<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 28/7/2021 7:24 PM, Tim Hollebeek
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DM8PR14MB5237C4A106379F6ACD9F486C83EA9@DM8PR14MB5237.namprd14.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal">The intent isn’t to forbid it. Young
companies just have additional validation requirements, which
have been there for quite a long time. And you shouldn’t be
able to get around those additional requirements simply by
getting a different certificate type. The bar should be
uniform across security products, and if anything, should be
higher for EV instead of lower, like it currently is.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
Agreed for keeping the same level but I'm not sure what you are
proposing. The EV process allows for new companies to get a
certificate following specific validation rules. You and Corey seem
to suggest that for OV according to 11.1.1(4), there is no way for a
new company (less than 3 years old) to be allowed to get an OV
certificate and I'm not sure you would like to see that for EV
Certificates or expect to see the EV process being applied for OV
applicants. Can you please clarify? It's quite possible I have
misunderstood your position so please forgive me if this was far
from what you intended to convey.<br>
<br>
Dimitris.<br>
<br>
<br>
<br>
<blockquote type="cite"
cite="mid:DM8PR14MB5237C4A106379F6ACD9F486C83EA9@DM8PR14MB5237.namprd14.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal">-Tim<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in
0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Dimitris Zacharopoulos
(HARICA) <a class="moz-txt-link-rfc2396E" href="mailto:dzacharo@harica.gr">&lt;dzacharo@harica.gr&gt;</a> <br>
<b>Sent:</b> Wednesday, July 28, 2021 2:10 AM<br>
<b>To:</b> Tim Hollebeek
<a class="moz-txt-link-rfc2396E" href="mailto:tim.hollebeek@digicert.com">&lt;tim.hollebeek@digicert.com&gt;</a>; Corey Bonnell
<a class="moz-txt-link-rfc2396E" href="mailto:Corey.Bonnell@digicert.com">&lt;Corey.Bonnell@digicert.com&gt;</a>;
<a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] New companies and EV
Code Signing<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">I see. I
probably misunderstood the word "individual" to mean a
person associated with the organization.<br>
<br>
IMO the requirement for non-EV is poorly written as I don't
think it was ever the intent of this WG to forbid companies
that are not 3 years old to obtain an OV Code Signing
Certificate. If this was the intent and you can point me to
minutes or any public discussion, we can certainly take a
deeper look.<br>
<br>
Thanks,<br>
Dimitris.<o:p></o:p></p>
<div>
<p class="MsoNormal">On 27/7/2021 8:20 PM, Tim Hollebeek
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">I think what Corey is trying to point
out is that EVG 11.6 is weaker than the OV CSBR
requirement, so it in itself does not cover the EVCS gap
we identified.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">-Tim<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div style="border:none;border-left:solid blue
1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Dimitris
Zacharopoulos (HARICA) <a
href="mailto:dzacharo@harica.gr"
moz-do-not-send="true">&lt;dzacharo@harica.gr&gt;</a>
<br>
<b>Sent:</b> Tuesday, July 27, 2021 12:35 AM<br>
<b>To:</b> Corey Bonnell <a
href="mailto:Corey.Bonnell@digicert.com"
moz-do-not-send="true">&lt;Corey.Bonnell@digicert.com&gt;</a>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true">cscwg-public@cabforum.org</a>;
Tim Hollebeek <a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true">&lt;tim.hollebeek@digicert.com&gt;</a><br>
<b>Subject:</b> Re: [Cscwg-public] New companies and
EV Code Signing<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"> <o:p></o:p></p>
<div>
<p class="MsoNormal">On 27/7/2021 1:13 AM, Corey
Bonnell wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hi Dimitris,<o:p></o:p></p>
<p class="MsoNormal">Perhaps I’m missing some context,
but any of the four verification options set forth in
EVG 11.6.2 will satisfy 11.6 (and in turn, CSBR
11.2.7). Several of the verification options listed in
that section do not provide the level of assurance
that the CSBRs prescribe for individuals in section
11.1.2.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">With this in mind, I believe that
harmonizing the individual vetting for new
organizations requirement for OVCS with EVCS is a
useful improvement.<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><br>
Certainly, but that's not the topic we were discussing
with Tim, which was around the "3 years of existence"
requirement for an organization to be validated.<br>
<br>
Dimitris.<br>
<br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Corey<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Cscwg-public <a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true">&lt;cscwg-public-bounces@cabforum.org&gt;</a>
<b>On Behalf Of </b>Dimitris Zacharopoulos
(HARICA) via Cscwg-public<br>
<b>Sent:</b> Saturday, July 24, 2021 4:13 AM<br>
<b>To:</b> Tim Hollebeek <a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true">&lt;tim.hollebeek@digicert.com&gt;</a>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] New companies
and EV Code Signing<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"> <o:p></o:p></p>
<div>
<p class="MsoNormal">On 22/7/2021 7:11 PM, Tim
Hollebeek via Cscwg-public wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I’m hearing from our code signing
validation people that 11.1.1, which refers to
non-EV CS certificates, has a requirement for
additional validation for companies less than three
years old (we’ve discussed this recently), but this
requirement is missing for EV code signing
certificates.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Is that what we want? It seems
very odd that a higher level of validation has fewer
requirements.<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><br>
Hi Tim,<br>
<br>
For EV CS certificates there is a direct reference to
the EV Guidelines. Specifically, 11.2.7 of the CSBRs
points to EVG 11.6.<br>
<br>
EVG 11.6.2 includes language for companies less than
three years old. I recall bringing this up in one of
the previous calls where it was pointed out that it's
not necessary for a company to be less than 3 years
old if the other verification methods described in
11.6.2 are used.<br>
<br>
Hope this helps.<br>
<br>
Dimitris.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.5pt;font-family:&quot;Arial&quot;,sans-serif;color:#1D1C1D;background:#F8F8F8">-Tim</span><o:p></o:p></p>
<p class="MsoNormal"><br>
<br>
<br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Cscwg-public mailing list<o:p></o:p></pre>
<pre><a href="mailto:Cscwg-public@cabforum.org" moz-do-not-send="true">Cscwg-public@cabforum.org</a><o:p></o:p></pre>
<pre><a href="https://lists.cabforum.org/mailman/listinfo/cscwg-public" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"> <o:p></o:p></p>
</blockquote>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</blockquote>
<br>
</body>
</html>