<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 13/6/2024 3:56 μ.μ., Adriano Santoni
via Cscwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100019011ab740e-b8ddc64b-48ce-4967-9a21-53ea5b58f8c3-000000@email.amazonses.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<p><font face="Calibri">Dimitris,</font></p>
<p><font face="Calibri">we are not against this ballot, per se,
but I wonder what is the point of regulating EV code signing
certificates considering that "Starting February 2024,
Microsoft will no longer accept or recognize EV Code Signing
Certificates" [1] and there are no platforms other than
Windows that treat EV code signing certificates differently
than plain (non-EV) code signing certificates, at least as far
as I know (I could be wrong).<br>
</font></p>
<p><font face="Calibri">Adriano<br>
</font></p>
<p><font face="Calibri">[1]
<a class="moz-txt-link-freetext"
href="https://learn.microsoft.com/en-us/security/trusted-root/program-requirements"
moz-do-not-send="true">https://learn.microsoft.com/en-us/security/trusted-root/program-requirements</a><br>
</font></p>
</blockquote>
<br>
Hi Adriano,<br>
<br>
This ballot merely tries to simplify the current requirements for
CAs and auditors so that they don't need to look a two different
locations for the actual requirements. The ballot also helps
identifying the exact applicable requirements instead of the
ambiguous current wording which points to EV Guidelines unless there
is more specific language in the CBRs.<br>
<br>
Microsoft still needs to describe a clear plan for deciding which
future form of identity validation is preferred over the current
options, and this will probably be done in a future ballot.<br>
<br>
BTW, Microsoft has clarified in F2F#61 that they will not have a
separate "trust-bit" for "EV Code Signing". That doesn't mean they
will discard an EV Code Signing Certificate if they see one :-) <br>
<br>
<br>
Hope this helps.<br>
Dimitris.<br>
<br>
<br>
<blockquote type="cite"
cite="mid:0100019011ab740e-b8ddc64b-48ce-4967-9a21-53ea5b58f8c3-000000@email.amazonses.com">
<p><font face="Calibri"> </font></p>
<p><font face="Calibri"><br>
</font></p>
<div class="moz-cite-prefix">Il 12/06/2024 09:09, Dimitris
Zacharopoulos (HARICA) via Cscwg-public ha scritto:<br>
</div>
<blockquote type="cite"
cite="mid:010001900b48090a-44470727-22cc-4fbc-a44e-c7eab85c5cd8-000000@email.amazonses.com">
<meta http-equiv="Content-Type"
content="text/html; charset=UTF-8">
<title></title>
<div align="center">
<table width="30%" cellspacing="2" cellpadding="2" border="1">
<tbody>
<tr>
<td valign="top" bgcolor="#ffff00"> <span
style="color: red;">NOTICE:</span> Pay attention -
external email - Sender is
<a
class="moz-txt-link-abbreviated moz-txt-link-freetext"
href="mailto:010001900b48090a-44470727-22cc-4fbc-a44e-c7eab85c5cd8-000000@amazonses.com"
moz-do-not-send="true">010001900b48090a-44470727-22cc-4fbc-a44e-c7eab85c5cd8-000000@amazonses.com</a>
</td>
</tr>
</tbody>
</table>
<br>
</div>
<br>
Members can also review the INFORMATIVE attached documents,
which are produced by the automated markdown to PDF/DOCX
conversion process, implemented by the Infrastructure
Subcommittee. <br>
<br>
Dimitris. <br>
<br>
<div class="moz-cite-prefix">On 12/6/2024 10:04 π.μ., Dimitris
Zacharopoulos (HARICA) via Cscwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:010001900b439bb6-a47dbb86-7ddc-4a2c-b8db-dd3623782dcf-000000@email.amazonses.com">
<meta http-equiv="content-type"
content="text/html; charset=UTF-8">
<h1 class="break-text" id="bkmrk-page-title">CSC-25 Import EV
Guidelines into the Code Signing Baseline Requirements</h1>
<h2 id="bkmrk-summary"><strong>Purpose of the Ballot</strong></h2>
