<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">ANF AC votes yes.<br>
<div class="moz-signature">
<p><img src="cid:part1.02040703.00020809@anf.es" alt="ANF
Autoridad de Certificación"></p>
<b>Enric Castillo</b><br>
Director Técnico<br>
+34 626818285<br>
+593 0 987684866<br>
ANF Autoridad de Certificación<br>
<a style="color: #007fa9;" href="https://www.anf.es">www.anf.es</a><br>
<br>
<b>Aviso</b>
<p style="font-size: x-small;">Este mensaje se dirige
exclusivamente a su destinatario y puede contener información
privilegiada o confidencial y/o datos de carácter personal,
cuya difusión está regulada por la Ley Orgánica de Protección
de Datos y la Ley de Servicios de la Sociedad de la
Información. Si usted no es el destinatario indicado (o el
responsable de la entrega al mismo), no debe copiar o entregar
este mensaje a terceros bajo ningún concepto. Si ha recibido
este mensaje por
error o lo ha conseguido por otros medios, le rogamos que nos
lo comunique inmediatamente por esta misma vía y proceda a su
eliminación irreversible. Las opiniones,
conclusiones y demás informaciones incluidas en este mensaje
que no estén relacionadas con asuntos profesionales de ANF
Autoridad de Certificación no están respaldadas por la
empresa.
</p>
</div>
El 02/09/2014 18:30, Ben Wilson escribió:<br>
</div>
<blockquote
cite="mid:f553e8e68ff44c3289758fc8a4c81cf8@EX2.corp.digicert.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
p.line867, li.line867, div.line867
{mso-style-name:line867;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.line874, li.line874, div.line874
{mso-style-name:line874;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.line862, li.line862, div.line862
{mso-style-name:line862;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.u
{mso-style-name:u;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="line867"><strong>Ballot 132 - EV Code Signing
Timestamp Validity Period</strong> <o:p></o:p></p>
<p class="line867"><strong>Rationale for Ballot 132</strong> <o:p></o:p></p>
<p class="line874">1. Ideally, TSA services should be consistent
across the multiple services that rely on them (Code Signing,
EV Code Signing, AATLs, etc.) <o:p></o:p></p>
<p class="line874">2. Time stamps are used not just to
time-stamp code, but other objects, such as signed financial
reports and other digital objects. <o:p></o:p></p>
<p class="line874">3 The EV Guidelines and some government
archival systems require that signatures be capable of
automatic verification for approximately ten years. <o:p></o:p></p>
<p class="line874">4. When the EV Guidelines for code signing
were developed, it was thought that a 123-month period would
provide a three-month cushion (120 months plus 3). But because
the BRs for Code Signing anticipate that a new key pair will
be cycled every 15 months, then a 15-month period should be
added to the 10-year TSA certificate validity, not just for
code signing, but for all other uses where those extra months
can add a longer period for automatic validation of the
time-stamp. This would equal 135 months (120 months plus 15).
<o:p></o:p></p>
<p class="line874">5. A longer validity period for the TSA
certificate is also justified because the requirement of a new
key pair every 15 months will reduce the risk severity due to
a key compromise. <o:p></o:p></p>
<p class="line862">6. There are additional reasons to allow a
longer period, including from Japan, the time-stamping
regulations of the METI pursuant to Article 435 of the
Japanese Companies Act, subsection 2 (Preparation and
Retention of Financial Statements, etc.), subsection 4
(financial schedules to be retained for ten years from the
time of preparation). See <a moz-do-not-send="true"
href="http://www.dekyo.or.jp/tb/english/index.html">http://www.dekyo.or.jp/tb/english/index.html</a>
<o:p></o:p></p>
<p class="line874">Steve Roylance of Globalsign made the
following motion and Ben Wilson of Digicert and Rob Stradling
of Comodo endorsed it: <o:p></o:p></p>
<p class="line874">--Motion Begins -- <o:p></o:p></p>
<p class="line874">In Sections 8.2.1 and 9.4 of the EV Code
Signing Guidelines replace "one hundred and twenty three
months" with "one hundred and thirty five months" (in three
places in each section) as follows:<o:p></o:p></p>
<p class="line874">8.2.1 Implementation <o:p></o:p></p>
<p class="line874">Each Issuer MUST develop, implement, enforce,
display prominently on its Web site, and periodically update
as necessary its own auditable EV Code Signing Object
practices, policies and procedures, such as a Certification
Practice Statement (CPS) and Certificate Policy (CP) that: <o:p></o:p></p>
<p class="line874">(A) Implement the requirements of these
Guidelines as they are revised from time-to-time; <o:p></o:p></p>
