<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
h1
{mso-style-priority:9;
mso-style-link:"Heading 1 Char";
margin-top:0in;
margin-right:0in;
margin-bottom:11.0pt;
margin-left:.75in;
text-indent:-.75in;
page-break-after:avoid;
mso-list:l3 level1 lfo2;
font-size:16.0pt;
font-family:"Cambria",serif;
mso-fareast-language:EN-US;}
h2
{mso-style-priority:9;
mso-style-link:"Heading 2 Char";
margin-top:0in;
margin-right:0in;
margin-bottom:11.0pt;
margin-left:1.0in;
text-indent:-1.0in;
page-break-after:avoid;
mso-list:l3 level2 lfo2;
font-size:12.0pt;
font-family:"Cambria",serif;
mso-fareast-language:EN-US;
font-style:italic;}
h3
{mso-style-priority:9;
mso-style-link:"Heading 3 Char";
margin-top:0in;
margin-right:0in;
margin-bottom:11.0pt;
margin-left:.75in;
text-indent:-.25in;
page-break-after:avoid;
mso-list:l3 level3 lfo2;
font-size:11.0pt;
font-family:"Cambria",serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.Heading2Char
{mso-style-name:"Heading 2 Char";
mso-style-priority:9;
mso-style-link:"Heading 2";
font-family:"Cambria",serif;
mso-fareast-language:EN-US;
font-weight:bold;
font-style:italic;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:115411319;
mso-list-template-ids:2046968942;}
@list l1
{mso-list-id:129980817;
mso-list-template-ids:1594529998;}
@list l1:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2
{mso-list-id:278296876;
mso-list-template-ids:-945136056;}
@list l2:level1
{mso-level-start-at:17;
mso-level-text:%1;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:22.8pt;
text-indent:-22.8pt;}
@list l2:level2
{mso-level-text:"%1\.%2";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:22.8pt;
text-indent:-22.8pt;}
@list l2:level3
{mso-level-text:"%1\.%2\.%3";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.5in;
text-indent:-.5in;}
@list l2:level4
{mso-level-text:"%1\.%2\.%3\.%4";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.75in;}
@list l2:level5
{mso-level-text:"%1\.%2\.%3\.%4\.%5";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.75in;}
@list l2:level6
{mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.0in;
text-indent:-1.0in;}
@list l2:level7
{mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.0in;
text-indent:-1.0in;}
@list l2:level8
{mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7\.%8";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.25in;
text-indent:-1.25in;}
@list l2:level9
{mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7\.%8\.%9";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.25in;
text-indent:-1.25in;}
@list l3
{mso-list-id:1168407073;
mso-list-template-ids:-1546361960;}
@list l3:level1
{mso-level-style-link:"Heading 1";
mso-level-tab-stop:.75in;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.5in;}
@list l3:level2
{mso-level-style-link:"Heading 2";
mso-level-legal-format:yes;
mso-level-text:"%1\.%2";
mso-level-tab-stop:.75in;
mso-level-number-position:left;
text-indent:-.75in;}
@list l3:level3
{mso-level-style-link:"Heading 3";
mso-level-legal-format:yes;
mso-level-text:"%1\.%2\.%3";
mso-level-tab-stop:1.25in;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.25in;}
@list l3:level4
{mso-level-legal-format:yes;
mso-level-text:"%1\.%2\.%3\.%4";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.5in;}
@list l3:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.0in;
text-indent:-.75in;}
@list l3:level6
{mso-level-legal-format:yes;
mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.0in;
text-indent:-.75in;}
@list l3:level7
{mso-level-legal-format:yes;
mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.25in;
text-indent:-1.0in;}
@list l3:level8
{mso-level-legal-format:yes;
mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7\.%8";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.25in;
text-indent:-1.0in;}
@list l3:level9
{mso-level-legal-format:yes;
mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7\.%8\.%9";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.5in;
text-indent:-1.25in;}
@list l4
{mso-list-id:1184250754;
mso-list-template-ids:1594529998;}
@list l4:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5
{mso-list-id:1355110343;
mso-list-template-ids:1594529998;}
@list l5:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Here is a proposal to allow the new WebTrust audit scheme, which is based on CSBR 2.0 or later. The proposal is to allow the older WebTrust audits to continue for audit periods which start before 1 November 2020. There is no date on the
CSBR 2.0 audit scheme, which allows it also to be used for audit periods starting before 1 November 2021.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>Delete </b>the following text from Section 17.1 from the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates”, which currently reads as follows:<o:p></o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoNormal" style="mso-list:l4 level1 lfo7">“WebTrust for CAs v2.0 or newer” AND “WebTrust for Certification Authorities – Publicly Trusted Code Signing Certificates v1.0.1 or newer”; or