<p id="bkmrk-this-ballot-updates-" class="MsoNormal">This
ballot updates the “Baseline Requirements for the Issuance
and Management of Publicly‐Trusted Code Signing
Certificates“ version 3.7 in order to clarify language
regarding Timestamp Authority Private Key Protection. The
main goals of this ballot are to:</p>
<ol id="bkmrk-remove-dependencies-" type="1" start="1">
<li class="null"
style="mso-list: l0 level1 lfo1; tab-stops: list .5in;">Import
all CSBR references that point to the EV Guidelines with
the actual language of corresponding sections of version
1.8.0 of the EV Guidelines, in order to remove external
dependencies.</li>
<li class="null"
style="mso-list: l0 level1 lfo1; tab-stops: list .5in;">The
Code Signing Working Group decided not to import rules
related to the subject:organizationIdentifier field.</li>
</ol>
<p id="bkmrk-the-following-motion" class="MsoNormal">The
following motion has been proposed by Dimitris Zacharopoulos
of HARICA and endorsed by Martijn Katerbarg of Sectigo and
Corey Bonnell of Digicert.</p>
<p class="MsoNormal" id="bkmrk-you-can-view-the-git">You can
view the github pull request representing this ballot <a
href="https://github.com/cabforum/code-signing/pull/38"
moz-do-not-send="true">here</a>.<br>
</p>
<h2 id="bkmrk-motion-begins">Motion Begins</h2>
<p id="bkmrk-modify-the-%22baseline">MODIFY the “Baseline
Requirements for the Issuance and Management of
Publicly‐Trusted Code Signing Certificates” ("Code Signing
Baseline Requirements") based on version 3.7 as specified in
the following redline:<br>
</p>
<ul id="bkmrk-https%3A%2F%2Fgithub.com%2Fc">
<li class="null"><a
href="https://github.com/cabforum/code-signing/compare/d431d9104094f2b89f35ed4bf1d64b9a844e762b...d5af6d895b3666b5351509ad25d47ac5e87321fc"
class="moz-txt-link-freetext" moz-do-not-send="true">https://github.com/cabforum/code-signing/compare/d431d9104094f2b89f35ed4bf1d64b9a844e762b...d5af6d895b3666b5351509ad25d47ac5e87321fc</a></li>
</ul>
<h2 id="bkmrk-motion-ends">Motion Ends</h2>
<p id="bkmrk-this-ballot-proposes">This ballot proposes a
Final Maintenance Guideline. The procedure for approval of
this ballot is as follows:</p>
<h4 id="bkmrk-discussion-%2811%2B-days">Discussion (at least 7
days)</h4>
<ul id="bkmrk-start-time%3A-2024-01-">
<li class="null">Start time: 2024-06-12 07:00:00 UTC</li>
<li class="null">End time: on or after 2024-06-19 07:00:00
UTC</li>
</ul>
<h4 id="bkmrk-vote-for-approval-%287">Vote for approval (7
days)</h4>
<ul id="bkmrk-start-time%3A-tbd-end-">
<li class="null">Start time: TBD</li>
<li class="null">End time: TBD</li>
</ul>
<br>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Cscwg-public mailing list
<a class="moz-txt-link-abbreviated moz-txt-link-freetext"
href="mailto:Cscwg-public@cabforum.org" moz-do-not-send="true">Cscwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext"
href="https://lists.cabforum.org/mailman/listinfo/cscwg-public"
moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a>
</pre>
</blockquote>
<br>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Cscwg-public mailing list
<a class="moz-txt-link-abbreviated moz-txt-link-freetext"
href="mailto:Cscwg-public@cabforum.org" moz-do-not-send="true">Cscwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext"
href="https://lists.cabforum.org/mailman/listinfo/cscwg-public"
moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a>
</pre>
</blockquote>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Cscwg-public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/cscwg-public">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a>
</pre>
</blockquote>
<br>
</body>
</html>