[Cscwg-public] [EXTERNAL]Re: Ballot CSC-7: Update to merge EV and Non-EV clauses

Bruce Morton Bruce.Morton at entrust.com
Thu Dec 17 21:48:22 UTC 2020


Attached is the draft update for ballot CSC-7. This update addresses Dimitris’ comments and proposes an effectivity date of 1 July 2021, which will allow CAs to implement the changes.

Dimitris has said that he would endorse the ballot, so I am just looking for one more endorsement. If I get the endorsement soon, I would plan to propose the formal ballot for discussion the week of 4 January 2021.

All the best, Bruce.

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Bruce Morton via Cscwg-public
Sent: Thursday, December 17, 2020 9:47 AM
To: Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>; cscwg-public at cabforum.org
Subject: Re: [Cscwg-public] [EXTERNAL]Re: Ballot CSC-7: Update to merge EV and Non-EV clauses

Hi Dimitris,

Thanks for your comments. I agree with all of them.

To make it easier for all changes, perhaps we should just add an effectivity date to the ballot. We could make it 1 July 2020, which will give all CAs time to make any changes. We can discuss the date on the call or just add a number of months from ballot approval. This should cover your comments to sections 14.1 and 16.2.

For 11.8, yes this was a typo.
For 17.5, I will make some changes that will state:

  *   self-audits against a randomly selected sample of at least three percent of the Non-EV Code Signing Certificates and at least three percent of the EV Code Signing Certificates it has issued in the period beginning immediately after the last sample was taken.
  *   self-audits against a randomly selected sample of at least six percent of the Non-EV Code Signing Certificates and at least six percent of the EV Code Signing Certificates it has issued in the period beginning immediately after the last sample was taken.


Thanks, Bruce.

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Dimitris Zacharopoulos (HARICA) via Cscwg-public
Sent: Wednesday, December 16, 2020 1:55 AM
To: cscwg-public at cabforum.org
Subject: [EXTERNAL]Re: [Cscwg-public] Ballot CSC-7: Update to merge EV and Non-EV clauses


In section 11.8 we point to section 11.12 of the EV Guidelines. Perhaps this is a typo and we intend to point to 11.13 "Final Cross-Correlation and Due Diligence".

The change in 14.1 might probably require an effective date for CAs issuing non-EV Code Signing Certificates. That's because if they hadn't vetted their staff with the provisions of 14.1 of the EV Guidelines, they will probably need to re-vet them. If we intend this to be a "going forward" requirement, perhaps we can update this section to state that until date X, the older provisions applied and after date X the new provisions apply.

The same applies for 16.2. It is possible that CAs operating a Signing Service for non-EV Certificates were not using FIPS 140-2 level 2 crypto modules and will be non-compliant as soon as this ballot becomes effective.

I'd also like a clarification on section 17.5.

"a randomly selected sample of at least three percent of both the Non-EV and the EV Code Signing Certificates"

On first read, I wasn't sure if this means that CAs must calculate a 3% for all Non-EV Certificates issued and another 3% for EV Certificates, or a 3% of a population which includes Non-EV and EV Certificates.

I think this language needs to be updated to make it unambiguously clear that we intend for the former. Similarly for the 6%.

Hoping that the above can be addressed, I'd be happy to endorse the ballot :-)


Dimitris.
On 6/11/2020 10:34 PM, Bruce Morton via Cscwg-public wrote:
Purpose of Ballot CSC-7:

The CSC-2 merger of the Code Signing BRs and the EV Code Signing Guidelines was done without technical changes. The result is that we have some sections where there is different text for Non-EV and EV Code Signing certificates. In many cases there was no reason to have two different requirements. In other cases, it made sense that they both have the same requirement. There were of course some items where EV is different and these clauses were not touched for now. These items were all discussed in our bi-weekly meetings.

Other minor changes were the adding in a table for document revision and history and another table for effective dates within the BRs. There were also some errors corrected from the merger.

The proposed changes are redlined in the attached document. I am looking for two endorsers.

Thanks, Bruce.

Attachment:
Name: Baseline Requirements for the Issuance and Management of Code Signing - CSC-7 v3.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 129263 bytes
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20201217/bca32923/attachment-0001.docx>