<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 24/1/2023 11:47 π.μ., Martijn
Katerbarg wrote:<br>
</div>
<blockquote type="cite"
cite="mid:MW5PR17MB60125A7CF879ED400239DFB1E3C99@MW5PR17MB6012.namprd17.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US">Thanks for the proposal Dimitris.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US">I have a few remarks on this:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US">“<i>The CA SHALL request the Subscriber to
respond with an impact assessment of affected Relying
Parties if the revocation date is set before the time that
the Private Key became compromised or likely used to sign
Suspect Code, and to state the associated Application
Software Supplier(s).”</i><br>
I’d like to propose we change this into:<br>
“<i>The CA SHALL request the Subscriber to respond with an
acknowledgement and SHOULD request the Subscriber to
respond with an impact assessment of affected Relying
Parties if the revocation date is set before the time that
the Private Key became compromised or likely used to sign
Suspect Code, and to state the associated Application
Software Supplier(s).</i>”<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US">This offers CAs the option not to request an
impact assessment if they deem the evidence clear enough
to warrant revocation right away. </span></p>
</div>
</blockquote>
<br>
There is nothing preventing the CA from revoking a certificate right
away. Revoking a certificate <b>at current time</b> has absolutely
no impact on existing signed malware. The impact assessment affects
cases of backdating the revocation. I'm afraid this "SHOULD" is just
going to be ignored, unless you feel that the CA has enough evidence
to backdate revoke a certificate and does not want to wait for an
impact assessment of affected Relying Parties by the Subscriber. If
it's the latter, I agree but we need to write it a bit more clearly.<br>
<br>
<blockquote type="cite"
cite="mid:MW5PR17MB60125A7CF879ED400239DFB1E3C99@MW5PR17MB6012.namprd17.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US">I’m also wondering on the interpretation of the
following 2 clauses:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US">“<i>2. Based on the feedback received, the CA
MAY determine a more appropriate revocation date to be
associated with the revocation of the Certificate.<o:p></o:p></i></span></p>
<p class="MsoNormal"><i><span style="mso-fareast-language:EN-US"
lang="EN-US">3. The CA SHALL revoke the Certificate within
7 days after the CA received the Certificate Problem
Report.</span></i><span style="mso-fareast-language:EN-US"
lang="EN-US">”<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US">I like to think this means that even with a
plan submitted to the Application Software Suppliers,
revocation MUST occur no later than 7 days after the CPR was
received. Is that what you also intend here?</span></p>
</div>
</blockquote>
<br>
Yes. 7 days seem reasonable to pause the revocation process waiting
for a response from the Application Software Supplier but IMO no
more than that.<br>
<br>
<blockquote type="cite"
cite="mid:MW5PR17MB60125A7CF879ED400239DFB1E3C99@MW5PR17MB6012.namprd17.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"><br>
In my opinion that should be the maximum time before
revocation needs to happen, however, it feels like the whole
impact assessment may be a lot of work for a Subscriber, in
order to only get 48 hours of extra time before a revocation
needs to happen (Although to be fair these may be the very
few edge cases, for which it could be useful). <br>
<br>
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US">Thoughts?</span></p>
</div>
</blockquote>
<br>
We may need some more feedback from CAs that have actually
experienced such cases. From my perspective, 48 hours for a quick
impact assessment seems reasonable considering the impact of a
malware to millions of users worldwide that could be stopped by a
single backdate revocation action from the CA.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<blockquote type="cite"
cite="mid:MW5PR17MB60125A7CF879ED400239DFB1E3C99@MW5PR17MB6012.namprd17.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="en-SE"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Cscwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:cscwg-public-bounces@cabforum.org">&lt;cscwg-public-bounces@cabforum.org&gt;</a> <b>On Behalf
Of </b>Dimitris Zacharopoulos (HARICA) via
Cscwg-public<br>
<b>Sent:</b> Thursday, 15 December 2022 14:27<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] Proposal to make
changes to revocation based on malware<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt
2.0pt">
<p class="MsoNormal"
style="line-height:12.0pt;background:#FAFA03"><span
style="font-size:10.0pt;color:black">CAUTION: This email
originated from outside of the organization. Do not click
links or open attachments unless you recognize the sender
and know the content is safe.<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 12/15/2022 11:59 AM, Martijn Katerbarg
via Cscwg-public wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US">All,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US">We had a good discussion on the malware
proposal during the last call. I believe we’re nearly
there. Trevoli and Tim you had suggestions (and thank you
Dean for spelling it out in the minutes!) to make it more
clear and also allow for the exceptional cases where
revoking a CS cert would do more damage than not. <br>
<br>
Based on this, it seems we were leaning into making the
following changes:</span><o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"><br>
Change:</span><o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"> a. If the Subscriber responds within 72
hours, the CA and Subscriber MAY determine a "reasonable
date" to revoke the certificate. The revocation date MUST
