<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 28/11/2022 2:50 μ.μ., Martijn
Katerbarg via Cscwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:01000184be4a111a-f12bf3e9-89dc-4385-8518-82c412b114ed-000000@email.amazonses.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
<style>@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
font-size:10.0pt;
font-family:"Courier New";}p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}div.WordSection1
{page:WordSection1;}ol
{margin-bottom:0cm;}ul
{margin-bottom:0cm;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US">All, <o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US">I just pushed a new commit (<a
href="https://github.com/cabforum/code-signing/pull/10/commits/8e7e3b4e57960994edea267f0e753358aad99574"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/cabforum/code-signing/pull/10/commits/8e7e3b4e57960994edea267f0e753358aad99574</a>)
based on the discussions and comments I’ve had and received.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="en-SE">The complete ballot “redline” in GitHub is
available for review on</span><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><span
style="mso-fareast-language:EN-US" lang="EN-US"><a
href="https://github.com/cabforum/code-signing/pull/10/files"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/cabforum/code-signing/pull/10/files</a></span></p>
</div>
</blockquote>
<br>
If the CA confirms that a Subscriber has signed "Suspect Code", how
would the group feel with a proposal to require CAs to <b>backdate
revoke</b> the Code Signing Certificate to a date and time that
would neutralize the Suspect Code? If this date and time is unlikely
to be determined, backdate revoke 1'' after the notBefore date and
time of the Code Signing Certificate?<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<br>
<blockquote type="cite"
cite="mid:01000184be4a111a-f12bf3e9-89dc-4385-8518-82c412b114ed-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="en-SE"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Cscwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:cscwg-public-bounces@cabforum.org"><cscwg-public-bounces@cabforum.org></a> <b>On Behalf
Of </b>Martijn Katerbarg via Cscwg-public<br>
<b>Sent:</b> Monday, 26 September 2022 11:58<br>
<b>To:</b> Dimitris Zacharopoulos (HARICA)
<a class="moz-txt-link-rfc2396E" href="mailto:dzacharo@harica.gr"><dzacharo@harica.gr></a>; <a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] Proposal to make
changes to revocation based on malware<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt
2.0pt">
<p class="MsoNormal"
style="line-height:12.0pt;background:#FAFA03"><span
style="font-size:10.0pt;color:black" lang="en-SE">CAUTION:
This email originated from outside of the organization. Do
not click links or open attachments unless you recognize
the sender and know the content is safe.<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif" lang="en-SE"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US">Thank you Dimitris. That makes sense. I’ve
pushed an update to the draft-PR<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="en-SE"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Cscwg-public <<a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Dimitris Zacharopoulos (HARICA)
via Cscwg-public<br>
<b>Sent:</b> Friday, 23 September 2022 18:47<br>
<b>To:</b> <a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] Proposal to make
changes to revocation based on malware<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="en-SE"><o:p> </o:p></span></p>
<div style="border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt
2.0pt">
<p class="MsoNormal"
style="line-height:12.0pt;background:#FAFA03"><span
style="font-size:10.0pt;color:black" lang="en-SE">CAUTION:
This email originated from outside of the organization.
Do not click links or open attachments unless you
recognize the sender and know the content is safe.<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif" lang="en-SE"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span lang="en-SE">I posted some
proposed changes for consistency and accuracy.<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2
level1 lfo3"><span lang="en-SE"><a
href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fcode-signing%2Fpull%2F10%23pullrequestreview-1118760785&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7Cf2e920d96a194144e92408da9fa588be%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637997830583026640%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=g7AF3wOHsz1IJTPhpeQDNecAXi9ECjGwndir1vOyh%2Bo%3D&reserved=0"
moz-do-not-send="true">https://github.com/cabforum/code-signing/pull/10#pullrequestreview-1118760785</a><o:p></o:p></span></li>
</ul>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
lang="en-SE"><br>
Thanks,<br>
Dimitris.<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="en-SE">On 23/9/2022 3:55
μ.μ., Bruce Morton via Cscwg-public wrote:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="en-SE">Hi Martjin,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE">I will endorse the
ballot.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE">Thanks, Bruce.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE"> <o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="en-SE">From:</span></b><span
lang="en-SE"> Cscwg-public <a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true"><cscwg-public-bounces@cabforum.org></a>
<b>On Behalf Of </b>Martijn Katerbarg via
Cscwg-public<br>
<b>Sent:</b> Friday, September 23, 2022 3:44 AM<br>
<b>To:</b> <a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] Re: [Cscwg-public]
Proposal to make changes to revocation based on
malware<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="en-SE"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE">WARNING: This
email originated outside of Entrust.<br>
DO NOT CLICK links or attachments unless you trust the
sender and know the content is safe.<o:p></o:p></span></p>
<div class="MsoNormal" style="text-align:center"
align="center"><span lang="en-SE">
<hr width="100%" size="1" align="center"></span></div>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE">All,</span><span
lang="en-SE"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><span
