<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Calibri Light";
panose-1:2 15 3 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Times New Roman \,serif";}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
h4
{mso-style-priority:9;
mso-style-link:"Heading 4 Char";
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;
font-weight:bold;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
span.Heading4Char
{mso-style-name:"Heading 4 Char";
mso-style-priority:9;
mso-style-link:"Heading 4";
font-family:"Calibri Light",sans-serif;
color:#2F5496;
font-style:italic;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle26
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:113184886;
mso-list-template-ids:1853533598;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1
{mso-list-id:174006136;
mso-list-template-ids:-122286000;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2
{mso-list-id:263464074;
mso-list-template-ids:-723898778;}
@list l2:level1
{mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level2
{mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level3
{mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level4
{mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level5
{mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level6
{mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level7
{mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level8
{mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level9
{mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3
{mso-list-id:285427925;
mso-list-template-ids:-1453698172;}
@list l3:level1
{mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3:level2
{mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3:level3
{mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3:level4
{mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3:level5
{mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3:level6
{mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3:level7
{mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3:level8
{mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3:level9
{mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4
{mso-list-id:375282124;
mso-list-template-ids:2052204190;}
@list l4:level1
{mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4:level2
{mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4:level3
{mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4:level4
{mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4:level5
{mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4:level6
{mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4:level7
{mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4:level8
{mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4:level9
{mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l5
{mso-list-id:634142425;
mso-list-template-ids:2113800954;}
@list l5:level1
{mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l5:level2
{mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l5:level3
{mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l5:level4
{mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l5:level5
{mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l5:level6
{mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l5:level7
{mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l5:level8
{mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l5:level9
{mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l6
{mso-list-id:1774591928;
mso-list-template-ids:1071011360;}
@list l6:level1
{mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l6:level2
{mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l6:level3
{mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l6:level4
{mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l6:level5
{mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l6:level6
{mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l6:level7
{mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l6:level8
{mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l6:level9
{mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=en-SE link="#0563C1" vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:EN-US'>Thank you all for contributing to this discussion. The more I think about it, I’m also of the belief that we may need to split out the difference between a key compromise and Suspect Code. While one can easily lead to the other, it seems different timelines for both, as well as different approaches for the CRL revocation date, may be what we need here.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:EN-US'>That said, I do think it stands to reason to turn this into a complete revocation section overhaul, rather than “just” the suspect code bits. <o:p></o:p></span></p><p class=MsoNormal><span lang=en-SE style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt'>From:</span></b><span lang=EN-US style='font-size:11.0pt'> Ian McMillan <ianmcm@microsoft.com> <br><b>Sent:</b> Thursday, 2 February 2023 21:32<br><b>To:</b> Dimitris Zacharopoulos (HARICA) <dzacharo@harica.gr>; cscwg-public@cabforum.org; Bruce Morton <Bruce.Morton@entrust.com>; Martijn Katerbarg <martijn.katerbarg@sectigo.com><br><b>Subject:</b> RE: [EXTERNAL] Re: [Cscwg-public] Proposal to make changes to revocation based on malware<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div style='border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='line-height:12.0pt;background:#FAFA03'><span lang=EN-US style='color:black'>CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.<o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>Hi Bruce, Dimitris, and Martijn,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>In general, I agree with the most of what is here. Let me provide my perspective to some of the specific items in this thread.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><i><span lang=EN-US style='font-size:11.0pt'>“If the CA has reasonable assurance that a Certificate was used to sign Suspect Code, then the CA shall revoke the Certificate within 24h and set a revocation date to a date and time before the signing of the Suspect Code”<o:p></o:p></span></i></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>I am in support of this statement as it is written and would not like us to get hung up on “reasonable assurance” and trying to define it. CA’s should be given the ability to define that “reasonable assurance” themselves, and if it an incident is out of line with Application Software Supplier’s view they may invoke 4.9.1.1 as it is in the CSBRs today. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><i><span lang=EN-US style='font-size:11.0pt'>“We rarely see non-timestamped code out there but Ian might be able to share some more insight with real numbers (timestamped code executed vs non-timestamped).”