<p class="line874">(B) Implement the requirements of (i) the
then-current WebTrust Program for CAs, and (ii) the
then-current WebTrust EV Program or ETSI TS 102 042 V2.1.1;
and <o:p></o:p></p>
<p class="line874">(C) Specify the Issuer’s (and applicable Root
CA’s) entire root certificate hierarchy including all roots
that its EV Code Signing Certificates depend on for proof of
those EV Code Signing Certificates’ authenticity. With the
exception of revocation checking for time-stamped and expired
certificates, platforms are expected to validate signed code
in accordance with RFC 5280. <o:p></o:p></p>
<p class="line874">When a platform encounters a certificate that
fails to validate due to revocation, the platform should
reject the code. When a platform encounters a certificate that
fails to validate for reasons other than revocation, the
platform should treat the code as it would if it had been
unsigned. Ordinarily, a code signature created by a Subscriber
may be considered valid for a period of up to thirty-nine
months. However, a code signature may be treated as valid for
a period of up to one hundred and <u>thirty five</u> <s>twenty
three</s> months by means of one of the following methods:
the “Timestamp” method or the “Signing Authority” method. <o:p></o:p></p>
<p class="line874">(A) Timestamp Method: In this method, the
Subscriber signs the code, appends its EV Code Signing
Certificate (whose expiration time is less than thirty-nine
months in the future) and submits it to an EV Timestamp
Authority to be time-stamped. The resulting package can be
considered valid up to the expiration time of the timestamp
certificate (which may be up to one hundred and <u>thirty
five</u> <s>twenty three</s> months in the future). <o:p></o:p></p>
<p class="line874">(B) Signing Authority Method: In this method,
the Subscriber submits the code, or a digest of the code, to
an EV Signing Authority for signature. The resulting signature
is valid up to the expiration time of the Signing Authority
certificate (which may be up to one hundred and <u>thirty
five</u> <s>twenty three</s> months in the future). <o:p></o:p></p>
<p class="line874">9.4 Maximum Validity Period For EV Code
Signing Certificate<o:p></o:p></p>
<p class="line874">Code may be signed at any point in the
development or distribution process, either by a software
publisher or a user organization. Signed code may be verified
at any time, including during: download, unpacking,
installation, reinstallation, or execution, or during a
forensic investigation. Subscribers may obtain an EV Code
Signing Certificate with a validity period not exceeding
thirty-nine months. Timestamp Authorities and Signing
Authorities may obtain an EV Timestamp Certificate or EV Code
Signing Certificate (respectively) with a validity period not
exceeding one hundred and <u>thirty five</u> <s>twenty three</s>
months. The validity period for an EV Code Signing Certificate
issued to a Subscriber MUST NOT exceed thirty-nine months. The
validity period for an EV Code Signing Certificate issued to a
Signing Authority that fully complies with these Guidelines
MUST NOT exceed one hundred and <u>thirty five</u> <s>twenty
three</s> months. The validity period for an EV Timestamp
Certificate issued to a Timestamp Authority that fully
complies with these Guidelines MUST NOT exceed one hundred and
<u>thirty five </u><s>twenty three</s> months. <o:p></o:p></p>
<p class="line874">-- Motion Ends --<o:p></o:p></p>
<p class="line874">The review period for this ballot shall
commence at 2100 UTC on Tuesday, 2 September 2014, and will
close at 2100 UTC on Tuesday, 9 September 2014. Unless the
motion is withdrawn during the review period, the voting
period will start immediately thereafter and will close at
2100 UTC on Tuesday, 16 September 2014. Votes must be cast by
posting an on-list reply to this thread. <o:p></o:p></p>
<p class="line862">A vote in favor of the motion must indicate a
clear 'yes' in the response. A vote against must indicate a
clear 'no' in the response. A vote to abstain must indicate a
clear 'abstain' in the response. Unclear responses will not be
counted. The latest vote received from any representative of a
voting member before the close of the voting period will be
counted. Voting members are listed here: <a
moz-do-not-send="true" href="https://cabforum.org/members/">https://cabforum.org/members/</a>
<o:p></o:p></p>
<p class="line874">In order for the motion to be adopted, two
thirds or more of the votes cast by members in the CA category
and greater than 50% of the votes cast by members in the
browser category must be in favor. Also, at least seven
members must participate in the ballot, either by voting in
favor, voting against, or abstaining. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
</body>
</html>