[Cscwg-public] Ballot CSC-7: Update to merge EV and Non-EV clauses

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Wed Dec 16 06:54:03 UTC 2020


In section 11.8 we point to section 11.12 of the EV Guidelines. Perhaps 
this is a typo and we intend to point to 11.13 "Final Cross-Correlation 
and Due Diligence".

The change in 14.1 might probably require an effective date for CAs 
issuing *non-EV* Code Signing Certificates. That's because if they 
hadn't vetted their staff with the provisions of 14.1 of the EV 
Guidelines, they will probably need to re-vet them. If we intend this to 
be a "going forward" requirement, perhaps we can update this section to 
state that until date X, the older provisions applied and after date X 
the new provisions apply.

The same applies to 16.2. It is possible that CAs operating a Signing 
Service for non-EV Certificates were not using FIPS 140-2 level 2 
crypto modules and will be non-compliant as soon as this ballot becomes 
effective.

I'd also like a clarification on section 17.5.

"a randomly selected sample of at least three percent of *both* the 
*Non-EV and the* EV Code Signing Certificates"

On first read, I wasn't sure if this means that CAs must calculate a 3% 
for all Non-EV Certificates issued and another 3% for EV Certificates, 
or a 3% of a population which includes Non-EV and EV Certificates.

I think this language needs to be updated to make it unambiguously clear 
that we intend for the former. Similarly for the 6%.

Hoping that the above can be addressed, I'd be happy to endorse the 
ballot :-)


Dimitris.

On 6/11/2020 10:34 PM, Bruce Morton via Cscwg-public wrote:
>
> Purpose of Ballot CSC-7:
>
> The CSC-2 merger of the Code Signing BRs and the EV Code Signing 
> Guidelines was done without technical changes. The result is that we 
> have some sections where there is different text for Non-EV and EV 
> Code Signing certificates. In many cases there was no reason to have 
> two different requirements. In other cases, it made sense that they 
> both have the same requirement. There were of course some items where 
> EV is different and these clauses were not touched for now. These 
> items were all discussed in our bi-weekly meetings.
>
> Other minor changes were the adding in a table for document revision 
> and history and another table for effective dates within the BRs. 
> There were also some errors corrected from the merger.
>
> The proposed changes are redlined in the attached document. I am 
> looking for two endorsers.
>
> Thanks, Bruce.
>
>
> _______________________________________________
> Cscwg-public mailing list
> Cscwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/cscwg-public
