<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
@font-face
{font-family:"Times New Roman \, serif";}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
color:black;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Segoe UI","sans-serif";
color:#993366;}
span.EmailStyle24
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle25
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle26
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">I think I found a typo in the latest draft.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Section 9.2.1, item 4: I believe the second instance of “Unicode 2D” should be “Unicode 20”, which is the correct code for space.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">-Tim<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org]
<b>On Behalf Of </b>Dean Coclin<br>
<b>Sent:</b> Thursday, August 13, 2015 11:46 AM<br>
<b>To:</b> Rich Smith<br>
<b>Cc:</b> codesigning@cabforum.org; 'CABFPub'<br>
<b>Subject:</b> Re: [cabfpub] [cabfc_s] Code Signing Baseline Requirements<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Rich,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">We’ll be discussing another proposed update on today’s call which is at noon EST if you want to join.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Dean<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> Rich Smith [<a href="mailto:richard.smith@comodo.com">mailto:richard.smith@comodo.com</a>]
<br>
<b>Sent:</b> Thursday, August 13, 2015 9:24 AM<br>
<b>To:</b> Dean Coclin<br>
<b>Cc:</b> Jody Cloutier; Ben Wilson; 'CABFPub'; <a href="mailto:codesigning@cabforum.org">
codesigning@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] [cabfc_s] Code Signing Baseline Requirements<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">OK, thanks Dean. It seemed like it had been further back than February, and I was concerned that perhaps the document had undergone significant changes since the public review. That seems not to be the case,
so I'm fine with moving forward.<br>
-Rich<o:p></o:p></p>
<div>
<p class="MsoNormal">On 8/12/2015 5:10 PM, Dean Coclin wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:#1F497D">Hi Rich,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Yes, we did put out a version for public comment in February. We took those comments back along with others that surfaced during the re-review process and have come out with this document. So technically this
is not another review period. Having said that, we never say no to any comments which the group feels need to be addressed.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Dean</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Jody Cloutier [<a href="mailto:jodycl@microsoft.com">mailto:jodycl@microsoft.com</a>]
<br>
<b>Sent:</b> Wednesday, August 12, 2015 12:00 PM<br>
<b>To:</b> Ben Wilson; <a href="mailto:richard.smith@comodo.com">richard.smith@comodo.com</a>; Dean Coclin; 'CABFPub'<br>
<b>Cc:</b> <a href="mailto:codesigning@cabforum.org">codesigning@cabforum.org</a><br>
<b>Subject:</b> RE: [cabfpub] [cabfc_s] Code Signing Baseline Requirements</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">What is the purpose of the additional review period? Are we accepting modifications during this timeframe?
<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Ben Wilson<br>
<b>Sent:</b> Wednesday, August 12, 2015 8:58 AM<br>
<b>To:</b> <a href="mailto:richard.smith@comodo.com">richard.smith@comodo.com</a>; 'Dean Coclin' <<a href="mailto:Dean_Coclin@symantec.com">Dean_Coclin@symantec.com</a>>; 'CABFPub' <<a href="mailto:public@cabforum.org">public@cabforum.org</a>><br>
<b>Cc:</b> <a href="mailto:codesigning@cabforum.org">codesigning@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] [cabfc_s] Code Signing Baseline Requirements<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">I think we’ve already done that, unless you’re suggesting that we go out for another 30-day review period. It would be good to map out proposed dates when everything is supposed to occur.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> <a href="mailto:codesigning-bounces@cabforum.org">
codesigning-bounces@cabforum.org</a> [<a href="mailto:codesigning-bounces@cabforum.org">mailto:codesigning-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Rich Smith<br>
<b>Sent:</b> Wednesday, August 12, 2015 9:48 AM<br>
<b>To:</b> 'Dean Coclin' <<a href="mailto:Dean_Coclin@symantec.com">Dean_Coclin@symantec.com</a>>; 'CABFPub' <<a href="mailto:public@cabforum.org">public@cabforum.org</a>><br>
<b>Cc:</b> <a href="mailto:codesigning@cabforum.org">codesigning@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfc_s] [cabfpub] Code Signing Baseline Requirements<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Dean said:</span><o:p></o:p></p>
<p class="MsoNormal">The Working Group would like to have the Forum approve these Baseline Requirements by ballot which will be put forth at the next teleconference. Discussion will start at that time, followed by a formal vote.<o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Dean, as this is an entirely new full set of guidelines, this seems fast for a ballot and vote. With the BRs as I recall, we circulated to the public and had, I believe, a 30 day public comment period, after
which time it was brought back in house to address any issues before being then proposed for final ballot review and approval. Shouldn't we do the same here?</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">-Rich</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Dean Coclin<br>
<b>Sent:</b> Tuesday, August 11, 2015 4:31 PM<br>
<b>To:</b> CABFPub<br>
<b>Cc:</b> <a href="mailto:codesigning@cabforum.org">codesigning@cabforum.org</a><br>
<b>Subject:</b> [cabfpub] Code Signing Baseline Requirements</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">The Code Signing Working Group of the CA/Browser Forum is pleased to announce the release of the final version of the Code Signing Baseline Requirements. The Working Group has been meeting over the last 2 years to develop and bring this
topic to the Forum for approval. <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">The Working Group would like to have the Forum approve these Baseline Requirements by ballot which will be put forth at the next teleconference. Discussion will start at that time, followed by a formal vote.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">This Working Group was chartered by the Forum at the Mozilla face to face meeting in February 2013 and has brought together forum members and outside participants to craft a document which we believe will help improve the security of the
ecosystem. Forum members in the working group include: Comodo, Digicert, Entrust, ETSI, Federal PKI, Firmaprofessional, Globalsign, Izenpe, Microsoft, Starcom, SwissSign, Symantec, Trend Micro, WoSign as well as non-members: Cacert, Intarsys, OTA, Richter,
and Travelport.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">The stated goal of the group was to: “Create a set of baseline requirements for code signing that will reduce the incidence of signed malware”. We strived to work on 3 sub goals, which are by no means 100% solved. However we feel that the
document reflects progress towards these goals which were:<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in">1.<span style="font-size:7.0pt;font-family:"Times New Roman \, serif"">
</span>Minimize private key theft by moving toward more secure key storage (protection of private keys)<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in">2.<span style="font-size:7.0pt;font-family:"Times New Roman \, serif"">
</span>Baseline authentication and vetting procedures for all parties<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in">3.<span style="font-size:7.0pt;font-family:"Times New Roman \, serif"">
</span>Information sharing (notification/revocation) for fraud detection. This piece was moved to the Information Sharing Working Group<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">We ask all members to review the document and provide feedback for discussion to the forum. The guidelines would go into effect one year after forum approval.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal"><br>
Dean Coclin and Jeremy Rowley<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">on behalf of the<o:p></o:p></p>
<p class="MsoNormal">Code Signing Working Group<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
</div>
<br>
<hr>
<font face="Arial" color="Gray" size="1"><br>
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information
contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.<br>
</font>
</body>
</html>