<o:p></o:p></span></i></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>With regards to code not being countersigned with a timestamp, I have rarely seen this to be the case with good-natured code or Suspect Code (malware authors have figured out TS endpoints are free not a threat to their evasion tactics). <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><i><span lang=EN-US style='font-size:11.0pt'>“It would be great if after this ballot and the ballot that Dimitris is doing is if we had just sections 4.9.1.1 for 24-hour revocation and 4.9.1.2 for 7-day revocation. This would align the sections with the SSL and S/MIME BRs and probably our CPS documents.</span></i><i><span lang=EN-US><o:p></o:p></span></i></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>I am good with alignment with SSL and S/MIME BRs, but taking 4.9.1.1 and 4.9.1.2 from the SSL BRs we’d have to clean out some of the items that do not apply (e.g. v1.8.6 of the SSL BR 4.9.1.1(5) regarding domain validation evidence doesn’t make sense for CSBRs). <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:18.0pt'><i><span lang=EN-US style='font-size:11.0pt'>“If Ian is ok with not requiring long delays for Subscriber impact assessments and contacting Application Software Suppliers at a Global level (which in my opinion wouldn't really scale), we could do the following:<o:p></o:p></span></i></p><p class=MsoNormal style='margin-left:54.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><span lang=EN-US style='font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><i><span lang=EN-US style='font-size:11.0pt'>set the revocation timelines according to 4.9.1.1 and 4.9.1.2 to align with TLS and S/MIME BR numbering, setting the "revocation date/time" at "current time"<o:p></o:p></span></i></p><p class=MsoNormal style='margin-left:54.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><span lang=EN-US style='font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><i><span lang=EN-US style='font-size:11.0pt'>AND provide an option with a hard 7-days deadline after a Certificate Problem Report is received only to set the best "revocation time". The output of this second process will be either a "revocation time" before the signing of the Suspect Code, or a "more appropriate" one.”<o:p></o:p></span></i></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>I agree with both bullets above and agree that contacting all Application Software Suppliers at a Global level will not scale for the normal incidents. In the rare instances where a more “all parties involved" type response maybe needed are handled case by case without the CSBRs covering all possible scenarios for these rare instances.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>Cheers,<br>Ian<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt'>From:</span></b><span lang=EN-US style='font-size:11.0pt'> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org">cscwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b>Dimitris Zacharopoulos (HARICA) via Cscwg-public<br><b>Sent:</b> Thursday, February 2, 2023 12:12 PM<br><b>To:</b> Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>>; Martijn Katerbarg <<a href="mailto:martijn.katerbarg@sectigo.com">martijn.katerbarg@sectigo.com</a>>; <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> [EXTERNAL] Re: [Cscwg-public] Proposal to make changes to revocation based on malware<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:12.0pt'><o:p> </o:p></span></p><div><p class=MsoNormal><span lang=EN-US>On 2/2/2023 5:56 μ.μ., Bruce Morton wrote:<o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>Hi Martijn,</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>I don’t think I can endorse the current proposal as it does not appear to be meeting the goal I was hoping for, which was to simplify the process. I do like the way that the requirements are defined in the SSL and S/MIME BRs. These documents give revocation time deadlines and reasons for each deadline.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>I do understand that signing of suspect code is a little more complicated as the Subscriber may have good signatures, but then get compromised. I think we tried to address this issue, by providing 7-days to revoke a certificate which has signed suspect code. This would allow the CA, Subscriber and perhaps the Application Software Supplier to provide the earliest revocation date. Note, with private keys in hardware, the Subscriber will more likely be an attacker and will not respond.</span><span lang=EN-US><o:p></o:p></span></p></blockquote><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman",serif'><br>If there is no response, then the CA revokes and can set the revocation date to the date before the signing of the Suspect Code. My suggestion on a previous meeting was the following:<o:p></o:p></span></p><ul type=disc><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo2'><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman",serif'>If the CA has reasonable assurance that a Certificate was used to sign Suspect Code, then the CA shall revoke the Certificate within 24h and set a revocation date to a date and time before the signing of the Suspect Code.<o:p></o:p></span></li></ul><p><span lang=EN-US>There were concerns raised that this backdate revocation might invalidate other Code, not classified as "Suspect" and may cause more harm than good. I can't really see why we should allow Suspect Code to be executed and risk user's safety and personal data, because that Subscriber has signed other "good" Code after signing the Suspect Code.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>Note, I don’t believe “Revoking a certificate at current time has absolutely no impact on existing signed malware” is true. If the suspect code is not time-stamped, then revoking at the current time will impact the suspect code signature and all other signatures which are not time-stamped. This might be the easiest and quickest way to deal with non-time-stamped signatures on suspect code. </span><span lang=EN-US><o:p></o:p></span></p></blockquote><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman",serif'><br>We rarely see non-timestamped code out there but Ian might be able to share some more insight with real numbers (timestamped code executed vs non-timestamped).<br><br>I don't disagree with revoking immediately (at "current date") and setting a revocation date in the past after 5, 7 or 10 days to further mitigate the Relying Party risk.