<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 27/7/2021 1:13 π.μ., Corey Bonnell
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DM6PR14MB2186C06705CB3AA711B6379892E89@DM6PR14MB2186.namprd14.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:"Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}@font-face
{font-family:"\@Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}div.WordSection1
{page:WordSection1;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hi Dimitris,<o:p></o:p></p>
<p class="MsoNormal">Perhaps I’m missing some context, but any
of the four verification options set forth in EVG 11.6.2 will
satisfy 11.6 (and in turn, CSBR 11.2.7). Several of the
verification options listed in that section do not provide the
level of assurance that the CSBRs prescribe for individuals in
section 11.1.2.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">With this in mind, I believe that
harmonizing the individual vetting for new organizations
requirement for OVCS with EVCS is a useful improvement.</p>
</div>
</blockquote>
<br>
Certainly, but that's not the topic we were discussing with Tim,
which was around the "3 years of existence" requirement for an
organization to be validated.<br>
<br>
Dimitris.<br>
<br>
<blockquote type="cite"
cite="mid:DM6PR14MB2186C06705CB3AA711B6379892E89@DM6PR14MB2186.namprd14.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Corey<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Cscwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:cscwg-public-bounces@cabforum.org"><cscwg-public-bounces@cabforum.org></a> <b>On Behalf Of
</b>Dimitris Zacharopoulos (HARICA) via Cscwg-public<br>
<b>Sent:</b> Saturday, July 24, 2021 4:13 AM<br>
<b>To:</b> Tim Hollebeek
<a class="moz-txt-link-rfc2396E" href="mailto:tim.hollebeek@digicert.com"><tim.hollebeek@digicert.com></a>;
<a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] New companies and EV
Code Signing<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 22/7/2021 7:11 μ.μ., Tim Hollebeek via
Cscwg-public wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I’m hearing from our code signing
validation people that 11.1.1, which refers to non-EV CS
certificates, has a requirement for additional validation
for companies less than three years old (we’ve discussed
this recently), but this requirement is missing for EV code
signing certificates.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Is that what we want? It seems very odd
that a higher level of validation has fewer requirements.<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><br>
Hi Tim,<br>
<br>
For EV CS certificates there is a direct reference to the EV
Guidelines. Specifically, 11.2.7 of the CSBRs point to EVG
11.6.<br>
<br>
EVG 11.6.2 includes language for companies less than three
years old. I recall bringing this up in one of the previous
calls where it was pointed out that it's not necessary for a
company to be less than 3 years old if the other verification
methods described in 11.6.2 are used.<br>
<br>
Hope this helps.<br>
<br>
Dimitris.<br>
<br>
<br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.5pt;font-family:"Arial",sans-serif;color:#1D1C1D;background:#F8F8F8">-Tim</span><o:p></o:p></p>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Cscwg-public mailing list<o:p></o:p></pre>
<pre><a href="mailto:Cscwg-public@cabforum.org" moz-do-not-send="true">Cscwg-public@cabforum.org</a><o:p></o:p></pre>
<pre><a href="https://lists.cabforum.org/mailman/listinfo/cscwg-public" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<br>
</body>
</html>