<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Dear Members,<br>
<br>
Apologies for sending this late. Here is the mapping document for
the import of the EV Guidelines into the CS Baseline Requirements.<br>
<br>
The process started from sections of the CSBRs that point to
sections of the EV Guidelines. In some cases, the referenced EVG
section, contained additional references within the EVG. The
spreadsheet tried to capture and follow all those references to
ensure we didn't miss anything.<br>
<br>
I hope this document will help the review process so we can proceed
with a ballot. Before we do the ballot, we will have to rebase to
the latest CSBR version and resolve any conflicts that may be caused
by the last 2 ballots. My goal is to get this ready for a ballot
after the next F2F meeting.<br>
<br>
<br>
Thank you,<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 8/1/2024 3:06 μ.μ., Dimitris
Zacharopoulos (HARICA) via Cscwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100018ce92e4788-bc2dabd5-a686-4268-bbd8-8355a7c2877e-000000@email.amazonses.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
Dear Members,<br>
<br>
Following up on the work of importing the references to the EV
Guidelines and specifically the latest version (1.8.0) with the
exception of the CA/B Forum organization identifier extension as
agreed in previous meetings, the resulting redline (based on CSBR
version 3.4.0) is available in the following link:<br>
<ul>
<li><a class="moz-txt-link-freetext"
href="https://github.com/cabforum/code-signing/compare/main...importEVG"
moz-do-not-send="true">https://github.com/cabforum/code-signing/compare/main...importEVG</a><br>
</li>
</ul>
<p>We can easily rebase to version 3.5.0 which is the latest CSBR
version, but the focus should be more on the import of the
existing EV references.</p>
<p>The redline contains several formatting improvements as well,
like removal of double spaces and tabs that break the
conversion.</p>
<p>Here are my notes from the conversion:</p>
<p><br>
</p>
<p>- CSBR section 3.2.2.2 points to EV Guidelines <br>
- Section 10.1.2 for specific roles (done)<br>
- Section 11.2 for Legal Existence and Identity (done)<br>
- Section 11.3 for Assumed Name (done)<br>
- Section 11.4 for Physical Existence (done)<br>
- Section 11.5 for Method of Communication (done)<br>
- Section 11.6 for Operational Existence (done)<br>
- Section 11.8 for Name, Title and Authority of Contract
Signer and Certificate Approver (done)<br>
- Section 11.9 for Signature on Subscriber Agreement and EV CS
Certificate Requests (done)<br>
- Section 11.10 for Approval of EV CS Certificate Request
(done)<br>
- Section 11.11 for Certain Information Sources (done)<br>
- Section 11.12.3 for Parent/Subsidiary/Affiliate Relationship
(done)<br>
- CSBR section 4.1.1 points to EV Guidelines section 11.12.2 for
"suspicious" certificate requests (done new section 3.2.8)<br>
- CSBR section 4.2.1 points to EV Guidelines <br>
- section 11.13 for the "due diligence" verification (done
new section 3.2.9)<br>
- section 11.14 for the usage periods of documents, data and
previous validations performed per section 3.2. (done with new
section 4.2.1.1)<br>
- CSBR section 5.2.4 points to EV Guidelines section 11.13 for
the Final Cross-Correlation and Due Diligence steps (done by
pointing to the new section 3.2.9)<br>
- CSBR section 5.3.3 points to EV Guidelines in general for the
Validation Specialist training and internal examination (done)<br>
- CSBR section 7.1.4.2.4 points to EV Guidelines sections 9.2.1
(done), 9.2.3 (done), 9.2.4 (done, section 11.1.3 disclosure of
verification sources migrated to 3.2.10), 9.2.5 (done), 9.2.6
(done), 9.2.8 (done updated reference to 9.2.4 to 7.1.4.2.4 (c))
for subject information<br>
- CSBR section 9.2.1 points to EV Guidelines section 8.4 for
insurance coverage (done)</p>
<p><br>
</p>
<p>9.8.2 --> Do not import<br>
11.11.1 --> 3.2.2.2.10.1<br>
11.11.4 --> 3.2.2.2.12<br>
11.13 --> 3.2.9<br>
14.1.1, 14.1.2 --> 5.3 (Training and background checks)<br>
14.1.3 --> 5.2.4 (separation of duties)<br>
14.2 --> 1.3.2.1 (new section)<br>
</p>
We still need to do a thorough check for the import of the proper
