<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 12/15/2022 11:59 AM, Martijn
Katerbarg via Cscwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:010001851539d34e-6f3fa2a0-ec36-4c15-b176-5d3ac91cbdd6-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US">All,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US">We had a good discussion on the malware
proposal during the last call. I believe we’re nearly there.
Trevoli and Tim, you had suggestions (and thank you Dean for
spelling it out in the minutes!) to make it more clear and
also allow for the exceptional cases where revoking a CS
cert would do more damage than not. <br>
<br>
Based on this, it seems we were leaning into making the
following changes:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"><br>
Change:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"> a. If the Subscriber responds within 72
hours, the CA and Subscriber MAY determine a "reasonable
date" to revoke the certificate. The revocation date MUST
NOT be more than 7 calendar days after the CA received the
Certificate Problem Report.<br>
Into:<br>
a. If the Subscriber responds within 72 hours, the CA
MAY determine a "reasonable date" to revoke the certificate.
The CA:<o:p></o:p></span></p>
<ul style="margin-top:0cm" type="disc">
<li class="MsoListParagraph"
style="margin-left:18.0pt;mso-list:l6 level1 lfo11"><span
style="mso-fareast-language:EN-US" lang="EN-US">MUST
revoke the certificate no later than 7 calendar days after
the CA received the Certificate Problem Report; or,<o:p></o:p></span></li>
<li class="MsoListParagraph"
style="margin-left:18.0pt;mso-list:l6 level1 lfo11"><span
style="mso-fareast-language:EN-US" lang="EN-US">MUST
submit a plan for revocation to all Application Software
Suppliers based on discussions with the Subscriber no
later than 7 calendar days after the CA received the
Certificate Problem Report<o:p></o:p></span></li>
</ul>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"><br>
Thoughts on this?<br>
The one thought I have on this is, are Application Software
Suppliers (i.e. Certificate Consumers, but that’s not a CSCBR
defined term) willing to take on these plans and provide
responses to the CA? <br>
Cause if they don’t, it seems we again have a loophole in
which revocation can be done much later based upon
subscriber request…</span></p>
</div>
</blockquote>
<br>
I have the same concerns with the second bullet. And how do we
determine "all" Suppliers? CAs have no visibility on Relying Party
software.<br>
<br>
I believe that the reason to "contact negatively-affected
Application Software Suppliers" is to determine the proper
"reasonable date" that would invalidate the malware signatures and
not affect other "good signatures" that would have a significant
impact on Relying Parties. If there is no response from the
Application Software Supplier, the CA should revoke with a
"reasonable date" based on its investigation at the time.<br>
<br>
Please take a look at the following proposal. I'd appreciate
feedback and language improvements to describe the process
accurately and safely in order to protect Relying Parties from
executing Suspect Code as much as possible. Worst case, CAs will
revoke the Certificate with a revocation date set at the time of the
revocation event, which does not affect any previously signed code,
including the Suspect Code, which will be executed successfully by
Relying Parties even after the revocation of the Certificate.<br>
<br>
<h4 dir="auto"><i>4.9.1.3 Revocation Based on Reported or Detected
Compromise or Use in Suspect Code</i></h4>
<p dir="auto"><i>Except for cases that fall under Section 4.9.1.1,
if, while investigating a Certificate Problem Report, the CA
determines the Subscriber's Private Key is compromised or likely
being used for Suspect Code, the CA SHALL revoke the
corresponding Code Signing Certificate in accordance with and
within the following maximum time frames. Nothing herein
prohibits a CA from revoking a Code Signing Certificate prior to
these time frames.</i></p>
<ol dir="auto">
<li><i>The CA SHALL contact the Subscriber within 24 hours after
the CA received the Certificate Problem Report, notifying that
the Certificate is scheduled to be revoked with a revocation
date set before the time that the Private Key became
compromised or likely used to sign Suspect Code. This
revocation date is set in the past to prevent Relying Parties
from executing Suspect Code signed with the affected Code
Signing Certificate.</i></li>
<li><i>The CA SHALL request the Subscriber to respond with an
impact assessment of affected Relying Parties if the
revocation date is set before the time that the
Private Key became compromised or likely used to sign Suspect
Code, and to state the associated Application Software
Supplier(s).</i></li>
<li><i>The CA SHALL request the Subscriber to respond to the CA
within 72 hours of the CA sending the notification.</i></li>
<li><i>If the Subscriber responds within 72 hours, then based
on the Subscriber's impact assessment:</i>
<ol>
<li><i>the CA MAY submit a revocation plan to associated Application
Software Suppliers no later than 7 calendar days after the
CA received the Certificate Problem Report. The revocation
plan:</i>
<ol>
<li><i>SHALL contain information about the planned revocation date to
be set for the to-be-revoked Certificate; and</i></li>
<li><i>SHALL request suggestions for a "more appropriate" revocation
date in case the proposed revocation date has a
significant impact on Relying Parties associated with
that particular Application Software Supplier.</i></li>
<li><i>The CA SHALL request the Application Software Supplier to
respond within 72 hours.</i></li>
</ol>
</li>
<li><i>Based on the feedback received, the CA MAY determine a more
appropriate revocation date to be associated with the
revocation of the Certificate.</i></li>
<li><i>The CA SHALL revoke the Certificate within 7 days after
the CA received the Certificate Problem Report.</i></li>
</ol>
</li>
<li><i>If the CA does not receive a response from the Subscriber,
then the CA SHALL revoke the Certificate within 24 hours from
the end of the response period.</i></li>
</ol>
<p dir="auto"><i>A CA revoking a Certificate because the Certificate
was associated with signed Suspect Code or other fraudulent or
illegal conduct SHOULD provide all relevant information and risk
indicators to other CAs, Application Software Suppliers, or
industry groups. The CA SHOULD contact the Application Software
Suppliers within 24 hours after the CA received the Certificate
Problem Report.</i></p>
<br>
Thanks,<br>
Dimitris.<br>
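<p>The deadlines in the draft above, and the effect of the revocation-date choice it discusses, as an added worked example (this code is not part of the thread or of the CSCBR text). It assumes the step deadlines exactly as the draft lists them, and that a Relying Party keeps trusting a timestamped signature only when its signing time is earlier than the certificate's revocation date.</p>

```python
"""Timeline model for the draft 4.9.1.3 text above.

Added example, not code from the thread or the CSCBR ballot.  Assumptions:
the step deadlines are exactly those listed in the draft, and a Relying
Party keeps trusting a timestamped signature only if the signing time is
earlier than the certificate's revocation date (the behaviour the thread
relies on when it discusses backdating).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Deadlines:
    contact_subscriber_by: datetime   # step 1: 24h after the Problem Report
    subscriber_response_by: datetime  # step 3: 72h after the CA's notification
    plan_to_suppliers_by: datetime    # step 4.1: 7 calendar days after the report
    revoke_by: datetime               # step 4.3 (responded) or step 5 (no response)


def deadlines(cpr_received: datetime, notification_sent: datetime,
              subscriber_responded: bool) -> Deadlines:
    """Maximum time frames of the draft for one Certificate Problem Report."""
    response_by = notification_sent + timedelta(hours=72)
    if subscriber_responded:
        # Step 4.3: revoke within 7 days of the report, whatever plan was
        # discussed with the Application Software Suppliers in between.
        revoke_by = cpr_received + timedelta(days=7)
    else:
        # Step 5: revoke within 24h of the end of the 72h response period.
        revoke_by = response_by + timedelta(hours=24)
    return Deadlines(
        contact_subscriber_by=cpr_received + timedelta(hours=24),
        subscriber_response_by=response_by,
        plan_to_suppliers_by=cpr_received + timedelta(days=7),
        revoke_by=revoke_by,
    )


def backdated_revocation_date(compromise_time: Optional[datetime],
                              not_before: datetime) -> datetime:
    """Step 1: a revocation date set before the compromise / first Suspect Code
    signature.  If that moment cannot be determined, use the fallback from the
    earlier message in the thread: one second after the certificate's notBefore."""
    if compromise_time is None:
        return not_before + timedelta(seconds=1)
    return compromise_time - timedelta(seconds=1)


def signature_still_trusted(signing_time: datetime, revocation_date: datetime) -> bool:
    """Assumed Relying Party rule: a timestamped signature survives revocation
    only when it was made before the revocation date."""
    return signing_time < revocation_date


def compare_policies(signatures: Dict[str, datetime], compromise_time: Optional[datetime],
                     not_before: datetime, revocation_event: datetime) -> Dict[str, Dict[str, bool]]:
    """Trust outcome per signature for the two choices the thread contrasts:
    backdating versus dating the revocation at the revocation event."""
    dates = {
        "backdated": backdated_revocation_date(compromise_time, not_before),
        "at_revocation_event": revocation_event,
    }
    return {policy: {name: signature_still_trusted(t, rd) for name, t in signatures.items()}
            for policy, rd in dates.items()}


# Constructed sample timeline (not taken from the thread).
NOT_BEFORE = datetime(2022, 1, 1, tzinfo=UTC)
COMPROMISE = datetime(2022, 9, 1, 12, 0, tzinfo=UTC)
SIGNATURES = {
    "legitimate_installer": datetime(2022, 6, 15, tzinfo=UTC),  # signed before compromise
    "suspect_code": datetime(2022, 9, 3, 8, 30, tzinfo=UTC),    # signed with the stolen key
}
CPR_RECEIVED = datetime(2022, 12, 1, 9, 0, tzinfo=UTC)
NOTIFICATION_SENT = datetime(2022, 12, 1, 15, 0, tzinfo=UTC)

if __name__ == "__main__":
    d = deadlines(CPR_RECEIVED, NOTIFICATION_SENT, subscriber_responded=False)
    print("silent subscriber, revoke by:", d.revoke_by.isoformat())
    # Backdating keeps the legitimate installer trusted and cuts off the Suspect
    # Code; dating the revocation at the event leaves both trusted.
    for policy, outcome in compare_policies(SIGNATURES, COMPROMISE, NOT_BEFORE, d.revoke_by).items():
        print(policy, outcome)
```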
<blockquote type="cite"
cite="mid:010001851539d34e-6f3fa2a0-ec36-4c15-b176-5d3ac91cbdd6-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US">Note: I won’t be able to attend today's call,
but feel free to discuss.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="en-SE"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Cscwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:cscwg-public-bounces@cabforum.org">&lt;cscwg-public-bounces@cabforum.org&gt;</a> <b>On Behalf
Of </b>Dimitris Zacharopoulos (HARICA) via
Cscwg-public<br>
<b>Sent:</b> Tuesday, 29 November 2022 10:13<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] Proposal to make
changes to revocation based on malware<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt
2.0pt">
<p class="MsoNormal"
style="line-height:12.0pt;background:#FAFA03"><span
style="font-size:10.0pt;color:black">CAUTION: This email
originated from outside of the organization. Do not click
links or open attachments unless you recognize the sender
and know the content is safe.<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:'Times New Roman',serif"><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal">On 28/11/2022 2:50 p.m., Martijn
Katerbarg via Cscwg-public wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="EN-US">All, </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="EN-US">I just
pushed a new commit (<a
href="https://github.com/cabforum/code-signing/pull/10/commits/8e7e3b4e57960994edea267f0e753358aad99574"
moz-do-not-send="true">https://github.com/cabforum/code-signing/pull/10/commits/8e7e3b4e57960994edea267f0e753358aad99574</a>)
based on the discussions and comments I’ve had and
received. </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE">The
complete ballot “redline” in GitHub is available for
review on </span><span
style="mso-fareast-language:EN-US" lang="EN-US"><a
href="https://github.com/cabforum/code-signing/pull/10/files"
moz-do-not-send="true">https://github.com/cabforum/code-signing/pull/10/files</a></span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:'Times New Roman',serif"><br>
If the CA confirms that a Subscriber has signed "Suspect
Code", how would the group feel about a proposal to require
CAs to <b>backdate revoke</b> the Code Signing
Certificate to a date and time that would neutralize the
Suspect Code? If this date and time is unlikely to be
determined, backdate revoke 1'' after the notBefore date
and time of the Code Signing Certificate?<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Cscwg-public <a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true">&lt;cscwg-public-bounces@cabforum.org&gt;</a>
<b>On Behalf Of </b>Martijn Katerbarg via
Cscwg-public<br>
<b>Sent:</b> Monday, 26 September 2022 11:58<br>
<b>To:</b> Dimitris Zacharopoulos (HARICA) <a
href="mailto:dzacharo@harica.gr"
moz-do-not-send="true">&lt;dzacharo@harica.gr&gt;</a>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] Proposal to make
changes to revocation based on malware</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="EN-US">Thank
you Dimitris. That makes sense. I’ve pushed an update
to the draft-PR</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Cscwg-public <<a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Dimitris Zacharopoulos
(HARICA) via Cscwg-public<br>
<b>Sent:</b> Friday, 23 September 2022 18:47<br>
<b>To:</b> <a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] Proposal to
make changes to revocation based on malware</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span lang="en-SE">I posted some
proposed changes for consistency and accuracy.</span><o:p></o:p></p>
<ol type="1" start="1">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2
level1 lfo3"><span lang="en-SE"><a
href="https://github.com/cabforum/code-signing/pull/10#pullrequestreview-1118760785"
moz-do-not-send="true">https://github.com/cabforum/code-signing/pull/10#pullrequestreview-1118760785</a></span><o:p></o:p></li>
</ol>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
lang="en-SE"><br>
Thanks,<br>
Dimitris.</span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span lang="en-SE">On 23/9/2022
3:55 p.m., Bruce Morton via Cscwg-public wrote:</span><o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="en-SE">Hi Martijn,</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">I will endorse
the ballot.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">Thanks, Bruce.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="en-SE">From:</span></b><span
lang="en-SE"> Cscwg-public <a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true">&lt;cscwg-public-bounces@cabforum.org&gt;</a>
<b>On Behalf Of </b>Martijn Katerbarg via
Cscwg-public<br>
<b>Sent:</b> Friday, September 23, 2022 3:44
AM<br>
<b>To:</b> <a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] Re: [Cscwg-public]
Proposal to make changes to revocation based
on malware</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE">All,</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE">As
discussed on yesterday's call, the latest changes
which Tim and I were discussing are pushed into
GitHub. </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE">The
complete change can be found at <a
href="https://github.com/cabforum/code-signing/pull/10/files"
moz-do-not-send="true">https://github.com/cabforum/code-signing/pull/10/files</a>
for review.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE">Bruce,
Ian, since I earlier had your endorsements, please
let me know if they still stand. The changes since
the endorsements are captured in <a
href="https://github.com/cabforum/code-signing/pull/10/commits/90fa38ab4dc5e5f9b25fce844b750d693f7256b7"
moz-do-not-send="true">https://github.com/cabforum/code-signing/pull/10/commits/90fa38ab4dc5e5f9b25fce844b750d693f7256b7</a></span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE">If
there are no other comments, then hopefully we can
start a ballot process on this.</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="mso-fareast-language:EN-US" lang="en-SE"><br>
Regards,</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE">Martijn</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="en-SE">From:</span></b><span
lang="en-SE"> Cscwg-public <<a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Martijn Katerbarg via
Cscwg-public<br>
<b>Sent:</b> Tuesday, 19 July 2022 09:22<br>
<b>To:</b> Tim Hollebeek <<a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">tim.hollebeek@digicert.com</a>>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] Proposal to
make changes to revocation based on malware</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span lang="en-SE">Thanks Tim,</span><o:p></o:p></p>
<p class="MsoNormal"
style="margin-left:36.0pt;text-indent:-18.0pt"><span
lang="en-SE"> </span><o:p></o:p></p>
<ol style="margin-top:0cm" type="1" start="1">
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l7 level1 lfo6"><span
lang="en-SE">What is the motivation for
allowing a waiver if approved by just “at
least one” of the stakeholders, instead of all
of them?</span><o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l7 level1 lfo6"><span
lang="en-SE">I’m a bit concerned that language
might be increasingly troublesome as we
continue to expand the scope and participation
of this group.</span><o:p></o:p></li>
</ol>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">I believe it
might be difficult to get approval from all
stakeholders within a certain amount of time,
meaning the CA would possibly never get all
approvals, and never be able to utilize the
waiver. </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">Considering
that signed code is often (but not exclusively)
targeted for a specific platform, stakeholders
of other platforms might not be inclined to give
approval for something that does not even affect
them. </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">I do share
your concern, but I also don’t see a better path
towards the same goal.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<ol style="margin-top:0cm" type="1" start="3">
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l7 level1 lfo6"><span
lang="en-SE">Similarly, I’m unsure how I feel
about making compliance distinctions based on
whether a particular root program has decided
to have a contractual relationship with its
issuers or not. That seems like an
implementation detail of the relationship that
the guidelines should remain silent on. But I
appreciate what that definition is intended to
do, and would like to perhaps find a different
way to express the same intent.</span><o:p></o:p></li>
</ol>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE">Good
point, and maybe the word “contract” is too much
here?</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE">Although
I would note this language is already part of
the “Certificate Beneficiaries” definition right
now.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE">I’m
open for a different suggestion </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="en-SE">From:</span></b><span
lang="en-SE"> Tim Hollebeek <<a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">tim.hollebeek@digicert.com</a>>
<br>
<b>Sent:</b> Friday, 15 July 2022 18:18<br>
<b>To:</b> Martijn Katerbarg <<a
href="mailto:martijn.katerbarg@sectigo.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">martijn.katerbarg@sectigo.com</a>>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> RE: [Cscwg-public] Proposal
to make changes to revocation based on
malware</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span lang="en-SE">What is
the motivation for allowing a waiver if
approved by just “at least one” of the
stakeholders, instead of all of them?</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">I’m a bit
concerned that language might be increasingly
troublesome as we continue to expand the scope
and participation of this group.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">Similarly,
I’m unsure how I feel about making compliance
distinctions based on whether a particular
root program has decided to have a contractual
relationship with its issuers or not. That
seems like an implementation detail of the
relationship that the guidelines should remain
silent on. But I appreciate what that
definition is intended to do, and would like
to perhaps find a different way to express the
same intent.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">-Tim</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<div style="border:none;border-left:solid blue
1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid
#E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="en-SE">From:</span></b><span
lang="en-SE"> Cscwg-public <<a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Martijn Katerbarg
via Cscwg-public<br>
<b>Sent:</b> Monday, June 27, 2022 10:04
AM<br>
<b>To:</b> <a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [Cscwg-public] Proposal
to make changes to revocation based on
malware</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">All,</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">As
already hinted during the last meeting
during the F2F, Ian and I have been working
on a proposal affecting the guidelines
regarding malware based revocation.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">The
intent of this change is to:</span><o:p></o:p></p>
<ol style="margin-top:0cm" type="1" start="1">
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l3 level1
lfo10"><span lang="en-SE">Limit the number
of days before a certificate needs to be
revoked, especially when the subscriber is
not responding to inquiries</span><o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l3 level1
lfo10"><span lang="en-SE">Remove the OCSP
log analysis requirements</span><o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l3 level1
lfo10"><span lang="en-SE">Simplify the
process that has to be followed</span><o:p></o:p></li>
</ol>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">I have
attached 3 documents: one with the current
language, one with the proposed language, as
well as a redlined version.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">The
changes have been made based on upcoming
version 3.0 of the CSCBRs. In case you wish
to compare with version 2.8, the relevant
section is 13.1.5.3. Besides that
section, there is also a change to the
“Suspect Code” definition, as well as a new
definition in the proposal.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">Once <a
href="https://github.com/cabforum/code-signing/pull/6"
moz-do-not-send="true">PR6</a> has been
merged, I will also prepare the changes in
Git for those that prefer comparing there.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">Looking
forward to comments on this and to moving towards
a potential ballot.<br>
<br>
Regards,<br>
<br>
Martijn</span><o:p></o:p></p>
</div>
</div>
</div>
<pre><span lang="en-SE">_______________________________________________</span><o:p></o:p></pre>
<pre><span lang="en-SE">Cscwg-public mailing list</span><o:p></o:p></pre>
<pre><span lang="en-SE"><a href="mailto:Cscwg-public@cabforum.org" moz-do-not-send="true" class="moz-txt-link-freetext">Cscwg-public@cabforum.org</a></span><o:p></o:p></pre>
<pre><span lang="en-SE"><a href="https://lists.cabforum.org/mailman/listinfo/cscwg-public" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a></span><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman ,serif",serif" lang="en-SE"> </span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><br>
<br>
<o:p></o:p></span></p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><o:p> </o:p></span></p>
</div>
</div>
<br>
</blockquote>
<br>
</body>
</html>