<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
I posted some proposed changes for consistency and accuracy.<br>
<ul>
<li><a class="moz-txt-link-freetext" href="https://github.com/cabforum/code-signing/pull/10#pullrequestreview-1118760785">https://github.com/cabforum/code-signing/pull/10#pullrequestreview-1118760785</a><br>
</li>
</ul>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 23/9/2022 3:55 p.m., Bruce Morton
via Cscwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:010001836a6b13f5-50f0c7af-3d1e-413b-b70e-da0b01b9324e-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal">Hi Martijn,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I will endorse the ballot.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks, Bruce.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Cscwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:cscwg-public-bounces@cabforum.org"><cscwg-public-bounces@cabforum.org></a>
<b>On Behalf Of </b>Martijn Katerbarg via Cscwg-public<br>
<b>Sent:</b> Friday, September 23, 2022 3:44 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] Re: [Cscwg-public] Proposal to
make changes to revocation based on malware<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">All,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">As
discussed on yesterday's call, the latest changes which Tim
and I were discussing are pushed into GitHub.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">The
complete change can be found at
<a
href="https://github.com/cabforum/code-signing/pull/10/files"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/cabforum/code-signing/pull/10/files</a>
for review.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Bruce,
Ian, since I earlier had your endorsements, please let me
know if they still stand. The changes since the
endorsements are captured in
<a
href="https://github.com/cabforum/code-signing/pull/10/commits/90fa38ab4dc5e5f9b25fce844b750d693f7256b7"
moz-do-not-send="true" class="moz-txt-link-freetext">
https://github.com/cabforum/code-signing/pull/10/commits/90fa38ab4dc5e5f9b25fce844b750d693f7256b7</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">If
there are no other comments, then hopefully we can start a
ballot process on this.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="mso-fareast-language:EN-US"><br>
Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Martijn<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Cscwg-public <<a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Martijn Katerbarg via Cscwg-public<br>
<b>Sent:</b> Tuesday, 19 July 2022 09:22<br>
<b>To:</b> Tim Hollebeek <<a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true" class="moz-txt-link-freetext">tim.hollebeek@digicert.com</a>>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] Proposal to make
changes to revocation based on malware<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Thanks Tim,<o:p></o:p></p>
<p class="MsoNormal"
style="margin-left:.5in;text-indent:-.25in"><o:p> </o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level1 lfo3">What is
the motivation for allowing a waiver if approved by just
“at least one” of the stakeholders, instead of all of
them?<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level1 lfo3">I’m a bit
concerned that language might be increasingly troublesome
as we continue to expand the scope and participation of
this group.<o:p></o:p></li>
</ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I believe it might be difficult to get
approval from all stakeholders within a certain amount of
time, meaning the CA would possibly never get all approvals,
and never be able to utilize the waiver.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Considering that signed code is often
(but not exclusively) targeted for a specific platform,
stakeholders of other platforms might not be inclined to
give approval for something that does not even affect them.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I do share your concern, but I also don’t
see a better path towards the same goal.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level1 lfo3">Similarly,
I’m unsure how I feel about making compliance distinctions
based on whether a particular root program has decided to
have a contractual relationship with its issuers or not.
That seems like an implementation detail of the
relationship that the guidelines should remain silent on.
But I appreciate what that definition is intended to do,
and would like to perhaps find a different way to express
the same intent.<o:p></o:p></li>
</ul>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Good
point, and maybe the word “contract” is too much here?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Although
I would note this language is already part of the
“Certificate Beneficiaries” definition right now.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">I’m
open to a different suggestion.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Tim Hollebeek <<a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true" class="moz-txt-link-freetext">tim.hollebeek@digicert.com</a>>
<br>
<b>Sent:</b> Friday, 15 July 2022 18:18<br>
<b>To:</b> Martijn Katerbarg <<a
href="mailto:martijn.katerbarg@sectigo.com"
moz-do-not-send="true" class="moz-txt-link-freetext">martijn.katerbarg@sectigo.com</a>>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> RE: [Cscwg-public] Proposal to make
changes to revocation based on malware<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">What is the motivation for allowing a
waiver if approved by just “at least one” of the
stakeholders, instead of all of them?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’m a bit concerned that language might
be increasingly troublesome as we continue to expand the
scope and participation of this group.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Similarly, I’m unsure how I feel about
making compliance distinctions based on whether a
particular root program has decided to have a contractual
relationship with its issuers or not. That seems like an
implementation detail of the relationship that the
guidelines should remain silent on. But I appreciate what
that definition is intended to do, and would like to
perhaps find a different way to express the same intent.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">-Tim<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-left:solid blue
1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Cscwg-public <<a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Martijn Katerbarg via
Cscwg-public<br>
<b>Sent:</b> Monday, June 27, 2022 10:04 AM<br>
<b>To:</b> <a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [Cscwg-public] Proposal to make
changes to revocation based on malware<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">All,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">As already hinted during the last
meeting during the F2F, Ian and I have been working on
a proposal affecting the guidelines regarding malware
based revocation.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The intent of this change is to:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo7">Limit
the number of days before a certificate needs to be
revoked, especially when the subscriber is not
responding to inquiries<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo7">Remove
the OCSP log analysis requirements<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo7">Simplify
the process that has to be followed<o:p></o:p></li>
</ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I have attached 3 documents: one with
the current language, one with the proposed language, as
well as a redlined version.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The changes have been made based on
upcoming version 3.0 of the CSCBRs. In case you wish to
compare with version 2.8, the relevant section is
13.1.5.3. Besides that section, there is also a
change to the “Suspect Code” definition, as well as a
new definition in the proposal.<o:p></o:p></p>
<p class="MsoNormal">Once <a
href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fcode-signing%2Fpull%2F6&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7C0a91a06103a94b96adf008da69575c2d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637938121195022126%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=BaODhyht2Dvw56UXKIt47jk14XlswOCarDkBIOJs72U%3D&reserved=0"
moz-do-not-send="true">
PR6</a> has been merged, I will also prepare the
changes in Git for those that prefer comparing there.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Looking forward to comments on this
and moving towards a potential ballot.<br>
<br>
Regards,<br>
<br>
Martijn<o:p></o:p></p>
</div>
</div>
</div>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Cscwg-public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/cscwg-public">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a>
</pre>
</blockquote>
<br>
</body>
</html>