<br><br><o:p></o:p></span></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>On the other hand, 7-days would allow the Subscriber to resign code they did not time-stamp. Although, I am not really in favor of providing extra time for Subscribers which are not time-stamping.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p></blockquote><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman",serif'>Agreed. Please see my previous comment.<br><br><o:p></o:p></span></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>It would be great if after this ballot and the ballot that Dimitris is doing is if we had just sections 4.9.1.1 for 24-hour revocation and 4.9.1.2 for 7-day revocation. This would align the sections with the SSL and S/MIME BRs and probably our CPS documents.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p></blockquote><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman",serif'><br>If Ian is ok with not requiring long delays for Subscriber impact assessments and contacting Application Software Suppliers at a Global level (which in my opinion wouldn't really scale), we could do the following:<o:p></o:p></span></p><ul type=disc><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1'><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman",serif'>set the revocation timelines according to 4.9.1.1 and 4.9.1.2 to align with TLS and S/MIME BR numbering, setting the "revocation date/time" at "current time"<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1'><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman",serif'>AND provide an option with a hard 7-days deadline after a Certificate Problem Report is received only to set the best "revocation time". The output of this second process will be either a "revocation time" before the signing of the Suspect Code, or a "more appropriate" one.<o:p></o:p></span></li></ul><p><span lang=EN-US>Does that seem to work?<o:p></o:p></span></p><p><span lang=EN-US>Thanks,<o:p></o:p></span></p><p><span lang=EN-US>Dimitris.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman",serif'><br><br><o:p></o:p></span></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>Bruce.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt'>From:</span></b><span lang=EN-US style='font-size:11.0pt'> Cscwg-public <a href="mailto:cscwg-public-bounces@cabforum.org"><cscwg-public-bounces@cabforum.org></a> <b>On Behalf Of </b>Martijn Katerbarg via Cscwg-public<br><b>Sent:</b> Friday, January 27, 2023 6:04 AM<br><b>To:</b> <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>; Dimitris Zacharopoulos (HARICA) <a href="mailto:dzacharo@harica.gr"><dzacharo@harica.gr></a><br><b>Subject:</b> [EXTERNAL] Re: [Cscwg-public] Proposal to make changes to revocation based on malware</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>WARNING: This email originated outside of Entrust.<br>DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.</span><span lang=EN-US><o:p></o:p></span></p><div class=MsoNormal align=center style='text-align:center'><span lang=EN-US style='font-size:11.0pt'><hr size=1 width="100%" align=center></span></div><p class=MsoNormal><span class=EmailStyle22><span lang=EN-US style='font-size:11.0pt'>All, the language has been updated and is available on <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fcode-signing%2Fpull%2F10%2Ffiles&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7C84589800536443ceeacf08db055c8422%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638109667153861321%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2FqLeQfGrIURrb2aFYwK%2BDyhFovUlzIU4kYdda7hd28U%3D&reserved=0">https://github.com/cabforum/code-signing/pull/10/files</a> for review</span></span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='margin-bottom:12.0pt'><b><span lang=EN-US style='font-size:12.0pt;color:black'>From: </span></b><span lang=EN-US style='font-size:12.0pt;color:black'>Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org">cscwg-public-bounces@cabforum.org</a>> on behalf of Martijn Katerbarg via Cscwg-public <<a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>><br><b>Date: </b>Tuesday, 24 January 2023 at 22:45<br><b>To: </b>Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr">dzacharo@harica.gr</a>>, <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a> <<a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>><br><b>Subject: </b>Re: [Cscwg-public] Proposal to make changes to revocation based on malware</span><span lang=EN-US><o:p></o:p></span></p></div><div style='border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='line-height:12.0pt;background:#FAFA03'><span lang=EN-US style='color:black'>CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span><span lang=EN-US><o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'>> There is nothing preventing the CA to revoke a certificate right away. Revoking a certificate <b>at current time</b> has absolutely no impact on existing signed malware. The impact assessment affects cases of backdating the revocation. I'm afraid this "SHOULD" is just going to be ignored, unless you feel that the CA has enough evidence to backdate revoke a certificate and does not want to wait for an impact assessment of affected Relying Parties by the Subscriber. If it's the latter, I agree but we need to write it a bit clearer.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>That latter case is indeed the one I’d like to address. I’ll take a look at appropriate language for it.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'>> Yes. 7 days seem reasonable to pause the revocation process waiting for a response from the Application Software Supplier but IMO no more than that.<br><br></span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>No objection from my end with that approach, but I would then like to combine bullet 2 and 3 into one since they are strongly connected. It takes away any doubt in interpretation.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>I’ll get on adding these changes in GH</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt'>From:</span></b><span lang=EN-US style='font-size:11.0pt'> Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr">dzacharo@harica.gr</a>> <br><b>Sent:</b> Tuesday, 24 January 2023 16:25<br><b>To:</b> Martijn Katerbarg <<a href="mailto:martijn.katerbarg@sectigo.com">martijn.katerbarg@sectigo.com</a>>; <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> Re: [Cscwg-public] Proposal to make changes to revocation based on malware</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div style='border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='line-height:12.0pt;background:#FAFA03'><span lang=EN-US style='color:black'>CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span><span lang=EN-US><o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'> </span><span lang=EN-US><o:p></o:p></span></p><div><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>On 24/1/2023 11:47 π.