lang="en-SE"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE">As
discussed on yesterdays call, the latest changes which
Tim and I were discussing are pushed into Github. </span><span
lang="en-SE"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><span
lang="en-SE"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE">The
complete change can be found at <a
href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fcode-signing%2Fpull%2F10%2Ffiles&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7Cf2e920d96a194144e92408da9fa588be%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637997830583026640%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2B%2BPhPxD7FCmgWwu8lewFgwJ3HsqVaQG8xHqh9rDwT0A%3D&reserved=0"
moz-do-not-send="true">https://github.com/cabforum/code-signing/pull/10/files</a>
for review.</span><span lang="en-SE"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><span
lang="en-SE"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE">Bruce,
Ian, since I earlier had your endorsements, please let
me know if they still stand. The changes since the
endorsements, are captured in <a
href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fcode-signing%2Fpull%2F10%2Fcommits%2F90fa38ab4dc5e5f9b25fce844b750d693f7256b7&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7Cf2e920d96a194144e92408da9fa588be%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637997830583026640%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=UGEioAAK0aSj7XRMu5ZHpxJoBjcUwlTp9d2c9c3X%2BWI%3D&reserved=0"
moz-do-not-send="true">https://github.com/cabforum/code-signing/pull/10/commits/90fa38ab4dc5e5f9b25fce844b750d693f7256b7</a></span><span
lang="en-SE"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><span
lang="en-SE"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE">If
there are no other comments, then hopefully we can
start a ballot process on this.</span><span
lang="en-SE"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="mso-fareast-language:EN-US" lang="en-SE"><br>
Regards,</span><span lang="en-SE"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE">Martijn</span><span
lang="en-SE"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><span
lang="en-SE"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><span
lang="en-SE"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="en-SE">From:</span></b><span
lang="en-SE"> Cscwg-public <<a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Martijn Katerbarg via
Cscwg-public<br>
<b>Sent:</b> Tuesday, 19 July 2022 09:22<br>
<b>To:</b> Tim Hollebeek <<a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">tim.hollebeek@digicert.com</a>>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] Proposal to
make changes to revocation based on malware<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="en-SE"> <o:p></o:p></span></p>
<div style="border:solid black 1.0pt;padding:2.0pt 2.0pt
2.0pt 2.0pt">
<p class="MsoNormal"
style="line-height:12.0pt;background:#FAFA03"><span
style="font-size:10.0pt;color:black" lang="en-SE">CAUTION:
This email originated from outside of the
organization. Do not click links or open attachments
unless you recognize the sender and know the content
is safe.</span><span lang="en-SE"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="en-SE"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="en-SE">Thanks Tim,<o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-left:36.0pt;text-indent:-18.0pt"><span
lang="en-SE"> <o:p></o:p></span></p>
<ol style="margin-top:0cm" type="1" start="1">
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l3 level1 lfo6"><span
lang="en-SE">What is the motivation for allowing a
waiver if approved by just “at least one” of the
stakeholders, instead of all of them?<o:p></o:p></span></li>
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l3 level1 lfo6"><span
lang="en-SE">I’m a bit concerned that language
might be increasingly troublesome as we continue
to expand the scope and participation of this
group.<o:p></o:p></span></li>
</ol>
<p class="MsoNormal"><span lang="en-SE"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE">I believe it
might be difficult to get approval from all
stakeholders within a certain amount of time,
meaning the CA would possibly never get all
approvals, and never be able to utilize the waiver.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE">Considering that
signed code is often (but not exclusively) targeted
for a specific platform, stakeholders of other
platforms might not be inclined to give approval for
something that does not even affect them. <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE">I do share your
concern, but I also don’t see a better path towards
the same goal.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE"> <o:p></o:p></span></p>
<ol style="margin-top:0cm" type="1" start="3">
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l3 level1 lfo6"><span
lang="en-SE">Similarly, I’m unsure how I feel
about making compliance distinctions based on
whether a particular root program has decided to
have a contractual relationship with its issuers
or not. That seems like an implementation detail
of the relationship that the guidelines should
remain silent on. But I appreciate what that
definition is intended to do, and would like to
perhaps find a different way to express the same
intent.<o:p></o:p></span></li>
</ol>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><span
lang="en-SE"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE">Good
point, and maybe the word “contract” is too much
here?</span><span lang="en-SE"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE">Although
I would note this language is already part of the
“Certificate Beneficiaries” definition right now.</span><span
lang="en-SE"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><span
lang="en-SE"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE">I’m
open for a different suggestion </span><span
lang="en-SE"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><span
lang="en-SE"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="en-SE">From:</span></b><span
lang="en-SE"> Tim Hollebeek <<a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">tim.hollebeek@digicert.com</a>>
<br>
<b>Sent:</b> Friday, 15 July 2022 18:18<br>
