<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Calibri">Actalis votes "YES"<br>
<br>
</font>
<div class="moz-cite-prefix">On 10/09/2014 09:43, Rémi Pifaut
wrote:<br>
</div>
<blockquote
cite="mid:9abc0174.00001994.00000015@remipifautnew.keynectis-sa.local"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:'Arial','sans-serif';mso-fareast-language:EN-US">OpenTrust
votes Yes.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:'Arial','sans-serif';mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:'Arial','sans-serif'">Rémi.</span><span
style="font-size:10.0pt;font-family:'Arial','sans-serif';mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;color:#1F497D" lang="EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-left:solid blue
1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> <a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Ben Wilson<br>
<b>Sent:</b> 02 September 2014 17:30<br>
<b>To:</b> <a moz-do-not-send="true"
href="mailto:public@cabforum.org">public@cabforum.org</a>
(<a moz-do-not-send="true"
href="mailto:public@cabforum.org">public@cabforum.org</a>)<br>
<b>Subject:</b> [cabfpub] Ballot 132 - EV Code
Signing Timestamp Validity Period<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="line867"><strong><span lang="EN-US">Ballot 132 -
EV Code Signing Timestamp Validity Period</span></strong><span
lang="EN-US"> <o:p></o:p></span></p>
<p class="line867"><strong><span lang="EN-US">Rationale for
Ballot 132</span></strong><span lang="EN-US"> <o:p></o:p></span></p>
<p class="line874"><span lang="EN-US">1. Ideally, TSA
services should be consistent across the multiple
services that rely on them (Code Signing, EV Code
Signing, AATLs, etc.) <o:p></o:p></span></p>
<p class="line874"><span lang="EN-US">2. Time stamps are
used not just to time-stamp code, but other objects,
such as signed financial reports and other digital
objects. <o:p></o:p></span></p>
<p class="line874"><span lang="EN-US">3. The EV Guidelines
and some government archival systems require that
signatures be capable of automatic verification for
approximately ten years. <o:p></o:p></span></p>
<p class="line874"><span lang="EN-US">4. When the EV
Guidelines for code signing were developed, it was
thought that a 123-month period would provide a
three-month cushion (120 months plus 3). But because the
BRs for Code Signing anticipate that a new key pair will
be cycled every 15 months, then a 15-month period should
be added to the 10-year TSA certificate validity, not
just for code signing, but for all other uses where
those extra months can add a longer period for automatic
validation of the time-stamp. This would equal 135
months (120 months plus 15). <o:p></o:p></span></p>
<p class="line874"><span lang="EN-US">5. A longer validity
period for the TSA certificate is also justified because
the requirement of a new key pair every 15 months will
reduce the risk severity due to a key compromise. <o:p></o:p></span></p>
<p class="line862"><span lang="EN-US">6. There are
additional reasons to allow a longer period, including
from Japan, the time-stamping regulations of the METI
pursuant to Article 435 of the Japanese Companies Act,
subsection 2 (Preparation and Retention of Financial
Statements, etc.), subsection 4 (financial schedules to
be retained for ten years from the time of preparation).
See <a moz-do-not-send="true"
href="http://www.dekyo.or.jp/tb/english/index.html">http://www.dekyo.or.jp/tb/english/index.html</a>
<o:p></o:p></span></p>
<p class="line874"><span lang="EN-US">Steve Roylance of
Globalsign made the following motion and Ben Wilson of
Digicert and Rob Stradling of Comodo endorsed it: <o:p></o:p></span></p>
<p class="line874"><span lang="EN-US">-- Motion Begins -- <o:p></o:p></span></p>
<p class="line874"><span lang="EN-US">In Sections 8.2.1 and
9.4 of the EV Code Signing Guidelines replace "one
hundred and twenty three months" with "one hundred and
thirty five months" (in three places in each section) as
follows:<o:p></o:p></span></p>
<p class="line874"><span lang="EN-US">8.2.1 Implementation <o:p></o:p></span></p>
<p class="line874"><span lang="EN-US">Each Issuer MUST
develop, implement, enforce, display prominently on its
Web site, and periodically update as necessary its own
auditable EV Code Signing Object practices, policies and
procedures, such as a Certification Practice Statement
(CPS) and Certificate Policy (CP) that: <o:p></o:p></span></p>
<p class="line874"><span lang="EN-US">(A) Implement the
requirements of these Guidelines as they are revised
from time-to-time; <o:p></o:p></span></p>
<p class="line874"><span lang="EN-US">(B) Implement the
requirements of (i) the then-current WebTrust Program
for CAs, and (ii) the then-current WebTrust EV Program
or ETSI TS 102 042 V2.1.1; and <o:p></o:p></span></p>
<p class="line874"><span lang="EN-US">(C) Specify the
Issuer’s (and applicable Root CA’s) entire root
certificate hierarchy including all roots that its EV
Code Signing Certificates depend on for proof of those
EV Code Signing Certificates’ authenticity. With the
exception of revocation checking for time-stamped and
expired certificates, platforms are expected to validate
signed code in accordance with RFC 5280. <o:p></o:p></span></p>
<p class="line874"><span lang="EN-US">When a platform
encounters a certificate that fails to validate due to
revocation, the platform should reject the code. When a
platform encounters a certificate that fails to validate
for reasons other than revocation, the platform should
treat the code as it would if it had been unsigned.
Ordinarily, a code signature created by a Subscriber may
be considered valid for a period of up to thirty-nine
months. However, a code signature may be treated as
valid for a period of up to one hundred and <u>thirty
five</u> <s>twenty three</s> months by means of one
of the following methods: the “Timestamp” method or
the “Signing Authority” method. <o:p></o:p></span></p>
<p class="line874"><span lang="EN-US">(A) Timestamp Method:
In this method, the Subscriber signs the code, appends
its EV Code Signing Certificate (whose expiration time
is less than thirty-nine months in the future) and
submits it to an EV Timestamp Authority to be
time-stamped. The resulting package can be considered
valid up to the expiration time of the timestamp
certificate (which may be up to one hundred and <u>thirty
five</u> <s>twenty three</s> months in the future). <o:p></o:p></span></p>
<p class="line874"><span lang="EN-US">(B) Signing Authority
Method: In this method, the Subscriber submits the code,
or a digest of the code, to an EV Signing Authority for
signature. The resulting signature is valid up to the
expiration time of the Signing Authority certificate
(which may be up to one hundred and <u>thirty five</u>
<s>twenty three</s> months in the future). <o:p></o:p></span></p>
<p class="line874"><span lang="EN-US">9.4 Maximum Validity
Period For EV Code Signing Certificate<o:p></o:p></span></p>
<p class="line874"><span lang="EN-US">Code may be signed at
any point in the development or distribution process,
either by a software publisher or a user organization.
Signed code may be verified at any time, including
during: download, unpacking, installation,
reinstallation, or execution, or during a forensic
investigation. Subscribers may obtain an EV Code Signing
Certificate with a validity period not exceeding
thirty-nine months. Timestamp Authorities and Signing
Authorities may obtain an EV Timestamp Certificate or EV
Code Signing Certificate (respectively) with a validity
period not exceeding one hundred and <u>thirty five</u>
<s>twenty three</s> months. The validity period for an
EV Code Signing Certificate issued to a Subscriber MUST
NOT exceed thirty-nine months. The validity period for
an EV Code Signing Certificate issued to a Signing
Authority that fully complies with these Guidelines MUST
NOT exceed one hundred and <u>thirty five</u> <s>twenty
three</s> months. The validity period for an EV
Timestamp Certificate issued to a Timestamp Authority
that fully complies with these Guidelines MUST NOT
exceed one hundred and <u>thirty five </u><s>twenty
three</s> months. <o:p></o:p></span></p>
<p class="line874"><span lang="EN-US">-- Motion Ends --<o:p></o:p></span></p>
<p class="line874"><span lang="EN-US">The review period for
this ballot shall commence at 2100 UTC on Tuesday, 2
September 2014, and will close at 2100 UTC on Tuesday, 9
September 2014. Unless the motion is withdrawn during
the review period, the voting period will start
immediately thereafter and will close at 2100 UTC on
Tuesday, 16 September 2014. Votes must be cast by
posting an on-list reply to this thread. <o:p></o:p></span></p>
<p class="line862"><span lang="EN-US">A vote in favor of the
motion must indicate a clear 'yes' in the response. A
vote against must indicate a clear 'no' in the response.
A vote to abstain must indicate a clear 'abstain' in the
response. Unclear responses will not be counted. The
latest vote received from any representative of a voting
member before the close of the voting period will be
counted. Voting members are listed here: <a
moz-do-not-send="true"
href="https://cabforum.org/members/">https://cabforum.org/members/</a>
<o:p></o:p></span></p>
<p class="line874"><span lang="EN-US">In order for the
motion to be adopted, two thirds or more of the votes
cast by members in the CA category and greater than 50%
of the votes cast by members in the browser category
must be in favor. Also, at least seven members must
participate in the ballot, either by voting in favor,
voting against, or abstaining. <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<i><span style="font-family: Serif">Adriano Santoni</span></i>
</div>
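<p>The validity rules in the quoted ballot text, as an added worked example that is not part of the thread or of any CAB Forum code: a small Python model of the 39-month Subscriber cap, the proposed 135-month cap for EV Timestamp and Signing Authority certificates, the three ways Section 8.2.1 lets a signature be treated as valid, and the platform rule that revocation means reject while any other validation failure means treat as unsigned. The <code>Cert</code> class, the function names and all dates are constructed for illustration.</p>

```python
"""Added example (not CAB Forum code) modelling the EV Code Signing rules quoted
in Ballot 132: 39-month cap on Subscriber certs, the proposed 135-month cap on EV
Timestamp / Signing Authority certs, the 8.2.1 validity methods, and the platform
rule "revoked -> reject, any other failure -> treat as unsigned". Dates are constructed."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_SUBSCRIBER_MONTHS = 39      # 9.4: Subscriber EV Code Signing Certificate
MAX_AUTHORITY_MONTHS = 135      # 9.4 as amended: Timestamp / Signing Authority cert
ORDINARY_SIGNATURE_MONTHS = 39  # 8.2.1: signature without timestamp or SA

def add_months(d: date, months: int) -> date:
    """Shift d forward by whole months, clamping the day to the target month."""
    y, m0 = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m0 + 1
    return d.replace(year=y, month=m, day=min(d.day, calendar.monthrange(y, m)[1]))

@dataclass
class Cert:
    kind: str          # "subscriber", "timestamp" or "signing-authority"
    not_before: date
    not_after: date
    revoked: bool = False

def within_cap(cert: Cert) -> bool:
    """True if the certificate lifetime respects the cap for its kind."""
    cap = MAX_SUBSCRIBER_MONTHS if cert.kind == "subscriber" else MAX_AUTHORITY_MONTHS
    return cert.not_after <= add_months(cert.not_before, cap)

def signature_valid_until(signed_on: date, subscriber: Cert,
                          authority: Optional[Cert] = None) -> date:
    """8.2.1: ordinarily up to 39 months (and never past the Subscriber cert);
    with the Timestamp or Signing Authority method, up to that authority's expiry."""
    if authority is None:
        return min(subscriber.not_after, add_months(signed_on, ORDINARY_SIGNATURE_MONTHS))
    return authority.not_after

def platform_decision(check_on: date, signed_on: date, subscriber: Cert,
                      authority: Optional[Cert] = None, chain_ok: bool = True) -> str:
    """Outcome for a verifying platform: 'reject', 'unsigned' or 'trusted'."""
    if subscriber.revoked or (authority is not None and authority.revoked):
        return "reject"      # fails to validate due to revocation -> reject the code
    if not chain_ok or not within_cap(subscriber):
        return "unsigned"    # fails for any other reason -> treat as unsigned
    if authority is not None and not within_cap(authority):
        return "unsigned"
    if check_on > signature_valid_until(signed_on, subscriber, authority):
        return "unsigned"    # the signature has aged out of its validity window
    return "trusted"
```

<p>With a timestamp certificate issued in September 2014 the same signature stays verifiable until December 2025 under the 135-month cap, whereas without a timestamp it expires with the Subscriber certificate in December 2017.</p>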
</body>
</html>