<o:p></o:p></li><li class="MsoNormal" style="mso-list:l4 level1 lfo7">“WebTrust for CAs v2.0 or newer” AND “WebTrust for Certification Authorities – Extended Validation Code Signing v1.4.1 or newer”; or
<o:p></o:p></li><li class="MsoNormal" style="mso-list:l4 level1 lfo7">ETSI EN 319 411-1, which includes normative references to ETSI EN 319 401 (the latest version of the referenced ETSI documents should be applied); or<o:p></o:p></li><li class="MsoNormal" style="mso-list:l4 level1 lfo7">If a Government CA is required by its Certificate Policy to use a different internal audit scheme, it MAY use such scheme provided that the audit either (a) encompasses all requirements of one of the above
schemes or (b) consists of comparable criteria that are available for public review.<o:p></o:p></li></ol>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>Insert </b>the following text from Section 17.1 from the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates”, which currently reads as follows:<o:p></o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoNormal" style="mso-list:l5 level1 lfo8"><span style="background:yellow;mso-highlight:yellow">For Audit Periods starting before 1 November 2020,</span> “WebTrust for CAs v2.0 or newer” AND “WebTrust for Certification Authorities – Publicly Trusted
Code Signing Certificates v1.0.1 or newer”; or <o:p></o:p></li><li class="MsoNormal" style="mso-list:l5 level1 lfo8"><span style="background:yellow;mso-highlight:yellow">For Audit Periods starting before 1 November 2020,</span> “WebTrust for CAs v2.0 or newer” AND “WebTrust for Certification Authorities – Extended Validation
Code Signing v1.4.1 or newer”; or <o:p></o:p></li><li class="MsoNormal" style="mso-list:l5 level1 lfo8"><span style="background:yellow;mso-highlight:yellow">“WebTrust for CAs v2.0 or newer” AND “WebTrust for Certification Authorities – Code Signing Baseline Requirements v2.0 or newer”; or
<o:p></o:p></span></li><li class="MsoNormal" style="mso-list:l5 level1 lfo8">ETSI EN 319 411-1, which includes normative references to ETSI EN 319 401 (the latest version of the referenced ETSI documents should be applied); or<o:p></o:p></li><li class="MsoNormal" style="mso-list:l5 level1 lfo8">If a Government CA is required by its Certificate Policy to use a different internal audit scheme, it MAY use such scheme provided that the audit either (a) encompasses all requirements of one of the above
schemes or (b) consists of comparable criteria that are available for public review.<o:p></o:p></li></ol>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">If there are no comments and two endorsers, I can prepare a ballot for this change. This will also help Ben and the CCADB.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks, Bruce.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Cscwg-public <cscwg-public-bounces@cabforum.org>
<b>On Behalf Of </b>Bruce Morton via Cscwg-public<br>
<b>Sent:</b> Wednesday, July 14, 2021 2:35 PM<br>
<b>To:</b> Ben Wilson <bwilson@mozilla.com><br>
<b>Cc:</b> cscwg-public@cabforum.org<br>
<b>Subject:</b> Re: [Cscwg-public] [EXTERNAL] WebTrust - EV Code Signing v.1.4.1 and ALV in the CCADB<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi Ben,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">WebTrust has created an audit scheme which covers both non-EV and EV Code Signing certificates. The CSCWG has not referenced the audit scheme in the CSBRs. Here is a draft of text, which would all EVCS 1.4.1 for audit periods starting before
1 November 2020, but require CSBR 2.0 for audit periods starting on or after 1 November 2020.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We would still need to discuss this with the CSCWG, but I have not heard of any negative feedback based on the position that WebTrust took when it generated the new audit criteria.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<h2 style="margin-left:22.8pt;text-indent:-22.8pt;mso-list:l2 level2 lfo4"><a name="_Toc402526161"></a><a name="_Toc17488559"></a><a name="_Toc63253260"><span style="mso-bookmark:_Toc17488559"><span style="mso-bookmark:_Toc402526161"><![if !supportLists]><span style="mso-list:Ignore">17.1<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]> Eligible Audit Schemes</span></span></a><o:p></o:p></h2>
<p class="MsoNormal">The CA MUST undergo a conformity assessment audit for compliance with these Requirements performed in accordance with one of the following schemes:
<o:p></o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoNormal" style="margin-bottom:11.0pt;mso-list:l1 level1 lfo9"><span style="background:yellow;mso-highlight:yellow">For Audit Periods staring before 1 November 2020,</span> “WebTrust for CAs v2.0 or newer” AND “WebTrust for Certification Authorities
– Publicly Trusted Code Signing Certificates v1.0.1 or newer”; or <o:p></o:p></li><li class="MsoNormal" style="margin-bottom:11.0pt;mso-list:l1 level1 lfo9"><span style="background:yellow;mso-highlight:yellow">For Audit Periods staring before 1 November 2020,</span> “WebTrust for CAs v2.0 or newer” AND “WebTrust for Certification Authorities
