<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:63531771;
mso-list-template-ids:-267214044;}
@list l0:level1
{mso-level-start-at:3;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1
{mso-list-id:405227729;
mso-list-template-ids:1736054886;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2
{mso-list-id:509372282;
mso-list-template-ids:-150046534;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3
{mso-list-id:723479714;
mso-list-template-ids:-1039646974;}
@list l3:level1
{mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3:level2
{mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3:level3
{mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3:level4
{mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3:level5
{mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3:level6
{mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3:level7
{mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3:level8
{mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3:level9
{mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4
{mso-list-id:1166628184;
mso-list-template-ids:-1887302228;}
@list l4:level1
{mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4:level2
{mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4:level3
{mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4:level4
{mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4:level5
{mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4:level6
{mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4:level7
{mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4:level8
{mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4:level9
{mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l5
{mso-list-id:1167597196;
mso-list-template-ids:792339830;}
@list l6
{mso-list-id:1850606300;
mso-list-template-ids:-1591994200;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=en-SE link="#0563C1" vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:EN-US'>All, <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:EN-US'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:EN-US'>I just pushed a new commit (<a href="https://github.com/cabforum/code-signing/pull/10/commits/8e7e3b4e57960994edea267f0e753358aad99574">https://github.com/cabforum/code-signing/pull/10/commits/8e7e3b4e57960994edea267f0e753358aad99574</a>) based on the discussions and comments I’ve had and received. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:EN-US'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=en-SE style='mso-fareast-language:EN-US'>The complete ballot “redline” in GitHub is available for review on</span><span lang=en-SE style='mso-fareast-language:EN-US'> </span><span lang=EN-US style='mso-fareast-language:EN-US'><a href="https://github.com/cabforum/code-signing/pull/10/files">https://github.com/cabforum/code-signing/pull/10/files</a><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:EN-US'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:EN-US'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=en-SE style='mso-fareast-language:EN-US'><o:p>&nbsp;</o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US>From:</span></b><span lang=EN-US> Cscwg-public &lt;cscwg-public-bounces@cabforum.org&gt; <b>On Behalf Of </b>Martijn Katerbarg via Cscwg-public<br><b>Sent:</b> Monday, 26 September 2022 11:58<br><b>To:</b> Dimitris Zacharopoulos (HARICA) &lt;dzacharo@harica.gr&gt;; cscwg-public@cabforum.org<br><b>Subject:</b> Re: [Cscwg-public] Proposal to make changes to revocation based on
malware<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div style='border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='line-height:12.0pt;background:#FAFA03'><span lang=en-SE style='font-size:10.0pt;color:black'>CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.<o:p></o:p></span></p></div><p class=MsoNormal><span lang=en-SE style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p><div><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:EN-US'>Thank you Dimitris. That makes sense. I’ve pushed an update to the draft-PR<o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US>From:</span></b><span lang=EN-US> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org">cscwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b>Dimitris Zacharopoulos (HARICA) via Cscwg-public<br><b>Sent:</b> Friday, 23 September 2022 18:47<br><b>To:</b> <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> Re: [Cscwg-public] Proposal to make changes to revocation based on malware<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=en-SE><o:p> </o:p></span></p><div style='border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='line-height:12.0pt;background:#FAFA03'><span lang=en-SE style='font-size:10.0pt;color:black'>CAUTION: This email originated from outside of the organization. 
