<div dir="ltr"><div>It seems that additional work is needed to replace the EV Guidelines for Code Signing. For instance, section 17.1 of the Baseline Requirements for Code Signing says that the eligible audit scheme (for Baseline) can be “WebTrust for CAs v2.0 or newer” AND “WebTrust for Certification Authorities – Extended Validation Code Signing v1.4.1 or newer”, but it doesn't seem to be the other way around (that the BRCS is sufficient for EVCS). Does this working group have plans to replace the EV Guidelines for Code Signing with a unified guideline document?<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jul 13, 2021 at 12:20 PM Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div style="overflow-wrap: break-word;" lang="EN-US">
<div class="gmail-m_722167501838786903WordSection1">
<p class="MsoNormal">Hi Ben,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Based on how I interpret the requirements for the new CSBR v2.0 audit criteria, it should be used for all audit periods starting on or after 1 November 2020. So that would mean that EVCS 1.4.1 could be used for periods starting before 1
November 2020. With a 3 month posting deadline, you could see EVCS 1.4.1 audit reports posted until 31 January 2022 (or later for late reports).<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">For example, if an audit period started on 1 October 2020 and ended on 30 September 2021, then the CA could use EVCS 1.4.1 and must post the report by 31 December 2021.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Bruce.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<div style="border-color:rgb(225,225,225) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0in 0in">
<p class="MsoNormal"><b>From:</b> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org" target="_blank">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Ben Wilson via Cscwg-public<br>
<b>Sent:</b> Tuesday, July 13, 2021 1:55 PM<br>
<b>To:</b> <a href="mailto:cscwg-public@cabforum.org" target="_blank">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] [Cscwg-public] WebTrust - EV Code Signing v.1.4.1 and ALV in the CCADB<u></u><u></u></p>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">WARNING: This email originated outside of Entrust.<br>
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.<u></u><u></u></p>
<div class="MsoNormal" style="text-align:center" align="center">
<hr width="100%" size="2" align="center">
</div>
<div>
<div>
<p class="MsoNormal">All,<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">In reference to the Webtrust Principles and Criteria and the CCADB's ALV processing of audit letters, see<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><a href="https://urldefense.com/v3/__https:/www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria__;!!FJ-Y8qCqXTj2!Of1UlBnrsakPt5Col1B5EeWGfnEFVf6SGVSJAehLcnY117n7naUu9KBRjfK7BVUX7yk$" target="_blank">https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria</a>,
which mentions <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">WebTrust for EV CS v. 1.4.1. At what point will a requirement for v. 1.4.1 go away, if it will? The reason I ask is that the CCADB gave me an ALV error recently when it processed an EV CS audit letter because it did not specifically mention
WebTrust EV CS v. 1.4.1. <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Thoughts?<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Ben<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</div>
</div>
</blockquote></div>