μ., Martijn Katerbarg wrote:</span><span lang=EN-US><o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>Thanks for the proposal Dimitris.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>I have a few remarks on this:</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>“<i>The CA SHALL request the Subscriber to respond with an impact assessment of affected Relying Parties if the revocation date is set before the time that the Private Key became compromised or likely used to sign Suspect Code, and to state the associated Application Software Supplier(s).”</i><br>I’d like to propose we change this into:<br>“<i>The CA SHALL request the Subscriber to respond with an acknowledgement and SHOULD request the Subscriber to respond with an impact assessment of affected Relying Parties if the revocation date is set before the time that the Private Key became compromised or likely used to sign Suspect Code, and to state the associated Application Software Supplier(s).</i>”</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>This offers CA’s the option not to request an impact assessment if they deem the evidence clear enough warranting revocation right away. </span><span lang=EN-US><o:p></o:p></span></p></blockquote><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'><br>There is nothing preventing the CA to revoke a certificate right away. Revoking a certificate <b>at current time</b> has absolutely no impact on existing signed malware. The impact assessment affects cases of backdating the revocation. I'm afraid this "SHOULD" is just going to be ignored, unless you feel that the CA has enough evidence to backdate revoke a certificate and does not want to wait for an impact assessment of affected Relying Parties by the Subscriber. If it's the latter, I agree but we need to write it a bit clearer.<br><br><br></span><span lang=EN-US><o:p></o:p></span></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>I’m also wondering on the interpretation of the following 2 clauses:</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>“<i>2. Based on the feedback received, the CA MAY determine a more appropriate revocation date to be associated with the revocation of the Certificate.</i></span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><i><span lang=EN-US style='font-size:11.0pt'>3. The CA SHALL revoke the Certificate within 7 days after the CA received the Certificate Problem Report.</span></i><span lang=EN-US style='font-size:11.0pt'>”</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>I like to think this means that even with a plan submitted to the Application Software Suppliers, revocation MUST occur no later than 7 days after the CPR was received. Is that what you also intend here?</span><span lang=EN-US><o:p></o:p></span></p></blockquote><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'><br>Yes. 7 days seem reasonable to pause the revocation process waiting for a response from the Application Software Supplier but IMO no more than that.<br><br><br></span><span lang=EN-US><o:p></o:p></span></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:11.0pt'><br>In my option that should be the maximum time before revocation needs to happen, however, it feels like the whole impact assessment may be a lot of work for a Subscriber, in order to only get 48 hours of extra time before a revocation needs to happen (Although to be fair these may be the very few edge cases, for which it could be useful). <br><br><br></span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>Thoughts?</span><span lang=EN-US><o:p></o:p></span></p></blockquote><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'><br>We may need some more feedback from CAs that have actually experienced such cases. From my perspective, 48 hours for an quick impact assessment, seems reasonable considering the impact of a malware to millions of users worldwide that could be stopped by a single backdate revocation action from the CA.<br><br><br>Thanks,<br>Dimitris.<br><br><br></span><span lang=EN-US><o:p></o:p></span></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt'>From:</span></b><span lang=EN-US style='font-size:11.0pt'> Cscwg-public <a href="mailto:cscwg-public-bounces@cabforum.org"><cscwg-public-bounces@cabforum.org></a> <b>On Behalf Of </b>Dimitris Zacharopoulos (HARICA) via Cscwg-public<br><b>Sent:</b> Thursday, 15 December 2022 14:27<br><b>To:</b> <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> Re: [Cscwg-public] Proposal to make changes to revocation based on malware</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div style='border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='line-height:12.0pt;background:#FAFA03'><span lang=EN-US style='color:black'>CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span><span lang=EN-US><o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>On 12/15/2022 11:59 AM, Martijn Katerbarg via Cscwg-public wrote:</span><span lang=EN-US><o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>All,</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>We had a good discussion on the malware proposal during the last call. I believe we’re nearly there. Trevoli and Tim you had suggestions (and thank you Dean for spelling it out in the minutes!) to make is more clear and also allow for the exceptional cases where revoking a CS cert would do more damage then not. <br><br>Based on this, it seems we were leaning into making the following changes:</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'><br>Change:</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> a. If the Subscriber responds within 72 hours, the CA and Subscriber MAY determine a "reasonable date" to revoke the certificate. The revocation date MUST NOT be more than 7 calendar days after the CA received the Certificate Problem Report.<br>Into:<br> a. If the Subscriber responds within 72 hours, the CA MAY determine a "reasonable date" to revoke the certificate. The CA:</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:54.0pt;text-indent:-18.0pt;mso-list:l4 level1 lfo3'><![if !supportLists]><span lang=EN-US><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-size:11.0pt'>MUST revoke the certificate no later than 7 calendar days after the CA received the Certificate Problem Report; or,</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:54.0pt;text-indent:-18.0pt;mso-list:l4 level1 lfo3'><![if !supportLists]><span lang=EN-US><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-size:11.0pt'>MUST submit a plan for revocation to all Application Software Suppliers based on discussions with the Subscriber no later than 7 calendar days after the CA received the Certificate Problem Report</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'><br>Thoughts on this?