<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 11/3/2024 6:20 μ.μ., Dimitris
Zacharopoulos (HARICA) via Cscwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100018e2e505af0-23236d24-8375-4d3f-a137-58c870087851-000000@email.amazonses.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<br>
All,<br>
<br>
I re-based the importEVG branch to the latest CSBR (3.7.0). You
can see the ballot redline in <a class="moz-txt-link-freetext"
href="https://github.com/cabforum/code-signing/pull/38"
moz-do-not-send="true">https://github.com/cabforum/code-signing/pull/38</a>.
Feel free to start a review within the PR or reply to this thread
with comments.<br>
<br>
Importing the EV Guidelines into the CSBRs ballot requires time to
review so I plan to give at least 2 weeks discussion period for
Members to check before starting the voting period.<br>
<br>
I have one remaining task which is to import the changes
introduced by Ballot <a
href="https://github.com/cabforum/servercert/pull/478"
moz-do-not-send="true">SC68</a>. Other than that, we should be
good to go. I would like to ask for 2 endorsers to reserve a
ballot number.<br>
</blockquote>
<br>
I added the language of Ballot SC68, fixed some numbering issues and
reformatted the tables. Everything seems to be all set. Martijn and
Corey have kindly offered to review the PR and hopefully they will
also be able to endorse the ballot. You can also download the <a
href="https://github.com/cabforum/code-signing/actions/runs/8771988767/artifacts/1433108820">artifacts
(.docx, .pdf, redline pdf)</a> produced based on the latest
commit.<br>
<br>
Please let me know if you have any questions or concerns.<br>
<br>
<br>
Best regards,<br>
Dimitris.<br>
<br>
<br>
<blockquote type="cite"
cite="mid:0100018e2e505af0-23236d24-8375-4d3f-a137-58c870087851-000000@email.amazonses.com">
<br>
<br>
Thank you,<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 2/2/2024 1:59 μ.μ., Dimitris
Zacharopoulos (HARICA) wrote:<br>
</div>
<blockquote type="cite"
cite="mid:684cfe16-3378-4e39-ab80-a38f3bac86f9@harica.gr">
<meta http-equiv="Content-Type"
content="text/html; charset=UTF-8">
Dear Members,<br>
<br>
Apologies for sending this late. Here is the mapping document
for the import of the EV Guidelines into the CS Baseline
Requirements.<br>
<br>
The process started from sections of the CSBRs that point to
sections of the EV Guidelines. In some cases, the referenced EVG
section, contained additional references within the EVG. The
spreadsheet tried to capture and follow all those references to
ensure we didn't miss anything.<br>
<br>
I hope this document will help the review process so we can
proceed with a ballot. Before we do the ballot, we will have to
rebase to the latest CSBR version and resolve any conflicts that
may be caused by the last 2 ballots. My goal is to get this
ready for a ballot after the next F2F meeting.<br>
<br>
<br>
Thank you,<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 8/1/2024 3:06 μ.μ., Dimitris
Zacharopoulos (HARICA) via Cscwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100018ce92e4788-bc2dabd5-a686-4268-bbd8-8355a7c2877e-000000@email.amazonses.com">
<meta http-equiv="Content-Type"
content="text/html; charset=UTF-8">
Dear Members,<br>
<br>
Following up on the work of importing the references to the EV
Guidelines and specifically the latest version (1.8.0) with
the exception of the CA/B Forum organization identifier
extension as agreed in previous meetings, the resulting
redline (based on CSBR version 3.4.0) is available in the
following link:<br>
<ul>
<li><a class="moz-txt-link-freetext"
href="https://github.com/cabforum/code-signing/compare/main...importEVG"
moz-do-not-send="true">https://github.com/cabforum/code-signing/compare/main...importEVG</a><br>
</li>
</ul>
<p>We can easily rebase to version 3.5.0 which is the latest
CSBR version, but the focus should be more on the import of
the existing EV references.</p>
<p>The redline contains several formatting improvements as
well, like removal of double spaces and tabs that break the
conversion.</p>
<p>Here are my notes from the conversion:</p>
<p><br>
</p>
<p>- CSBR section 3.2.2.2 points to EV Guidelines <br>
- Section 10.1.2 for specific roles (done)<br>
- Section 11.2 for Legal Existence and Identity (done)<br>
- Section 11.3 for Assumed Name (done)<br>
- Section 11.4 for Physical Existence (done)<br>
- Section 11.5 for Method of Communication (done)<br>
- Section 11.6 for Operational Existence (done)<br>
- Section 11.8 for Name, Title and Authority of Contract
Signer and Certificate Approver (done)<br>
- Section 11.9 for Signature on Subscriber Agreement and
EV CS Certificate Requests (done)<br>
- Section 11.10 for Approval of EV CS Certificate Request
(done)<br>
- Section 11.11 for Certain Information Sources (done)<br>
- Section 11.12.3 for Parent/Subsidiary/Affiliate
Relationship (done)<br>
- CSBR section 4.1.1 points to EV Guidelines section 11.12.2
for "suspicious" certificate requests (done new section
3.2.8)<br>
- CSBR section 4.2.1 points to EV Guidelines <br>
- section 11.13 for the "due diligence" verification
(done new section 3.2.9)<br>
- section 11.14 for the usage periods of documents, data
and previous validations performed per section 3.2. (done
with new section 4.2.1.1)<br>
- CSBR section 5.2.4 points to EV Guidelines section 11.13
for the Final Cross-Correlation and Due Diligence steps
(done by pointing to the new section 3.2.9)<br>