definitions and acronyms and remove the ones that are not use in
the CSBRs with the first letter capitalized.<br>
<br>
I have not completed a full mapping of the import of the EVGs into
the CSBRs but that's my next target. Please note that some
destination sections are different from what Inigo has decided for
the <a
href="https://github.com/cabforum/servercert/compare/90a98dc7c1131eaab01af411968aa7330d315b9b...238ff99fbe04f2aa24f2c58910d8133f2283f11e"
moz-do-not-send="true">conversion of the EVGs into the RFC 3647
format</a>. We can compare notes with Inigo after we get some
initial feedback by Members.<br>
<br>
<br>
Best regards,<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 2/10/2023 11:56 μ.μ., Dimitris
Zacharopoulos (HARICA) wrote:<br>
</div>
<blockquote type="cite"
cite="mid:ffbe878c-2e05-4f2b-b6ee-04c89589be2d@harica.gr">
<meta http-equiv="content-type"
content="text/html; charset=UTF-8">
<br>
Dear Members,<br>
<br>
At a previous Teleconference I volunteered to search the CSBRs
and find references to the EV Guidelines that could be discussed
at the upcoming F2F. We can then decide if we want to import all
or some of them to the CSBRs.<br>
<p style="page-break-inside: avoid;">The EV Guidelines that is
-supposed to be- referenced is version 1.7.1.</p>
<ul style="page-break-inside: avoid;">
<li style="page-break-inside: avoid;">CSBR section 3.2.2.2
points to EV Guideline:
<ul style="page-break-inside: avoid;">
<li style="page-break-inside: avoid;">Section 10.1.2 for
specific roles</li>
<li style="page-break-inside: avoid;">Section 11.2 for
Legal Existence and Identity</li>
<li style="page-break-inside: avoid;">Section 11.3 for
Assumed Name</li>
<li style="page-break-inside: avoid;">Section 11.4 for
Physical Existence</li>
<li style="page-break-inside: avoid;">Section 11.5 for
Method of Communication</li>
<li style="page-break-inside: avoid;">Section 11.6 for
Operational Existence</li>
<li style="page-break-inside: avoid;">Section 11.8 for
Name, Title and Authority of Contract Signer and
Certificate Approver</li>
<li style="page-break-inside: avoid;">Section 11.9 for
Signature on Subscriber Agreement and EV CS Certificate
Requests</li>
<li style="page-break-inside: avoid;">Section 11.10 for
Approval of EV CS Certificate Request</li>
<li style="page-break-inside: avoid;">Section 11.11 for
Certain Information Sources</li>
<li style="page-break-inside: avoid;">Section 11.12.3 for
Parent/Subsidiary/Affiliate Relationship</li>
</ul>
</li>
<li style="page-break-inside: avoid;">CSBR section 4.1.1
points to EV Guidelines section 11.12.2 for "suspicious"
certificate requests</li>
<li style="page-break-inside: avoid;">CSBR section 4.2.1
points to EV Guidelines:
<ul style="page-break-inside: avoid;">
<li style="page-break-inside: avoid;">section 11.13 for
the "due diligence" verification</li>
<li style="page-break-inside: avoid;">section 11.14 for
the usage periods of documents, data and previous
validations performed per section 3.2</li>
</ul>
</li>
<li style="page-break-inside: avoid;">CSBR section 5.2.4
points to EV Guidelines section 11.13 for the Final
Cross-Correlation and Due Diligence steps</li>
<li style="page-break-inside: avoid;">CSBR section 5.3.3
points to EV Guidelines in general for the Validation
Specialist training and internal examination</li>
<li style="page-break-inside: avoid;">CSBR section 7.1.4.2.4
points to EV Guidelines sections 9.2.1, 9.2.3, 9.2.4, 9.2.5,
9.2.6 for subject information</li>
<li style="page-break-inside: avoid;">CSBR section 9.2.1
points to EV Guidelines section 8.4 for insurance coverage</li>
</ul>
<p>During this process, I also noticed that we have a
capitalized term "EV Process" without a corresponding
definition. I will add an issue on GitHub for the next cleanup
ballot.</p>
<p>I would appreciate a second review in case I missed
something.</p>
<p><br>
</p>
<p>Thank you,<br>
</p>
<p>Dimitris.<br>
</p>
</blockquote>
<br>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Cscwg-public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/cscwg-public">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a>
</pre>
</blockquote>
<br>
</body>
</html>