<br>The one thought I have on this is, are Application Software Suppliers (i.e Certificate Consumers, but that’s not a CSCBR defined term) willing to take on these plans and provide responses to the CA? <br>Cause if they don’t, it seems we again have a loop hole in which revocation can be done much later based upon subscriber request…</span><span lang=EN-US><o:p></o:p></span></p></blockquote><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'><br>I have the same concerns with the second bullet. And how do we determine "all" Suppliers? CAs have no visibility on Relying Party software.<br><br>I believe that the reason to "contact negatively-affected Application Software Suppliers" is to determine the proper "reasonable date" that would invalidate the malware signatures and not affect other "good signatures" that would have a significant impact on Relying Parties. If there is no response from the Application Software Supplier, the CA should revoke with a "reasonable date" based on its investigation at the time.<br><br>Please take a look at the following proposal. I'd appreciate feedback and language improvements to describe the process accurately and safely in order to protect Relying Parties from executing Suspect Code as much as possible. Worse case, CAs will revoke the Certificate with a revocation date set at the time of the revocation event which does not affect any previously signed code, including the Suspect Code which will be executed successfully by Relying Parties even after the revocation of the Certificate.</span><span lang=EN-US><o:p></o:p></span></p><h4><i><span lang=EN-US>4.9.1.3 Revocation Based on Reported or Detected Compromise or Use in Suspect Code</span></i><span lang=EN-US><o:p></o:p></span></h4><p><i><span lang=EN-US>Except for cases that fall under Section 4.9.1.1, if, while investigating a Certificate Problem Report, the CA determines the Subscriber's Private Key is compromised or likely being used for Suspect Code, the CA SHALL revoke the corresponding Code Signing Certificate in accordance with and within the following maximum time frames. Nothing herein prohibits a CA from revoking a Code Signing Certificate prior to these time frames.</span></i><span lang=EN-US><o:p></o:p></span></p><ol start=1 type=1><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l5 level1 lfo4'><i><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'>The CA SHALL contact the Subscriber within 24 hours after the CA received the Certificate Problem Report, notifying that the Certificate is scheduled to be revoked with a revocation date set before the time that the Private Key became compromised or likely used to sign Suspect Code. This revocation date is set in the past to prevent Relying Parties from executing Suspect Code signed with the affected Code Signing Certificate.</span></i><span lang=EN-US><o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l5 level1 lfo4'><i><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'>The CA SHALL request the Subscriber to respond with an impact assessment of affected Relying Parties if the revocation date is set before the time that the Private Key became compromised or likely used to sign Suspect Code, and to state the associated Application Software Supplier(s).</span></i><span lang=EN-US><o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l5 level1 lfo4'><i><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'>The CA SHALL request the Subscriber to respond to the CA within 72 hours of the CA sending the notification. </span></i><span lang=EN-US><o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l5 level1 lfo4'><i><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'>If the Subscriber responds within 72 hours, </span></i><i><span lang=EN-US style='font-size:12.0pt'>then based on the Subscriber's impact assessment:</span></i><span lang=EN-US><o:p></o:p></span></li></ol><ol start=4 type=1><ol start=1 type=1><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l5 level2 lfo4'><i><span lang=EN-US style='font-size:12.0pt'>the CA MAY submit a revocation plan to associated Application Software Suppliers no later than 7 calendar days after the CA received the Certificate Problem Report. The revocation plan:</span></i><span lang=EN-US><o:p></o:p></span></li></ol></ol><ol start=4 type=1><ol start=1 type=1><ol start=1 type=1><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l5 level3 lfo4'><i><span lang=EN-US style='font-size:12.0pt'>SHALL contain informing about the planned revocation date to be set for the to-be-revoked Certificate; and</span></i><span lang=EN-US><o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l5 level3 lfo4'><i><span lang=EN-US style='font-size:12.0pt'>SHALL request suggestions for a "more appropriate" revocation date in case the proposed revocation date has a significant impact on Relying Parties associated with that particular Application Software Supplier. </span></i><span lang=EN-US><o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l5 level3 lfo4'><i><span lang=EN-US style='font-size:12.0pt'>The CA SHALL request the Application Software Supplier to respond within 72 hours.</span></i><span lang=EN-US><o:p></o:p></span></li></ol></ol></ol><ol start=4 type=1><ol start=2 type=1><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l5 level2 lfo4'><i><span lang=EN-US style='font-size:12.0pt'>Based on the feedback received, the CA MAY determine a more appropriate revocation date to be associated with the revocation of the Certificate.</span></i><span lang=EN-US><o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l5 level2 lfo4'><i><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'>The CA SHALL revoke the Certificate within 7 days after the CA received the Certificate Problem Report.</span></i><span lang=EN-US><o:p></o:p></span></li></ol></ol><ol start=5 type=1><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l5 level1 lfo4'><i><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'>If the CA does not receive a response from the Subscriber, then the CA SHALL revoke the Certificate within 24 hours from the end of the response period.</span></i><span lang=EN-US><o:p></o:p></span></li></ol><p><i><span lang=EN-US>A CA revoking a Certificate because the Certificate was associated with signed Suspect Code or other fraudulent or illegal conduct SHOULD provide all relevant information and risk indicators to other CAs, Application Software Suppliers, or industry groups. The CA SHOULD contact the Application Software Suppliers within 24 hours after the CA received the Certificate Problem Report.