NOT be more than 7 calendar days after the CA received the
Certificate Problem Report.<br>
Into:<br>
a. If the Subscriber responds within 72 hours, the CA
MAY determine a "reasonable date" to revoke the
certificate. The CA:</span><o:p></o:p></p>
<p class="MsoListParagraph"
style="margin-left:54.0pt;text-indent:-18.0pt;mso-list:l1
level1 lfo1"><!--[if !supportLists]--><span
style="mso-list:Ignore">1.<span style="font:7.0pt
"Times New Roman""> </span></span><!--[endif]--><span
style="mso-fareast-language:EN-US" lang="EN-US">MUST
revoke the certificate no later than 7 calendar days after
the CA received the Certificate Problem Report; or,</span><o:p></o:p></p>
<p class="MsoListParagraph"
style="margin-left:54.0pt;text-indent:-18.0pt;mso-list:l1
level1 lfo1"><!--[if !supportLists]--><span
style="mso-list:Ignore">2.<span style="font:7.0pt
"Times New Roman""> </span></span><!--[endif]--><span
style="mso-fareast-language:EN-US" lang="EN-US">MUST
submit a plan for revocation to all Application Software
Suppliers based on discussions with the Subscriber no
later than 7 calendar days after the CA received the
Certificate Problem Report</span><o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"><br>
Thoughts on this?<br>
The one thought I have on this is, are Application
Software Suppliers (i.e. Certificate Consumers, but that’s
not a CSCBR defined term) willing to take on these plans
and provide responses to the CA? <br>
Cause if they don’t, it seems we again have a loophole in
which revocation can be done much later based upon
subscriber request…</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><br>
I have the same concerns with the second bullet. And how do
we determine "all" Suppliers? CAs have no visibility on
Relying Party software.<br>
<br>
I believe that the reason to "contact negatively-affected
Application Software Suppliers" is to determine the proper
"reasonable date" that would invalidate the malware
signatures and not affect other "good signatures" that would
have a significant impact on Relying Parties. If there is no
response from the Application Software Supplier, the CA
should revoke with a "reasonable date" based on its
investigation at the time.<br>
<br>
Please take a look at the following proposal. I'd appreciate
feedback and language improvements to describe the process
accurately and safely in order to protect Relying Parties
from executing Suspect Code as much as possible. Worst case,
CAs will revoke the Certificate with a revocation date set
at the time of the revocation event which does not affect
any previously signed code, including the Suspect Code which
will be executed successfully by Relying Parties even after
the revocation of the Certificate.<o:p></o:p></span></p>
<h4><i>4.9.1.3 Revocation Based on Reported or Detected
Compromise or Use in Suspect Code</i><o:p></o:p></h4>
<p><i>Except for cases that fall under Section 4.9.1.1, if,
while investigating a Certificate Problem Report, the CA
determines the Subscriber's Private Key is compromised or
likely being used for Suspect Code, the CA SHALL revoke the
corresponding Code Signing Certificate in accordance with
and within the following maximum time frames. Nothing herein
prohibits a CA from revoking a Code Signing Certificate
prior to these time frames.</i><o:p></o:p></p>
<ol type="1" start="1">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2
level1 lfo6"><i><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif">The CA SHALL contact the Subscriber
within 24 hours after the CA received the Certificate
Problem Report, notifying that the Certificate is
scheduled to be revoked with a revocation date set
before the time that the Private Key became compromised
or likely used to sign Suspect Code. This revocation
date is set in the past to prevent Relying Parties from
executing Suspect Code signed with the affected Code
Signing Certificate.</span></i><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><o:p></o:p></span></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2
level1 lfo6"><i><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif">The CA SHALL request the Subscriber
to respond with an impact assessment of affected Relying
Parties if the revocation date is set before the time
that the Private Key became compromised or likely used
to sign Suspect Code, and to state the associated
Application Software Supplier(s).</span></i><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><o:p></o:p></span></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2
level1 lfo6"><i><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif">The CA SHALL request the Subscriber
to respond to the CA within 72 hours of the CA sending
the notification. </span></i><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><o:p></o:p></span></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2
level1 lfo6"><i><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif">If the Subscriber responds within 72
hours, </span></i><i><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif;mso-fareast-language:EN-US"
lang="EN-US">then based on the Subscriber's impact
assessment:</span></i><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><o:p></o:p></span></li>
<ol type="1" start="1">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2
level2 lfo6"><i><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif;mso-fareast-language:EN-US"
lang="EN-US">the CA MAY submit a revocation plan to
associated Application Software Suppliers no later
than 7 calendar days after the CA received the
Certificate Problem Report. The revocation plan:</span></i><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><o:p></o:p></span></li>
<ol type="1" start="1">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2
level3 lfo6"><i><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif;mso-fareast-language:EN-US"