Do not click links or open attachments unless you recognize the sender and know the content is safe.<o:p></o:p></span></p></div><p class=MsoNormal><span lang=en-SE style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p><div><p class=MsoNormal><span lang=en-SE>I posted some proposed changes for consistency and accuracy.<o:p></o:p></span></p><ul type=disc><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo3'><span lang=en-SE><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fcode-signing%2Fpull%2F10%23pullrequestreview-1118760785&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7Cf2e920d96a194144e92408da9fa588be%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637997830583026640%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=g7AF3wOHsz1IJTPhpeQDNecAXi9ECjGwndir1vOyh%2Bo%3D&reserved=0">https://github.com/cabforum/code-signing/pull/10#pullrequestreview-1118760785</a><o:p></o:p></span></li></ul><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=en-SE><br>Thanks,<br>Dimitris.<o:p></o:p></span></p><div><p class=MsoNormal><span lang=en-SE>On 23/9/2022 3:55 μ.μ., Bruce Morton via Cscwg-public wrote:<o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span lang=en-SE>Hi Martjin,<o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE> <o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE>I will endorse the ballot.<o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE> <o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE>Thanks, Bruce.<o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE> <o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=en-SE>From:</span></b><span lang=en-SE> Cscwg-public <a 
href="mailto:cscwg-public-bounces@cabforum.org">&lt;cscwg-public-bounces@cabforum.org&gt;</a> <b>On Behalf Of </b>Martijn Katerbarg via Cscwg-public<br><b>Sent:</b> Friday, September 23, 2022 3:44 AM<br><b>To:</b> <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> [EXTERNAL] Re: [Cscwg-public] Proposal to make changes to revocation based on malware<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=en-SE>&nbsp;<o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE>WARNING: This email originated outside of Entrust.<br>DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.<o:p></o:p></span></p><div class=MsoNormal align=center style='text-align:center'><span lang=en-SE><hr size=1 width="100%" align=center></span></div><p class=MsoNormal><span lang=en-SE style='mso-fareast-language:EN-US'>All,</span><span lang=en-SE><o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE style='mso-fareast-language:EN-US'>&nbsp;</span><span lang=en-SE><o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE style='mso-fareast-language:EN-US'>As discussed on yesterday’s call, the latest changes that Tim and I were discussing have been pushed to GitHub.
</span><span lang=en-SE><o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE style='mso-fareast-language:EN-US'> </span><span lang=en-SE><o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE style='mso-fareast-language:EN-US'>The complete change can be found at <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fcode-signing%2Fpull%2F10%2Ffiles&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7Cf2e920d96a194144e92408da9fa588be%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637997830583026640%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2B%2BPhPxD7FCmgWwu8lewFgwJ3HsqVaQG8xHqh9rDwT0A%3D&reserved=0">https://github.com/cabforum/code-signing/pull/10/files</a> for review.</span><span lang=en-SE><o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE style='mso-fareast-language:EN-US'> </span><span lang=en-SE><o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE style='mso-fareast-language:EN-US'>Bruce, Ian, since I earlier had your endorsements, please let me know if they still stand. 
The changes since the endorsements, are captured in <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fcode-signing%2Fpull%2F10%2Fcommits%2F90fa38ab4dc5e5f9b25fce844b750d693f7256b7&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7Cf2e920d96a194144e92408da9fa588be%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637997830583026640%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=UGEioAAK0aSj7XRMu5ZHpxJoBjcUwlTp9d2c9c3X%2BWI%3D&reserved=0">https://github.com/cabforum/code-signing/pull/10/commits/90fa38ab4dc5e5f9b25fce844b750d693f7256b7</a></span><span lang=en-SE><o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE style='mso-fareast-language:EN-US'> </span><span lang=en-SE><o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE style='mso-fareast-language:EN-US'>If there are no other comments, then hopefully we can start a ballot process on this.</span><span lang=en-SE><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=en-SE style='mso-fareast-language:EN-US'><br>Regards,</span><span lang=en-SE><o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE style='mso-fareast-language:EN-US'>Martijn</span><span lang=en-SE><o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE style='mso-fareast-language:EN-US'> </span><span lang=en-SE><o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE style='mso-fareast-language:EN-US'> </span><span lang=en-SE><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=en-SE>From:</span></b><span lang=en-SE> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org">cscwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b>Martijn Katerbarg via Cscwg-public<br><b>Sent:</b> Tuesday, 19 July 2022 09:22<br><b>To:</b> Tim Hollebeek <<a 