</span></i><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'><br>Thanks,<br>Dimitris.<br><br><br></span><span lang=EN-US><o:p></o:p></span></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>Note: I won’t be able to attend todays call, but feel free to discuss.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt'>From:</span></b><span lang=EN-US style='font-size:11.0pt'> Cscwg-public <a href="mailto:cscwg-public-bounces@cabforum.org"><cscwg-public-bounces@cabforum.org></a> <b>On Behalf Of </b>Dimitris Zacharopoulos (HARICA) via Cscwg-public<br><b>Sent:</b> Tuesday, 29 November 2022 10:13<br><b>To:</b> <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> Re: [Cscwg-public] Proposal to make changes to revocation based on malware</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div style='border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='line-height:12.0pt;background:#FAFA03'><span lang=EN-US style='color:black'>CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span><span lang=EN-US><o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'> </span><span lang=EN-US><o:p></o:p></span></p><div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>On 28/11/2022 2:50 μ.μ., Martijn Katerbarg via Cscwg-public wrote:</span><span lang=EN-US><o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>All, </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>I just pushed a new commit (<a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fcode-signing%2Fpull%2F10%2Fcommits%2F8e7e3b4e57960994edea267f0e753358aad99574&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7C84589800536443ceeacf08db055c8422%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638109667154017520%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=nq7zUrcY6K9hFiplYi2hC%2Fo9Ft2LvatxW4YVhSE5Mfo%3D&reserved=0">https://github.com/cabforum/code-signing/pull/10/commits/8e7e3b4e57960994edea267f0e753358aad99574</a>) based on the discussions and comments I’ve had and received. </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>The complete ballot “redline” in GitHub is available for review on <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fcode-signing%2Fpull%2F10%2Ffiles&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7C84589800536443ceeacf08db055c8422%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638109667154017520%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=0VnUV9dRu1DGMPbvt3S9hX2feP6yeVYqslym0yaNw2g%3D&reserved=0">https://github.com/cabforum/code-signing/pull/10/files</a></span><span lang=EN-US><o:p></o:p></span></p></blockquote><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'><br>If the CA confirms that a Subscriber has signed "Suspect Code", how would the group feel with a proposal to require CAs to <b>backdate revoke</b> the Code Signing Certificate to a date and time that would neutralize the Suspect Code? If this date and time is unlikely to be determined, backdate revoke 1'' after the notBefore date and time of the Code Signing Certificate?<br><br><br>Thanks,<br>Dimitris.<br><br><br><br><br><br></span><span lang=EN-US><o:p></o:p></span></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt'>From:</span></b><span lang=EN-US style='font-size:11.0pt'> Cscwg-public <a href="mailto:cscwg-public-bounces@cabforum.org"><cscwg-public-bounces@cabforum.org></a> <b>On Behalf Of </b>Martijn Katerbarg via Cscwg-public<br><b>Sent:</b> Monday, 26 September 2022 11:58<br><b>To:</b> Dimitris Zacharopoulos (HARICA) <a href="mailto:dzacharo@harica.gr"><dzacharo@harica.gr></a>; <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> Re: [Cscwg-public] Proposal to make changes to revocation based on malware</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div style='border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='line-height:12.0pt;background:#FAFA03'><span lang=EN-US style='color:black'>CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span><span lang=EN-US><o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'> </span><span lang=EN-US><o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>Thank you Dimitris. That makes sense. I’ve pushed an update to the draft-PR</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt'>From:</span></b><span lang=EN-US style='font-size:11.0pt'> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org">cscwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b>Dimitris Zacharopoulos (HARICA) via Cscwg-public<br><b>Sent:</b> Friday, 23 September 2022 18:47<br><b>To:</b> <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> Re: [Cscwg-public] Proposal to make changes to revocation based on malware</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div style='border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='line-height:12.0pt;background:#FAFA03'><span lang=EN-US style='color:black'>CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span><span lang=EN-US><o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'> </span><span lang=EN-US><o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>I posted some proposed changes for consistency and accuracy.</span><span lang=EN-US><o:p></o:p></span></p><ol start=1 type=1><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo5'><span lang=EN-US style='font-size:11.0pt'><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fcode-signing%2Fpull%2F10%23pullrequestreview-1118760785&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7C84589800536443ceeacf08db055c8422%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638109667154017520%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OZ2i8pN7ZHlbfLPvd5824BBgrmc1pKkjC7bfCUuzPyE%3D&reserved=0">https://github.com/cabforum/code-signing/pull/10#pullrequestreview-1118760785</a></span><span lang=EN-US><o:p></o:p></span></li></ol><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:11.0pt'><br>Thanks,<br>Dimitris.</span><span lang=EN-US><o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>On 23/9/2022 3:55 μ.μ., Bruce Morton via Cscwg-public wrote:</span><span lang=EN-US><o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>Hi Martjin,</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>I will endorse the ballot.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>Thanks, Bruce.