<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
I see. I probably misunderstood the word "individual" to mean a
person associated with the organization.<br>
<br>
IMO the requirement for non-EV is poorly written as I don't think it
was ever the intent of this WG to forbid companies that are not 3
years old to obtain an OV Code Signing Certificate. If this was the
intent and you can point me to minutes or any public discussion, we
can certainly take a deeper look.<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 27/7/2021 8:20 μ.μ., Tim Hollebeek
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DM8PR14MB523726F54001F9031609313E83E99@DM8PR14MB5237.namprd14.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}div.WordSection1
{page:WordSection1;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">I think what Corey is trying to point out
is that EVG 11.6 is weaker than the OV CSBR requirement, so it
in itself does not cover the EVCS gap we identified.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">-Tim<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in
0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Dimitris Zacharopoulos
(HARICA) <a class="moz-txt-link-rfc2396E" href="mailto:dzacharo@harica.gr"><dzacharo@harica.gr></a> <br>
<b>Sent:</b> Tuesday, July 27, 2021 12:35 AM<br>
<b>To:</b> Corey Bonnell
<a class="moz-txt-link-rfc2396E" href="mailto:Corey.Bonnell@digicert.com"><Corey.Bonnell@digicert.com></a>;
<a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>; Tim Hollebeek
<a class="moz-txt-link-rfc2396E" href="mailto:tim.hollebeek@digicert.com"><tim.hollebeek@digicert.com></a><br>
<b>Subject:</b> Re: [Cscwg-public] New companies and EV
Code Signing<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 27/7/2021 1:13 π.μ., Corey Bonnell
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hi Dimitris,<o:p></o:p></p>
<p class="MsoNormal">Perhaps I’m missing some context, but
any of the four verification options set forth in EVG
11.6.2 will satisfy 11.6 (and in turn, CSBR 11.2.7).
Several of the verification options listed in that section
do not provide the level of assurance that the CSBRs
prescribe for individuals in section 11.1.2.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">With this in mind, I believe that
harmonizing the individual vetting for new organizations
requirement for OVCS with EVCS is a useful improvement.<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><br>
Certainly, but that's not the topic we were discussing with
Tim, which was around the "3 years of existence" requirement
for an organization to be validated.<br>
<br>
Dimitris.<br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Corey<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Cscwg-public <a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true"><cscwg-public-bounces@cabforum.org></a>
<b>On Behalf Of </b>Dimitris Zacharopoulos (HARICA)
via Cscwg-public<br>
<b>Sent:</b> Saturday, July 24, 2021 4:13 AM<br>
<b>To:</b> Tim Hollebeek <a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true"><tim.hollebeek@digicert.com></a>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] New companies and
EV Code Signing<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"> <o:p></o:p></p>
<div>
<p class="MsoNormal">On 22/7/2021 7:11 μ.μ., Tim Hollebeek
via Cscwg-public wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I’m hearing from our code signing
validation people that 11.1.1, which refers to non-EV CS
certificates, has a requirement for additional
validation for companies less than three years old
(we’ve discussed this recently), but this requirement is
missing for EV code signing certificates.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Is that what we want? It seems very
odd that a higher level of validation has fewer
requirements.<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><br>
Hi Tim,<br>
<br>
For EV CS certificates there is a direct reference to the
EV Guidelines. Specifically, 11.2.7 of the CSBRs point to
EVG 11.6.<br>
<br>
EVG 11.6.2 includes language for companies less than three
years old. I recall bringing this up in one of the
previous calls where it was pointed out that it's not
necessary for a company to be less than 3 years old if the
other verification methods described in 11.6.2 are used.<br>
<br>
Hope this helps.<br>
<br>
Dimitris.<br>
<br>
<br>
<br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.5pt;font-family:"Arial",sans-serif;color:#1D1C1D;background:#F8F8F8">-Tim</span><o:p></o:p></p>
<p class="MsoNormal"><br>
<br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Cscwg-public mailing list<o:p></o:p></pre>
<pre><a href="mailto:Cscwg-public@cabforum.org" moz-do-not-send="true">Cscwg-public@cabforum.org</a><o:p></o:p></pre>
<pre><a href="https://lists.cabforum.org/mailman/listinfo/cscwg-public" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"> <o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</blockquote>
<br>
</body>
</html>