href="mailto:tim.hollebeek@digicert.com">tim.hollebeek@digicert.com</a>>; <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> Re: [Cscwg-public] Proposal to make changes to revocation based on malware<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=en-SE> <o:p></o:p></span></p><div style='border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='line-height:12.0pt;background:#FAFA03'><span lang=en-SE style='font-size:10.0pt;color:black'>CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span><span lang=en-SE><o:p></o:p></span></p></div><p class=MsoNormal><span lang=en-SE> <o:p></o:p></span></p><div><p class=MsoNormal><span lang=en-SE>Thanks Tim,<o:p></o:p></span></p><p class=MsoNormal style='margin-left:36.0pt;text-indent:-18.0pt'><span lang=en-SE> <o:p></o:p></span></p><ol style='margin-top:0cm' start=1 type=1><li class=MsoListParagraph style='margin-left:0cm;mso-list:l3 level1 lfo6'><span lang=en-SE>What is the motivation for allowing a waiver if approved by just “at least one” of the stakeholders, instead of all of them?<o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0cm;mso-list:l3 level1 lfo6'><span lang=en-SE>I’m a bit concerned that language might be increasingly troublesome as we continue to expand the scope and participation of this group.<o:p></o:p></span></li></ol><p class=MsoNormal><span lang=en-SE> <o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE>I believe it might be difficult to get approval from all stakeholders within a certain amount of time, meaning the CA would possibly never get all approvals, and never be able to utilize the waiver. 
<o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE> <o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE>Considering that signed code is often (but not exclusively) targeted for a specific platform, stakeholders of other platforms might not be inclined to give approval for something that does not even affect them. <o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE> <o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE>I do share your concern, but I also don’t see a better path towards the same goal.<o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE> <o:p></o:p></span></p><ol style='margin-top:0cm' start=3 type=1><li class=MsoListParagraph style='margin-left:0cm;mso-list:l3 level1 lfo6'><span lang=en-SE>Similarly, I’m unsure how I feel about making compliance distinctions based on whether a particular root program has decided to have a contractual relationship with its issuers or not. That seems like an implementation detail of the relationship that the guidelines should remain silent on. 
But I appreciate what that definition is intended to do, and would like to perhaps find a different way to express the same intent.<o:p></o:p></span></li></ol><p class=MsoNormal><span lang=en-SE style='mso-fareast-language:EN-US'> </span><span lang=en-SE><o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE style='mso-fareast-language:EN-US'>Good point, and maybe the word “contract” is too much here?</span><span lang=en-SE><o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE style='mso-fareast-language:EN-US'>Although I would note this language is already part of the “Certificate Beneficiaries” definition right now.</span><span lang=en-SE><o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE style='mso-fareast-language:EN-US'> </span><span lang=en-SE><o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE style='mso-fareast-language:EN-US'>I’m open for a different suggestion </span><span lang=en-SE><o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE style='mso-fareast-language:EN-US'> </span><span lang=en-SE><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=en-SE>From:</span></b><span lang=en-SE> Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com">tim.hollebeek@digicert.com</a>> <br><b>Sent:</b> Friday, 15 July 2022 18:18<br><b>To:</b> Martijn Katerbarg <<a href="mailto:martijn.katerbarg@sectigo.com">martijn.katerbarg@sectigo.com</a>>; <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> RE: [Cscwg-public] Proposal to make changes to revocation based on malware<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=en-SE> <o:p></o:p></span></p><div style='border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='line-height:12.0pt;background:#FAFA03'><span lang=en-SE style='font-size:10.0pt;color:black'>CAUTION: This email originated from outside of the organization. 