lang="EN-US">SHALL contain informing about the
planned revocation date to be set for the
to-be-revoked Certificate; and</span></i><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><o:p></o:p></span></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2
level3 lfo6"><i><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif;mso-fareast-language:EN-US"
lang="EN-US">SHALL request suggestions for a "more
appropriate" revocation date in case the proposed
revocation date has a significant impact on Relying
Parties associated with that particular Application
Software Supplier. </span></i><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><o:p></o:p></span></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2
level3 lfo6"><i><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif;mso-fareast-language:EN-US"
lang="EN-US">The CA SHALL request the Application
Software Supplier to respond within 72 hours.</span></i><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><o:p></o:p></span></li>
</ol>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2
level2 lfo6"><i><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif;mso-fareast-language:EN-US"
lang="EN-US">Based on the feedback received, the CA
MAY determine a more appropriate revocation date to be
associated with the revocation of the Certificate.</span></i><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><o:p></o:p></span></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2
level2 lfo6"><i><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif">The CA SHALL revoke the Certificate
within 7 days after the CA received the Certificate
Problem Report.</span></i><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><o:p></o:p></span></li>
</ol>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2
level1 lfo6"><i><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif">If the CA does not receive a response
from the Subscriber, then the CA SHALL revoke the
Certificate within 24 hours from the end of the response
period.</span></i><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><o:p></o:p></span></li>
</ol>
<p><i>A CA revoking a Certificate because the Certificate was
associated with signed Suspect Code or other fraudulent or
illegal conduct SHOULD provide all relevant information and
risk indicators to other CAs, Application Software
Suppliers, or industry groups. The CA SHOULD contact the
Application Software Suppliers within 24 hours after the CA
received the Certificate Problem Report.</i><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><br>
Thanks,<br>
Dimitris.<br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US">Note: I won’t be able to attend today’s call,
but feel free to discuss.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"
lang="en-SE"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Cscwg-public <a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true">&lt;cscwg-public-bounces@cabforum.org&gt;</a>
<b>On Behalf Of </b>Dimitris Zacharopoulos (HARICA)
via Cscwg-public<br>
<b>Sent:</b> Tuesday, 29 November 2022 10:13<br>
<b>To:</b> <a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] Proposal to make
changes to revocation based on malware</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New Roman
\,serif""> </span><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">On 28/11/2022 2:50 μ.μ., Martijn
Katerbarg via Cscwg-public wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="EN-US">All, </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="EN-US">I just
pushed a new commit (<a
href="https://github.com/cabforum/code-signing/pull/10/commits/8e7e3b4e57960994edea267f0e753358aad99574"
moz-do-not-send="true">https://github.com/cabforum/code-signing/pull/10/commits/8e7e3b4e57960994edea267f0e753358aad99574</a>)
based on the discussions and comments I’ve had and
received. </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE">The
complete ballot “redline” in GitHub is available for
review on </span><span
style="mso-fareast-language:EN-US" lang="EN-US"><a
href="https://github.com/cabforum/code-signing/pull/10/files"
moz-do-not-send="true">https://github.com/cabforum/code-signing/pull/10/files</a></span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman \,serif""><br>
If the CA confirms that a Subscriber has signed "Suspect
Code", how would the group feel with a proposal to
require CAs to <b>backdate revoke</b> the Code Signing
Certificate to a date and time that would neutralize the
Suspect Code? If this date and time is unlikely to be
determined, backdate revoke 1'' after the notBefore date
and time of the Code Signing Certificate?<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<br>
<br>
<br>
</span><o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Cscwg-public <a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true">&lt;cscwg-public-bounces@cabforum.org&gt;</a>
<b>On Behalf Of </b>Martijn Katerbarg via
Cscwg-public<br>
<b>Sent:</b> Monday, 26 September 2022 11:58<br>
<b>To:</b> Dimitris Zacharopoulos (HARICA) <a
href="mailto:dzacharo@harica.gr"
moz-do-not-send="true">&lt;dzacharo@harica.gr&gt;</a>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] Proposal to
make changes to revocation based on malware</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif" lang="en-SE"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="EN-US">Thank
you Dimitris. That makes sense. I’ve pushed an
update to the draft-PR</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> Cscwg-public <<a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Dimitris Zacharopoulos
(HARICA) via Cscwg-public<br>
<b>Sent:</b> Friday, 23 September 2022 18:47<br>
<b>To:</b> <a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] Proposal to
