non-EV</b> Code Signing Certificates. That's because if
they hadn't vetted their staff with the provisions of 14.1 of the EV
Guidelines, they will probably need to re-vet them. If we intend
this to be a "going forward" requirement, perhaps we can update this
section to state that until date X, the older provisions applied and
after date X the new provisions apply.<br>
<br>
The same applies for 16.2. It is possible that CAs operating a
Signing Service for non-EV Certificates were not using FIPS 140-2
level 2 crypto modules and will be non-compliant as soon as this
ballot becomes effective.<br>
<br>
I'd also like a clarification on section 17.5.<br>
<br>
"a randomly selected sample of at least three percent of <b>both </b>the
<b>Non-EV and the</b> EV Code Signing Certificates"<br>
<br>
On first read, I wasn't sure if this means that CAs must calculate a
3% for all Non-EV Certificates issued and another 3% for EV
Certificates, or a 3% of a population which includes Non-EV and EV
Certificates.<br>
<br>
I think this language needs to be updated to make it unambiguously
clear that we intend for the former. Similarly for the 6%.<br>
<br>
Hoping that the above can be addressed, I'd be happy to endorse the
ballot :-)<br>
<br>
<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 6/11/2020 10:34 PM, Bruce Morton
via Cscwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:SN6PR11MB2656E1F989D01C573F57716782ED0@SN6PR11MB2656.namprd11.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal">Purpose of Ballot CSC-7:</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">The CSC-2 merger of the Code Signing BRs
and the EV Code Signing Guidelines was done without technical
changes. The result is that we have some sections where there
is different text for Non-EV and EV Code Signing certificates.
In many cases there was no reason to have two different
requirements. In other cases, it made sense that they both
have the same requirement. There were of course some items
where EV is different and these clauses were not touched for
now. These items were all discussed in our bi-weekly meetings.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Other minor changes were the adding in a
table for document revision and history and another table for
effective dates within the BRs. There were also some errors
corrected from the merger.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">The proposed changes are redlined in the
attached document. I am looking for two endorsers.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Thanks, Bruce.</p>
</div>
<br>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Cscwg-public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/cscwg-public">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a>
</pre>
</blockquote>
<br>
</body>
</html>