<b>To:</b> Martijn Katerbarg <<a
href="mailto:martijn.katerbarg@sectigo.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">martijn.katerbarg@sectigo.com</a>>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> RE: [Cscwg-public] Proposal to
make changes to revocation based on malware<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="en-SE"> <o:p></o:p></span></p>
<div style="border:solid black 1.0pt;padding:2.0pt 2.0pt
2.0pt 2.0pt">
<p class="MsoNormal"
style="line-height:12.0pt;background:#FAFA03"><span
style="font-size:10.0pt;color:black" lang="en-SE">CAUTION:
This email originated from outside of the
organization. Do not click links or open
attachments unless you recognize the sender and
know the content is safe.</span><span lang="en-SE"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="en-SE"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="en-SE">What is the
motivation for allowing a waiver if approved by
just “at least one” of the stakeholders, instead
of all of them?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE">I’m a bit
concerned that language might be increasingly
troublesome as we continue to expand the scope and
participation of this group.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE">Similarly, I’m
unsure how I feel about making compliance
distinctions based on whether a particular root
program has decided to have a contractual
relationship with its issuers or not. That seems
like an implementation detail of the relationship
that the guidelines should remain silent on. But
I appreciate what that definition is intended to
do, and would like to perhaps find a different way
to express the same intent.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE">-Tim<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE"> <o:p></o:p></span></p>
<div style="border:none;border-left:solid blue
1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="en-SE">From:</span></b><span
lang="en-SE"> Cscwg-public <<a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Martijn Katerbarg via
Cscwg-public<br>
<b>Sent:</b> Monday, June 27, 2022 10:04 AM<br>
<b>To:</b> <a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [Cscwg-public] Proposal to
make changes to revocation based on malware<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="en-SE"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE">All,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE">As already
hinted during the last meeting during the F2F,
Ian and I, have been working on a proposal
affecting the guidelines regarding malware based
revocation.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE">The intent
of this change is to:<o:p></o:p></span></p>
<ol style="margin-top:0cm" type="1" start="1">
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l4 level1 lfo10"><span
lang="en-SE">Limit the number of days before a
certificate needs to be revoked, especially
when the subscriber is not responding to
inquiries<o:p></o:p></span></li>
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l4 level1 lfo10"><span
lang="en-SE">Remove the OCSP log analysis
requirements<o:p></o:p></span></li>
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l4 level1 lfo10"><span
lang="en-SE">Simplify the process that has to
be followed<o:p></o:p></span></li>
</ol>
<p class="MsoNormal"><span lang="en-SE"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE">I have
attached 3 documents: one with the current
language, one with the proposed language, as
well as a redlined version.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE">The changes
have been made based on upcoming version 3.0 of
the CSCBRs. In case you wish to compare with
version 2.8, the relevant section is 13.1.5.3.
Besides to that section, there is also a change
to the “Suspect Code” definition, as well as a
new definition in the proposal.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE">Once <a
href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fcode-signing%2Fpull%2F6&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7Cf2e920d96a194144e92408da9fa588be%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637997830583026640%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=n4OEwF2wENZcybrM2xDM9EydxteMCnk3hFjz4ppMXM4%3D&reserved=0"
moz-do-not-send="true">PR6</a> has been
merged, I will also prepare the changes in GIT
for those that prefer comparing there.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="en-SE">Looking
forward to comments to this and move towards a
potential ballot.<br>
<br>
Regards,<br>
<br>
Martijn<o:p></o:p></span></p>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><i><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif" lang="en-SE">Any email and
files/attachments transmitted with it are
confidential and are intended solely for the use of
the individual or entity to whom they are addressed.
If this message has been sent to you in error, you
must not copy, distribute or disclose of the
information it contains. <u>Please notify Entrust
immediately</u> and delete the message from your
system.</span></i><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif" lang="en-SE"> <o:p></o:p></span></p>
<pre><span lang="en-SE">_______________________________________________<o:p></o:p></span></pre>
<pre><span lang="en-SE">Cscwg-public mailing list<o:p></o:p></span></pre>
<pre><span lang="en-SE"><a href="mailto:Cscwg-public@cabforum.org" moz-do-not-send="true" class="moz-txt-link-freetext">Cscwg-public@cabforum.org</a><o:p></o:p></span></pre>
<pre><span lang="en-SE"><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fcscwg-public&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7Cf2e920d96a194144e92408da9fa588be%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637997830583026640%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=hiC5LDgFoTgEPpgOQvckJAi9u5LIynfoW8ZljlmlWxU%3D&reserved=0" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a><o:p></o:p></span></pre>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif" lang="en-SE"><o:p> </o:p></span></p>
</div>
</div>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Cscwg-public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/cscwg-public">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a>
</pre>
</blockquote>
<br>
</body>
</html>