Do not click links or open attachments unless you recognize the sender and know the content is safe.</span><span lang=en-SE><o:p></o:p></span></p></div><p class=MsoNormal><span lang=en-SE> <o:p></o:p></span></p><div><p class=MsoNormal><span lang=en-SE>What is the motivation for allowing a waiver if approved by just “at least one” of the stakeholders, instead of all of them?<o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE> <o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE>I’m a bit concerned that language might be increasingly troublesome as we continue to expand the scope and participation of this group.<o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE> <o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE>Similarly, I’m unsure how I feel about making compliance distinctions based on whether a particular root program has decided to have a contractual relationship with its issuers or not. That seems like an implementation detail of the relationship that the guidelines should remain silent on. 
But I appreciate what that definition is intended to do, and would like to perhaps find a different way to express the same intent.<o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE>&nbsp;<o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE>-Tim<o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE>&nbsp;<o:p></o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=en-SE>From:</span></b><span lang=en-SE> Cscwg-public &lt;<a href="mailto:cscwg-public-bounces@cabforum.org">cscwg-public-bounces@cabforum.org</a>&gt; <b>On Behalf Of </b>Martijn Katerbarg via Cscwg-public<br><b>Sent:</b> Monday, June 27, 2022 10:04 AM<br><b>To:</b> <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> [Cscwg-public] Proposal to make changes to revocation based on malware<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=en-SE>&nbsp;<o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE>All,<o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE>&nbsp;<o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE>As already hinted during the last meeting at the F2F, Ian and I have been working on a proposal affecting the guidelines regarding malware-based revocation.<o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE>&nbsp;<o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE>The intent of this change is to:<o:p></o:p></span></p><ol style='margin-top:0cm' start=1 type=1><li class=MsoListParagraph style='margin-left:0cm;mso-list:l4 level1 lfo10'><span lang=en-SE>Limit the number of days before a certificate needs to be revoked, especially when the subscriber is not responding to inquiries<o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0cm;mso-list:l4 level1 lfo10'><span lang=en-SE>Remove the OCSP log analysis requirements<o:p></o:p></span></li><li
class=MsoListParagraph style='margin-left:0cm;mso-list:l4 level1 lfo10'><span lang=en-SE>Simplify the process that has to be followed<o:p></o:p></span></li></ol><p class=MsoNormal><span lang=en-SE>&nbsp;<o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE>I have attached 3 documents: one with the current language, one with the proposed language, as well as a redlined version.<o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE>&nbsp;<o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE>The changes have been made based on the upcoming version 3.0 of the CSCBRs. In case you wish to compare with version 2.8, the relevant section is 13.1.5.3. Besides that section, there is also a change to the “Suspect Code” definition, as well as a new definition in the proposal.<o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE>Once <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fcode-signing%2Fpull%2F6&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7Cf2e920d96a194144e92408da9fa588be%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637997830583026640%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=n4OEwF2wENZcybrM2xDM9EydxteMCnk3hFjz4ppMXM4%3D&reserved=0">PR6</a> has been merged, I will also prepare the changes in Git for those who prefer comparing there.<o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE>&nbsp;<o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE>I look forward to comments on this and to moving towards a potential ballot.<br><br>Regards,<br><br>Martijn<o:p></o:p></span></p></div></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><i><span lang=en-SE style='font-size:12.0pt;font-family:"Times New Roman",serif'>Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed.
If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. <u>Please notify Entrust immediately</u> and delete the message from your system.</span></i><span lang=en-SE style='font-size:12.0pt;font-family:"Times New Roman",serif'> <o:p></o:p></span></p><pre><span lang=en-SE>_______________________________________________<o:p></o:p></span></pre><pre><span lang=en-SE>Cscwg-public mailing list<o:p></o:p></span></pre><pre><span lang=en-SE><a href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a><o:p></o:p></span></pre><pre><span lang=en-SE><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fcscwg-public&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7Cf2e920d96a194144e92408da9fa588be%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637997830583026640%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=hiC5LDgFoTgEPpgOQvckJAi9u5LIynfoW8ZljlmlWxU%3D&reserved=0">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a><o:p></o:p></span></pre></blockquote><p class=MsoNormal><span lang=en-SE style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p></div></div></div></body></html>