– Extended Validation Code Signing v1.4.1 or newer”; or <o:p></o:p></li><li class="MsoNormal" style="margin-bottom:11.0pt;mso-list:l1 level1 lfo9"><span style="background:yellow;mso-highlight:yellow">For Audit Periods staring on or after 1 November 2020, “WebTrust for CAs v2.0 or newer” AND “WebTrust for Certification Authorities
– Code Signing Baseline Requirements v2.0 or newer”; or <o:p></o:p></span></li><li class="MsoNormal" style="margin-bottom:11.0pt;mso-list:l1 level1 lfo9">ETSI EN 319 411-1, which includes normative references to ETSI EN 319 401 (the latest version of the referenced ETSI documents should be applied); or<o:p></o:p></li><li class="MsoNormal" style="margin-bottom:11.0pt;mso-list:l1 level1 lfo9">If a Government CA is required by its Certificate Policy to use a different internal audit scheme, it MAY use such scheme provided that the audit either (a) encompasses all requirements
of one of the above schemes or (b) consists of comparable criteria that are available for public review.<o:p></o:p></li></ol>
<p class="MsoNormal">I will add to the CSCWG agenda for tomorrow’s meeting.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks, Bruce.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Ben Wilson <<a href="mailto:bwilson@mozilla.com">bwilson@mozilla.com</a>>
<br>
<b>Sent:</b> Tuesday, July 13, 2021 4:01 PM<br>
<b>To:</b> Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>><br>
<b>Cc:</b> <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [EXTERNAL] [Cscwg-public] WebTrust - EV Code Signing v.1.4.1 and ALV in the CCADB<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">It seems that additional work is needed to replace the EV Guidelines for Code Signing. For instance, section 17.1 of the Baseline Requirements for Code Signing says that the eligible audit scheme (for Baseline) can be “WebTrust for CAs
v2.0 or newer” AND “WebTrust for Certification Authorities – Extended Validation Code Signing v1.4.1 or newer”, but it doesn't seem to be the other way around (that the BRCS is sufficient for EVCS). Does this working group have plans to replace the EV Guidelines
for Code Signing with a unified guideline document?<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Tue, Jul 13, 2021 at 12:20 PM Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hi Ben,<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Based on how I interpret the requirements for the new CSBR v2.0 audit criteria, it should be used for all audit periods starting on or after 1 November 2020. So that would mean
that EVCS 1.4.1 could be used for periods starting before 1 November 2020. With a 3 month posting deadline, you could see EVCS 1.4.1 audit reports posted until 31 January 2022 (or later for late reports).<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">For example, if an audit period started on 1 October 2020 and ended on 30 September 2021, then the CA could use EVCS 1.4.1 and must post the report by 31 December 2021.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Bruce.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div style="border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in;border-color:currentcolor currentcolor">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b>From:</b> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org" target="_blank">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Ben Wilson via Cscwg-public<br>
<b>Sent:</b> Tuesday, July 13, 2021 1:55 PM<br>
<b>To:</b> <a href="mailto:cscwg-public@cabforum.org" target="_blank">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] [Cscwg-public] WebTrust - EV Code Signing v.1.4.1 and ALV in the CCADB<o:p></o:p></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">WARNING: This email originated outside of Entrust.<br>
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.<o:p></o:p></p>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" align="center">
</div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">All,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">In reference to the Webtrust Principles and Criteria and the CCADB's ALV processing of audit letters, see<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><a href="https://urldefense.com/v3/__https:/www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria__;!!FJ-Y8qCqXTj2!Of1UlBnrsakPt5Col1B5EeWGfnEFVf6SGVSJAehLcnY117n7naUu9KBRjfK7BVUX7yk$" target="_blank">https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria</a>,
which mentions <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">WebTrust for EV CS v. 1.4.1. At what point will a requirement for v. 1.4.1 go away, if it will? The reason I ask is that the CCADB gave me an ALV error recently when it processed
an EV CS audit letter because it did not specifically mention WebTrust EV CS v. 1.4.1.
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Thoughts?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Ben<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</body>
</html>