<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>No, no, no.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Both EV and OV have various rules for the minimum requirements to get a certificate.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>OV has an additional requirement that companies younger than three years old must additionally validate the applicant. Those rules have been there for a long time.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>EV lacks that additional requirement (due to an oversight, it seems), and therefore, paradoxically, OV certificates are actually more strongly vetted than EV for such companies. That shouldn’t be the case.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>All we’re suggesting is that EV should have the same or better rules for new companies, instead of the weaker rules that are currently in place.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The concrete proposal is that the OV language for new companies be modified to include EV certificates as well, which I believe was the original intent.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>-Tim<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Dimitris Zacharopoulos (HARICA) <dzacharo@harica.gr> <br><b>Sent:</b> Wednesday, July 28, 2021 12:51 PM<br><b>To:</b> Tim Hollebeek <tim.hollebeek@digicert.com>; Corey Bonnell <Corey.Bonnell@digicert.com>; cscwg-public@cabforum.org<br><b>Subject:</b> Re: [Cscwg-public] New companies and EV Code Signing<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On 28/7/2021 7:24 μ.μ., Tim Hollebeek wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal>The intent isn’t to forbid it. Young companies just have additional validation requirements, which have been there for quite a long time. And you shouldn’t be able to get around those additional requirements simply by getting a different certificate type. The bar should be uniform across security products, and if anything, should be higher for EV instead of lower, like it currently is.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p></blockquote><p class=MsoNormal>Agreed for keeping the same level but I'm not sure what you are proposing. The EV process allows for new companies to get a certificate following specific validation rules. You and Corey seem to suggest that for OV according to 11.1.1(4), there is no way for a new company (less than 3 years old) to be allowed to get an OV certificate and I'm not sure you would like to see that for EV Certificates or expect to see the EV process being applied for OV applicants. Can you please clarify? It's quite possible I have misunderstood your position so please forgive me if this was far from what you intended to convey.<br><br>Dimitris.<br><br><br><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal>-Tim<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Dimitris Zacharopoulos (HARICA) <a href="mailto:dzacharo@harica.gr"><dzacharo@harica.gr></a> <br><b>Sent:</b> Wednesday, July 28, 2021 2:10 AM<br><b>To:</b> Tim Hollebeek <a href="mailto:tim.hollebeek@digicert.com"><tim.hollebeek@digicert.com></a>; Corey Bonnell <a href="mailto:Corey.Bonnell@digicert.com"><Corey.Bonnell@digicert.com></a>; <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> Re: [Cscwg-public] New companies and EV Code Signing<o:p></o:p></p></div></div><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal style='margin-bottom:12.0pt'>I see. I probably misunderstood the word "individual" to mean a person associated with the organization.<br><br>IMO the requirement for non-EV is poorly written as I don't think it was ever the intent of this WG to forbid companies that are not 3 years old to obtain an OV Code Signing Certificate. If this was the intent and you can point me to minutes or any public discussion, we can certainly take a deeper look.<br><br>Thanks,<br>Dimitris.<o:p></o:p></p><div><p class=MsoNormal>On 27/7/2021 8:20 μ.μ., Tim Hollebeek wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal>I think what Corey is trying to point out is that EVG 11.6 is weaker than the OV CSBR requirement, so it in itself does not cover the EVCS gap we identified.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>-Tim<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Dimitris Zacharopoulos (HARICA) <a href="mailto:dzacharo@harica.gr"><dzacharo@harica.gr></a> <br><b>Sent:</b> Tuesday, July 27, 2021 12:35 AM<br><b>To:</b> Corey Bonnell <a href="mailto:Corey.Bonnell@digicert.com"><Corey.Bonnell@digicert.com></a>; <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>; Tim Hollebeek <a href="mailto:tim.hollebeek@digicert.com"><tim.hollebeek@digicert.com></a><br><b>Subject:</b> Re: [Cscwg-public] New companies and EV Code Signing<o:p></o:p></p></div></div><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal style='margin-bottom:12.0pt'> <o:p></o:p></p><div><p class=MsoNormal>On 27/7/2021 1:13 π.μ., Corey Bonnell wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal>Hi Dimitris,<o:p></o:p></p><p class=MsoNormal>Perhaps I’m missing some context, but any of the four verification options set forth in EVG 11.6.2 will satisfy 11.6 (and in turn, CSBR 11.2.7). Several of the verification options listed in that section do not provide the level of assurance that the CSBRs prescribe for individuals in section 11.1.2.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>With this in mind, I believe that harmonizing the individual vetting for new organizations requirement for OVCS with EVCS is a useful improvement.<o:p></o:p></p></blockquote><p class=MsoNormal><br>Certainly, but that's not the topic we were discussing with Tim, which was around the "3 years of existence" requirement for an organization to be validated.<br><br>Dimitris.<br><br><br><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Thanks,<o:p></o:p></p><p class=MsoNormal>Corey<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Cscwg-public <a href="mailto:cscwg-public-bounces@cabforum.org"><cscwg-public-bounces@cabforum.org></a> <b>On Behalf Of </b>Dimitris Zacharopoulos (HARICA) via Cscwg-public<br><b>Sent:</b> Saturday, July 24, 2021 4:13 AM<br><b>To:</b> Tim Hollebeek <a href="mailto:tim.hollebeek@digicert.com"><tim.hollebeek@digicert.com></a>; <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> Re: [Cscwg-public] New companies and EV Code Signing<o:p></o:p></p></div></div><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal style='margin-bottom:12.0pt'> <o:p></o:p></p><div><p class=MsoNormal>On 22/7/2021 7:11 μ.μ., Tim Hollebeek via Cscwg-public wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>I’m hearing from our code signing validation people that 11.1.1, which refers to non-EV CS certificates, has a requirement for additional validation for companies less than three years old (we’ve discussed this recently), but this requirement is missing for EV code signing certificates.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Is that what we want? It seems very odd that a higher level of validation has fewer requirements.<o:p></o:p></p></blockquote><p class=MsoNormal><br>Hi Tim,<br><br>For EV CS certificates there is a direct reference to the EV Guidelines. Specifically, 11.2.7 of the CSBRs point to EVG 11.6.<br><br>EVG 11.6.2 includes language for companies less than three years old. I recall bringing this up in one of the previous calls where it was pointed out that it's not necessary for a company to be less than 3 years old if the other verification methods described in 11.6.2 are used.<br><br>Hope this helps.<br><br>Dimitris.<br><br><br><br><br><br><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><span style='font-size:11.5pt;font-family:"Arial",sans-serif;color:#1D1C1D;background:#F8F8F8'>-Tim</span><o:p></o:p></p><p class=MsoNormal><br><br><br><br><br><o:p></o:p></p><pre>_______________________________________________<o:p></o:p></pre><pre>Cscwg-public mailing list<o:p></o:p></pre><pre><a href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a><o:p></o:p></pre><pre><a href="https://lists.cabforum.org/mailman/listinfo/cscwg-public">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a><o:p></o:p></pre></blockquote><p class=MsoNormal> <o:p></o:p></p></blockquote><p class=MsoNormal> <o:p></o:p></p></div></blockquote><p class=MsoNormal> <o:p></o:p></p></div></blockquote><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>