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt'>From:</span></b><span lang=EN-US style='font-size:11.0pt'> Cscwg-public <a href="mailto:cscwg-public-bounces@cabforum.org"><cscwg-public-bounces@cabforum.org></a> <b>On Behalf Of </b>Martijn Katerbarg via Cscwg-public<br><b>Sent:</b> Friday, September 23, 2022 3:44 AM<br><b>To:</b> <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> [EXTERNAL] Re: [Cscwg-public] Proposal to make changes to revocation based on malware</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>WARNING: This email originated outside of Entrust.<br>DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.</span><span lang=EN-US><o:p></o:p></span></p><div class=MsoNormal align=center style='text-align:center'><span lang=EN-US style='font-size:11.0pt'><hr size=1 width="44%" align=center></span></div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>All,</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>As discussed on yesterdays call, the latest changes which Tim and I were discussing are pushed into Github. </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>The complete change can be found at <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fcode-signing%2Fpull%2F10%2Ffiles&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7C84589800536443ceeacf08db055c8422%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638109667154017520%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=0VnUV9dRu1DGMPbvt3S9hX2feP6yeVYqslym0yaNw2g%3D&reserved=0">https://github.com/cabforum/code-signing/pull/10/files</a> for review.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>Bruce, Ian, since I earlier had your endorsements, please let me know if they still stand. The changes since the endorsements, are captured in <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fcode-signing%2Fpull%2F10%2Fcommits%2F90fa38ab4dc5e5f9b25fce844b750d693f7256b7&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7C84589800536443ceeacf08db055c8422%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638109667154017520%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ANjQgtJmzP6m8gYQ3m%2FgPTp44NFamPzO0qPAXxXL%2BKk%3D&reserved=0">https://github.com/cabforum/code-signing/pull/10/commits/90fa38ab4dc5e5f9b25fce844b750d693f7256b7</a></span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>If there are no other comments, then hopefully we can start a ballot process on this.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:11.0pt'><br>Regards,</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>Martijn</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt'>From:</span></b><span lang=EN-US style='font-size:11.0pt'> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org">cscwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b>Martijn Katerbarg via Cscwg-public<br><b>Sent:</b> Tuesday, 19 July 2022 09:22<br><b>To:</b> Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com">tim.hollebeek@digicert.com</a>>; <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> Re: [Cscwg-public] Proposal to make changes to revocation based on malware</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div style='border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='line-height:12.0pt;background:#FAFA03'><span lang=EN-US style='color:black'>CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span><span lang=EN-US><o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>Thanks Tim,</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-left:36.0pt;text-indent:-18.0pt'><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><ol style='margin-top:0cm' start=1 type=1><li class=MsoListParagraph style='margin-left:0cm;mso-list:l3 level1 lfo6'><span lang=EN-US style='font-size:11.0pt'>What is the motivation for allowing a waiver if approved by just “at least one” of the stakeholders, instead of all of them?</span><span lang=EN-US><o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0cm;mso-list:l3 level1 lfo6'><span lang=EN-US style='font-size:11.0pt'>I’m a bit concerned that language might be increasingly troublesome as we continue to expand the scope and participation of this group.</span><span lang=EN-US><o:p></o:p></span></li></ol><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>I believe it might be difficult to get approval from all stakeholders within a certain amount of time, meaning the CA would possibly never get all approvals, and never be able to utilize the waiver. </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>Considering that signed code is often (but not exclusively) targeted for a specific platform, stakeholders of other platforms might not be inclined to give approval for something that does not even affect them. </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>I do share your concern, but I also don’t see a better path towards the same goal.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><ol style='margin-top:0cm' start=3 type=1><li class=MsoListParagraph style='margin-left:0cm;mso-list:l3 level1 lfo6'><span lang=EN-US style='font-size:11.0pt'>Similarly, I’m unsure how I feel about making compliance distinctions based on whether a particular root program has decided to have a contractual relationship with its issuers or not. That seems like an implementation detail of the relationship that the guidelines should remain silent on. But I appreciate what that definition is intended to do, and would like to perhaps find a different way to express the same intent.</span><span lang=EN-US><o:p></o:p></span></li></ol><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>Good point, and maybe the word “contract” is too much here?</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>Although I would note this language is already part of the “Certificate Beneficiaries” definition right now.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>I’m open for a different suggestion </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt'>From:</span></b><span lang=EN-US style='font-size:11.0pt'> Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com">tim.hollebeek@digicert.com</a>> <br><b>Sent:</b> Friday, 15 July 2022 18:18<br><b>To:</b> Martijn Katerbarg <<a href="mailto:martijn.katerbarg@sectigo.com">martijn.katerbarg@sectigo.com</a>>; <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> RE: [Cscwg-public] Proposal to make changes to revocation based on malware</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div style='border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='line-height:12.0pt;background:#FAFA03'><span lang=EN-US style='color:black'>CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span><span lang=EN-US><o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>What is the motivation for allowing a waiver if approved by just “at least one” of the stakeholders, instead of all of them?</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>I’m a bit concerned that language might be increasingly troublesome as we continue to expand the scope and participation of this group.