- CSBR section 5.3.3 points to EV Guidelines in general for
the Validation Specialist training and internal examination
(done)<br>
- CSBR section 7.1.4.2.4 points to EV Guidelines sections
9.2.1 (done), 9.2.3 (done), 9.2.4 (done, section 11.1.3
disclosure of verification sources migrated to 3.2.10),
9.2.5 (done), 9.2.6 (done), 9.2.8 (done updated reference to
9.2.4 to 7.1.4.2.4 (c)) for subject information<br>
- CSBR section 9.2.1 points to EV Guidelines section 8.4 for
insurance coverage (done)</p>
<p><br>
</p>
<p>9.8.2 --> Do not import<br>
11.11.1 --> 3.2.2.2.10.1<br>
11.11.4 --> 3.2.2.2.12<br>
11.13 --> 3.2.9<br>
14.1.1, 14.1.2 --> 5.3 (Training and background checks)<br>
14.1.3 --> 5.2.4 (separation of duties)<br>
14.2 --> 1.3.2.1 (new section)<br>
</p>
We still need to do a thorough check for the import of the
proper definitions and acronyms and remove the ones that are
not use in the CSBRs with the first letter capitalized.<br>
<br>
I have not completed a full mapping of the import of the EVGs
into the CSBRs but that's my next target. Please note that
some destination sections are different from what Inigo has
decided for the <a
href="https://github.com/cabforum/servercert/compare/90a98dc7c1131eaab01af411968aa7330d315b9b...238ff99fbe04f2aa24f2c58910d8133f2283f11e"
moz-do-not-send="true">conversion of the EVGs into the RFC
3647 format</a>. We can compare notes with Inigo after we
get some initial feedback by Members.<br>
<br>
<br>
Best regards,<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 2/10/2023 11:56 μ.μ., Dimitris
Zacharopoulos (HARICA) wrote:<br>
</div>
<blockquote type="cite"
cite="mid:ffbe878c-2e05-4f2b-b6ee-04c89589be2d@harica.gr">
<meta http-equiv="content-type"
content="text/html; charset=UTF-8">
<br>
Dear Members,<br>
<br>
At a previous Teleconference I volunteered to search the
CSBRs and find references to the EV Guidelines that could be
discussed at the upcoming F2F. We can then decide if we want
to import all or some of them to the CSBRs.<br>
<p style="page-break-inside: avoid;">The EV Guidelines that
is -supposed to be- referenced is version 1.7.1.</p>
<ul style="page-break-inside: avoid;">
<li style="page-break-inside: avoid;">CSBR section 3.2.2.2
points to EV Guideline:
<ul style="page-break-inside: avoid;">
<li style="page-break-inside: avoid;">Section 10.1.2
for specific roles</li>
<li style="page-break-inside: avoid;">Section 11.2 for
Legal Existence and Identity</li>
<li style="page-break-inside: avoid;">Section 11.3 for
Assumed Name</li>
<li style="page-break-inside: avoid;">Section 11.4 for
Physical Existence</li>
<li style="page-break-inside: avoid;">Section 11.5 for
Method of Communication</li>
<li style="page-break-inside: avoid;">Section 11.6 for
Operational Existence</li>
<li style="page-break-inside: avoid;">Section 11.8 for
Name, Title and Authority of Contract Signer and
Certificate Approver</li>
<li style="page-break-inside: avoid;">Section 11.9 for
Signature on Subscriber Agreement and EV CS
Certificate Requests</li>
<li style="page-break-inside: avoid;">Section 11.10
for Approval of EV CS Certificate Request</li>
<li style="page-break-inside: avoid;">Section 11.11
for Certain Information Sources</li>
<li style="page-break-inside: avoid;">Section 11.12.3
for Parent/Subsidiary/Affiliate Relationship</li>
</ul>
</li>
<li style="page-break-inside: avoid;">CSBR section 4.1.1
points to EV Guidelines section 11.12.2 for "suspicious"
certificate requests</li>
<li style="page-break-inside: avoid;">CSBR section 4.2.1
points to EV Guidelines:
<ul style="page-break-inside: avoid;">
<li style="page-break-inside: avoid;">section 11.13
for the "due diligence" verification</li>
<li style="page-break-inside: avoid;">section 11.14
for the usage periods of documents, data and
previous validations performed per section 3.2</li>
</ul>
</li>
<li style="page-break-inside: avoid;">CSBR section 5.2.4
points to EV Guidelines section 11.13 for the Final
Cross-Correlation and Due Diligence steps</li>
<li style="page-break-inside: avoid;">CSBR section 5.3.3
points to EV Guidelines in general for the Validation
Specialist training and internal examination</li>
<li style="page-break-inside: avoid;">CSBR section
7.1.4.2.4 points to EV Guidelines sections 9.2.1, 9.2.3,
9.2.4, 9.2.5, 9.2.6 for subject information</li>
<li style="page-break-inside: avoid;">CSBR section 9.2.1
points to EV Guidelines section 8.4 for insurance
coverage</li>
</ul>
<p>During this process, I also noticed that we have a
capitalized term "EV Process" without a corresponding
definition. I will add an issue on GitHub for the next
cleanup ballot.</p>
<p>I would appreciate a second review in case I missed
something.</p>
<p><br>
</p>
<p>Thank you,<br>
</p>
<p>Dimitris.<br>
</p>
</blockquote>
<br>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Cscwg-public mailing list
<a class="moz-txt-link-abbreviated moz-txt-link-freetext"
href="mailto:Cscwg-public@cabforum.org" moz-do-not-send="true">Cscwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext"
href="https://lists.cabforum.org/mailman/listinfo/cscwg-public"
moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a>
</pre>
</blockquote>
<br>
</blockquote>
<br>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Cscwg-public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/cscwg-public">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a>
</pre>
</blockquote>
<br>
</body>
</html>