make changes to revocation based on malware</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif" lang="en-SE"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span lang="en-SE">I posted some
proposed changes for consistency and accuracy.</span><o:p></o:p></p>
<ol type="1" start="1">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
level1 lfo3"><span lang="en-SE"><a
href="https://github.com/cabforum/code-signing/pull/10#pullrequestreview-1118760785"
moz-do-not-send="true">https://github.com/cabforum/code-signing/pull/10#pullrequestreview-1118760785</a></span><o:p></o:p></li>
</ol>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
lang="en-SE"><br>
Thanks,<br>
Dimitris.</span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span lang="en-SE">On 23/9/2022
3:55 μ.μ., Bruce Morton via Cscwg-public wrote:</span><o:p></o:p></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="en-SE">Hi Martijn,</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">I will
endorse the ballot.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">Thanks,
Bruce.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="en-SE">From:</span></b><span
lang="en-SE"> Cscwg-public <a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true">&lt;cscwg-public-bounces@cabforum.org&gt;</a>
<b>On Behalf Of </b>Martijn Katerbarg via
Cscwg-public<br>
<b>Sent:</b> Friday, September 23, 2022 3:44
AM<br>
<b>To:</b> <a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] Re:
[Cscwg-public] Proposal to make changes to
revocation based on malware</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">WARNING:
This email originated outside of Entrust.<br>
DO NOT CLICK links or attachments unless you
trust the sender and know the content is safe.</span><o:p></o:p></p>
<div class="MsoNormal" style="text-align:center"
align="center"><span lang="en-SE">
<hr width="100%" size="1" align="center"></span></div>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE">All,</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE">As
discussed on yesterday’s call, the latest changes
which Tim and I were discussing are pushed into
Github. </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE">The
complete change can be found at <a
href="https://github.com/cabforum/code-signing/pull/10/files"
moz-do-not-send="true">https://github.com/cabforum/code-signing/pull/10/files</a>
for review.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE">Bruce,
Ian, since I earlier had your endorsements,
please let me know if they still stand. The
changes since the endorsements, are captured in
<a
href="https://github.com/cabforum/code-signing/pull/10/commits/90fa38ab4dc5e5f9b25fce844b750d693f7256b7"
moz-do-not-send="true">https://github.com/cabforum/code-signing/pull/10/commits/90fa38ab4dc5e5f9b25fce844b750d693f7256b7</a></span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE">If
there are no other comments, then hopefully we
can start a ballot process on this.</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="mso-fareast-language:EN-US" lang="en-SE"><br>
Regards,</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE">Martijn</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US" lang="en-SE"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="en-SE">From:</span></b><span
lang="en-SE"> Cscwg-public <<a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Martijn Katerbarg via
Cscwg-public<br>
<b>Sent:</b> Tuesday, 19 July 2022 09:22<br>
<b>To:</b> Tim Hollebeek <<a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">tim.hollebeek@digicert.com</a>>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] Proposal
to make changes to revocation based on
malware</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span lang="en-SE">Thanks
Tim,</span><o:p></o:p></p>
<p class="MsoNormal"
style="margin-left:36.0pt;text-indent:-18.0pt"><span
lang="en-SE"> </span><o:p></o:p></p>
<ol style="margin-top:0cm" type="1" start="1">
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l5 level1
lfo4"><span lang="en-SE">What is the
motivation for allowing a waiver if approved
by just “at least one” of the stakeholders,
instead of all of them?</span><o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l5 level1
lfo4"><span lang="en-SE">I’m a bit concerned
that language might be increasingly
troublesome as we continue to expand the
scope and participation of this group.</span><o:p></o:p></li>
</ol>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">I believe
it might be difficult to get approval from all
stakeholders within a certain amount of time,
meaning the CA would possibly never get all
approvals, and never be able to utilize the
waiver. </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">Considering
that signed code is often (but not
exclusively) targeted for a specific platform,
stakeholders of other platforms might not be
inclined to give approval for something that
does not even affect them. </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">I do share
your concern, but I also don’t see a better
path towards the same goal.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<ol style="margin-top:0cm" type="1" start="3">
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l5 level1
lfo4"><span lang="en-SE">Similarly, I’m unsure
how I feel about making compliance
distinctions based on whether a particular
root program has decided to have a
contractual relationship with its issuers or
not. That seems like an implementation
detail of the relationship that the
guidelines should remain silent on. But I
appreciate what that definition is intended
to do, and would like to perhaps find a
different way to express the same intent.</span><o:p></o:p></li>
</ol>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US"
lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US"
lang="en-SE">Good point, and maybe the word
“contract” is too much here?</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US"
