<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Right – that’s because we haven’t updated the EVCS to reflect the CS discussions. That would happen after passing the CS BRs.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org]
<b>On Behalf Of </b>Ryan Sleevi<br>
<b>Sent:</b> Tuesday, March 10, 2015 11:13 PM<br>
<b>To:</b> CABFPub<br>
<b>Subject:</b> Re: [cabfpub] Code Signing Baseline Requirements - Final Draft for public exposure<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Reposting with permission<o:p></o:p></p>
<div>
<p class="MsoNormal">On Mar 10, 2015 9:35 PM, "Peter Bowen" <<a href="mailto:pzbowen@gmail.com">pzbowen@gmail.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal">On Thu, Feb 5, 2015 at 9:11 AM, Dean Coclin <<a href="mailto:Dean_Coclin@symantec.com">Dean_Coclin@symantec.com</a>> wrote:<br>
> The Code Signing Working Group of the CA/Browser Forum announces the final<br>
> draft of the Code Signing Baseline Requirements. This version takes into<br>
> account comments received in the first round of public review as well as<br>
> comments from WebTrust auditors. Additional changes/corrections were<br>
> incorporated by the working group over the past 3 months.<br>
><br>
> This version is being sent out to the public mailing list and will be posted<br>
> on the CA/B Forum website for final comments until March 6th, 2015.<br>
<br>
Apologies for not reading these in detail until four days after the deadline.<br>
<br>
I am concerned that it seems that EV Code Signing certificates are not<br>
a super set of standard (Baseline) Code Signing certificates.<br>
Specifically, EVCS section 9.2.2 forbids subject alternative names in<br>
EVCS certificates while the BRCS section 9.2.1 requires a SAN.<br>
Similarly, EVCS 9.2.3 indicates common name is deprecated but BRCS<br>
9.2.2 makes it mandatory.<br>
<br>
My expectation is that EV certificates always meet the requirements of<br>
the non-EV certificate such that systems that don't differentiate<br>
between EV and non-EV certificates can use EV certificates as standard<br>
certificates.<br>
<br>
Thanks,<br>
Peter<o:p></o:p></p>
</blockquote>
</div>
</div>
</body>
</html>