<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Dear Members,<br>
<br>
Following up on the work of importing the references to the EV
Guidelines and specifically the latest version (1.8.0) with the
exception of the CA/B Forum organization identifier extension as
agreed in previous meetings, the resulting redline (based on CSBR
version 3.4.0) is available in the following link:<br>
<ul>
<li><a class="moz-txt-link-freetext" href="https://github.com/cabforum/code-signing/compare/main...importEVG">https://github.com/cabforum/code-signing/compare/main...importEVG</a><br>
</li>
</ul>
<p>We can easily rebase to version 3.5.0 which is the latest CSBR
version, but the focus should be more on the import of the
existing EV references.</p>
<p>The redline contains several formatting improvements as well,
like removal of double spaces and tabs that break the conversion.</p>
<p>Here are my notes from the conversion:</p>
<p><br>
</p>
<p>- CSBR section 3.2.2.2 points to EV Guidelines <br>
- Section 10.1.2 for specific roles (done)<br>
- Section 11.2 for Legal Existence and Identity (done)<br>
- Section 11.3 for Assumed Name (done)<br>
- Section 11.4 for Physical Existence (done)<br>
- Section 11.5 for Method of Communication (done)<br>
- Section 11.6 for Operational Existence (done)<br>
- Section 11.8 for Name, Title and Authority of Contract Signer
and Certificate Approver (done)<br>
- Section 11.9 for Signature on Subscriber Agreement and EV CS
Certificate Requests (done)<br>
- Section 11.10 for Approval of EV CS Certificate Request (done)<br>
- Section 11.11 for Certain Information Sources (done)<br>
- Section 11.12.3 for Parent/Subsidiary/Affiliate Relationship
(done)<br>
- CSBR section 4.1.1 points to EV Guidelines section 11.12.2 for
"suspicious" certificate requests (done new section 3.2.8)<br>
- CSBR section 4.2.1 points to EV Guidelines <br>
- section 11.13 for the "due diligence" verification (done new
section 3.2.9)<br>
- section 11.14 for the usage periods of documents, data and
previous validations performed per section 3.2. (done with new
section 4.2.1.1)<br>
- CSBR section 5.2.4 points to EV Guidelines section 11.13 for the
Final Cross-Correlation and Due Diligence steps (done by pointing
to the new section 3.2.9)<br>
- CSBR section 5.3.3 points to EV Guidelines in general for the
Validation Specialist training and internal examination (done)<br>
- CSBR section 7.1.4.2.4 points to EV Guidelines sections 9.2.1
(done), 9.2.3 (done), 9.2.4 (done, section 11.1.3 disclosure of
verification sources migrated to 3.2.10), 9.2.5 (done), 9.2.6
(done), 9.2.8 (done updated reference to 9.2.4 to 7.1.4.2.4 (c))
for subject information<br>
- CSBR section 9.2.1 points to EV Guidelines section 8.4 for
insurance coverage (done)</p>
<p><br>
</p>
<p>9.8.2 --> Do not import<br>
11.11.1 --> 3.2.2.2.10.1<br>
11.11.4 --> 3.2.2.2.12<br>
11.13 --> 3.2.9<br>
14.1.1, 14.1.2 --> 5.3 (Training and background checks)<br>
14.1.3 --> 5.2.4 (separation of duties)<br>
14.2 --> 1.3.2.1 (new section)<br>
</p>
We still need to do a thorough check for the import of the proper
definitions and acronyms and remove the ones that are not use in the
CSBRs with the first letter capitalized.<br>
<br>
I have not completed a full mapping of the import of the EVGs into
the CSBRs but that's my next target. Please note that some
destination sections are different from what Inigo has decided for
the <a
href="https://github.com/cabforum/servercert/compare/90a98dc7c1131eaab01af411968aa7330d315b9b...238ff99fbe04f2aa24f2c58910d8133f2283f11e">conversion
of the EVGs into the RFC 3647 format</a>. We can compare notes
with Inigo after we get some initial feedback by Members.<br>
<br>
<br>
Best regards,<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 2/10/2023 11:56 μ.μ., Dimitris
Zacharopoulos (HARICA) wrote:<br>
</div>
<blockquote type="cite"
cite="mid:ffbe878c-2e05-4f2b-b6ee-04c89589be2d@harica.gr">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<br>
Dear Members,<br>
<br>
At a previous Teleconference I volunteered to search the CSBRs and
find references to the EV Guidelines that could be discussed at
the upcoming F2F. We can then decide if we want to import all or
some of them to the CSBRs.<br>
<p style="page-break-inside: avoid;">The EV Guidelines that is
-supposed to be- referenced is version 1.7.1.</p>
<ul style="page-break-inside: avoid;">
<li style="page-break-inside: avoid;">CSBR section 3.2.2.2
points to EV Guideline:
<ul style="page-break-inside: avoid;">
<li style="page-break-inside: avoid;">Section 10.1.2 for
specific roles</li>
<li style="page-break-inside: avoid;">Section 11.2 for Legal
Existence and Identity</li>
<li style="page-break-inside: avoid;">Section 11.3 for
Assumed Name</li>
<li style="page-break-inside: avoid;">Section 11.4 for
Physical Existence</li>
<li style="page-break-inside: avoid;">Section 11.5 for
Method of Communication</li>
<li style="page-break-inside: avoid;">Section 11.6 for
Operational Existence</li>
<li style="page-break-inside: avoid;">Section 11.8 for Name,
Title and Authority of Contract Signer and Certificate
Approver</li>
<li style="page-break-inside: avoid;">Section 11.9 for
Signature on Subscriber Agreement and EV CS Certificate
Requests</li>
<li style="page-break-inside: avoid;">Section 11.10 for
Approval of EV CS Certificate Request</li>
<li style="page-break-inside: avoid;">Section 11.11 for
Certain Information Sources</li>
<li style="page-break-inside: avoid;">Section 11.12.3 for
Parent/Subsidiary/Affiliate Relationship</li>
</ul>
</li>
<li style="page-break-inside: avoid;">CSBR section 4.1.1 points
to EV Guidelines section 11.12.2 for "suspicious" certificate
requests</li>
<li style="page-break-inside: avoid;">CSBR section 4.2.1 points
to EV Guidelines:
<ul style="page-break-inside: avoid;">
<li style="page-break-inside: avoid;">section 11.13 for the
"due diligence" verification</li>
<li style="page-break-inside: avoid;">section 11.14 for the
usage periods of documents, data and previous validations
performed per section 3.2</li>
</ul>
</li>
<li style="page-break-inside: avoid;">CSBR section 5.2.4 points
to EV Guidelines section 11.13 for the Final Cross-Correlation
and Due Diligence steps</li>
<li style="page-break-inside: avoid;">CSBR section 5.3.3 points
to EV Guidelines in general for the Validation Specialist
training and internal examination</li>
<li style="page-break-inside: avoid;">CSBR section 7.1.4.2.4
points to EV Guidelines sections 9.2.1, 9.2.3, 9.2.4, 9.2.5,
9.2.6 for subject information</li>
<li style="page-break-inside: avoid;">CSBR section 9.2.1 points
to EV Guidelines section 8.4 for insurance coverage</li>
</ul>
<p>During this process, I also noticed that we have a capitalized
term "EV Process" without a corresponding definition. I will add
an issue on GitHub for the next cleanup ballot.</p>
<p>I would appreciate a second review in case I missed something.</p>
<p><br>
</p>
<p>Thank you,<br>
</p>
<p>Dimitris.<br>
</p>
</blockquote>
<br>
</body>
</html>