lang="en-SE">Although I would note this
language is already part of the “Certificate
Beneficiaries” definition right now.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US"
lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US"
lang="en-SE">I’m open to a different
suggestion </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="mso-fareast-language:EN-US"
lang="en-SE"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="en-SE">From:</span></b><span
lang="en-SE"> Tim Hollebeek <<a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">tim.hollebeek@digicert.com</a>>
<br>
<b>Sent:</b> Friday, 15 July 2022 18:18<br>
<b>To:</b> Martijn Katerbarg <<a
href="mailto:martijn.katerbarg@sectigo.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">martijn.katerbarg@sectigo.com</a>>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> RE: [Cscwg-public]
Proposal to make changes to revocation
based on malware</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span lang="en-SE">What is
the motivation for allowing a waiver if
approved by just “at least one” of the
stakeholders, instead of all of them?</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">I’m a
bit concerned that language might be
increasingly troublesome as we continue to
expand the scope and participation of this
group.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">Similarly,
I’m unsure how I feel about making
compliance distinctions based on whether a
particular root program has decided to have
a contractual relationship with its issuers
or not. That seems like an implementation
detail of the relationship that the
guidelines should remain silent on. But I
appreciate what that definition is intended
to do, and would like to perhaps find a
different way to express the same intent.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">-Tim</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<div style="border:none;border-left:solid blue
1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid
#E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="en-SE">From:</span></b><span
lang="en-SE"> Cscwg-public <<a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Martijn Katerbarg
via Cscwg-public<br>
<b>Sent:</b> Monday, June 27, 2022
10:04 AM<br>
<b>To:</b> <a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [Cscwg-public]
Proposal to make changes to revocation
based on malware</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">All,</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">As
already hinted during the last meeting
during the F2F, Ian and I have been
working on a proposal affecting the
guidelines regarding malware-based
revocation.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">The
intent of this change is to:</span><o:p></o:p></p>
<ol style="margin-top:0cm" type="1" start="1">
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l4 level1
lfo5"><span lang="en-SE">Limit the number
of days before a certificate needs to be
revoked, especially when the subscriber
is not responding to inquiries</span><o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l4 level1
lfo5"><span lang="en-SE">Remove the OCSP
log analysis requirements</span><o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l4 level1
lfo5"><span lang="en-SE">Simplify the
process that has to be followed</span><o:p></o:p></li>
</ol>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">I have
attached 3 documents: one with the current
language, one with the proposed language,
as well as a redlined version.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">The
changes have been made based on the upcoming
version 3.0 of the CSCBRs. In case you
wish to compare with version 2.8, the
relevant section is 13.1.5.3. Besides
that section, there is also a change to
the “Suspect Code” definition, as well as
a new definition in the proposal.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">Once <a
href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fcode-signing%2Fpull%2F6&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7Cac3b5415ec5b408303cf08dadea00c1d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638067076260946675%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=KWTNQAJF4EtXCjtfgtFDvLKfUcDMPQsc%2B%2FgzZSLrM90%3D&reserved=0"
moz-do-not-send="true">PR6</a> has been
merged, I will also prepare the changes in
Git for those that prefer comparing there.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="en-SE">Looking
forward to comments on this and moving
towards a potential ballot.<br>
<br>
Regards,<br>
<br>
Martijn</span><o:p></o:p></p>
</div>
</div>
</div>
<pre><span lang="en-SE">_______________________________________________</span><o:p></o:p></pre>
<pre><span lang="en-SE">Cscwg-public mailing list</span><o:p></o:p></pre>
<pre><span lang="en-SE"><a href="mailto:Cscwg-public@cabforum.org" moz-do-not-send="true" class="moz-txt-link-freetext">Cscwg-public@cabforum.org</a></span><o:p></o:p></pre>
<pre><span lang="en-SE"><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fcscwg-public&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7Cac3b5415ec5b408303cf08dadea00c1d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638067076260946675%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=bi1rZrMtEAphm5Kf0Cd%2F%2FcRd884opEaeep2XZ1xconQ%3D&reserved=0" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a></span><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif" lang="en-SE"> </span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman \,serif""><br>
<br>
<br>
</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman \,serif""> </span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><br>
<br>
<o:p></o:p></span></p>
</blockquote>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><o:p> </o:p></span></p>
</div>
</div>
</blockquote>
<br>
</body>
</html>