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>Similarly, I’m unsure how I feel about making compliance distinctions based on whether a particular root program has decided to have a contractual relationship with its issuers or not. That seems like an implementation detail of the relationship that the guidelines should remain silent on. But I appreciate what that definition is intended to do, and would like to perhaps find a different way to express the same intent.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>-Tim</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt'>From:</span></b><span lang=EN-US style='font-size:11.0pt'> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org">cscwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b>Martijn Katerbarg via Cscwg-public<br><b>Sent:</b> Monday, June 27, 2022 10:04 AM<br><b>To:</b> <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> [Cscwg-public] Proposal to make changes to revocation based on malware</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>All,</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>As already hinted during the last meeting during the F2F, Ian and I, have been working on a proposal affecting the guidelines regarding malware based revocation.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>The intent of this change is to:</span><span lang=EN-US><o:p></o:p></span></p><ol style='margin-top:0cm' start=1 type=1><li class=MsoListParagraph style='margin-left:0cm;mso-list:l6 level1 lfo7'><span lang=EN-US style='font-size:11.0pt'>Limit the number of days before a certificate needs to be revoked, especially when the subscriber is not responding to inquiries</span><span lang=EN-US><o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0cm;mso-list:l6 level1 lfo7'><span lang=EN-US style='font-size:11.0pt'>Remove the OCSP log analysis requirements</span><span lang=EN-US><o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0cm;mso-list:l6 level1 lfo7'><span lang=EN-US style='font-size:11.0pt'>Simplify the process that has to be followed</span><span lang=EN-US><o:p></o:p></span></li></ol><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>I have attached 3 documents: one with the current language, one with the proposed language, as well as a redlined version.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>The changes have been made based on upcoming version 3.0 of the CSCBRs. In case you wish to compare with version 2.8, the relevant section is 13.1.5.3. Besides to that section, there is also a change to the “Suspect Code” definition, as well as a new definition in the proposal.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>Once <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fcode-signing%2Fpull%2F6&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7C84589800536443ceeacf08db055c8422%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638109667154017520%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=kCKCaN1x23KGDG4xwtHaspwBYkepnRNoy6qAnp1qDq4%3D&reserved=0">PR6</a> has been merged, I will also prepare the changes in GIT for those that prefer comparing there.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'>Looking forward to comments to this and move towards a potential ballot.<br><br>Regards,<br><br>Martijn</span><span lang=EN-US><o:p></o:p></span></p></div></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><i><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'>Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. <u>Please notify Entrust immediately</u> and delete the message from your system.</span></i><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'> </span><span lang=EN-US><o:p></o:p></span></p><pre><span lang=EN-US>_______________________________________________<o:p></o:p></span></pre><pre><span lang=EN-US>Cscwg-public mailing list<o:p></o:p></span></pre><pre><span lang=EN-US><a href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a><o:p></o:p></span></pre><pre><span lang=EN-US><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fcscwg-public&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7C84589800536443ceeacf08db055c8422%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638109667154017520%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=GyGENnku46a6fmMHD2FpqJPGUZIe4vRsy%2BHdEazRgQ0%3D&reserved=0">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a><o:p></o:p></span></pre></blockquote><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'> </span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'><br><br><br><br></span><span lang=EN-US><o:p></o:p></span></p><pre><span lang=EN-US>_______________________________________________<o:p></o:p></span></pre><pre><span lang=EN-US>Cscwg-public mailing list<o:p></o:p></span></pre><pre><span lang=EN-US><a href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a><o:p></o:p></span></pre><pre><span lang=EN-US><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fcscwg-public&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7C84589800536443ceeacf08db055c8422%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638109667154017520%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=GyGENnku46a6fmMHD2FpqJPGUZIe4vRsy%2BHdEazRgQ0%3D&reserved=0">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a><o:p></o:p></span></pre></blockquote><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'> </span><span lang=EN-US><o:p></o:p></span></p></div><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'><br><br><br></span><span lang=EN-US><o:p></o:p></span></p><pre><span lang=EN-US>_______________________________________________<o:p></o:p></span></pre><pre><span lang=EN-US>Cscwg-public mailing list<o:p></o:p></span></pre><pre><span lang=EN-US><a href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a><o:p></o:p></span></pre><pre><span lang=EN-US><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fcscwg-public&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7C84589800536443ceeacf08db055c8422%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638109667154017520%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=GyGENnku46a6fmMHD2FpqJPGUZIe4vRsy%2BHdEazRgQ0%3D&reserved=0">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a><o:p></o:p></span></pre></blockquote><div><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'> </span><span lang=EN-US><o:p></o:p></span></p></div></blockquote><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman \,serif"'> </span><span lang=EN-US><o:p></o:p></span></p></div></div></blockquote><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p></div></div></body></html>