[Cscwg-public] Interesting divergence between EV and EV CS Guidelines

Christopher Kemmerer chris at ssl.com
Mon Feb 17 10:32:06 MST 2020


Hello all,

I found some minor issues in the design and references of the Extended 
Validation for Code Signing Guidelines (EVCS GL) [1] (mainly when 
referring to corresponding section of the Extended Validation Guidelines 
(EV GL) [2]) and am posting my findings here for discussion.

The TL;DR is that 1) no subsection for "Verified Method of 
Communication" exists in the EVCS GL, 2) some references in the EVCS GL 
are to incorrect sections of the EV GL, and 3) some references to other 
policies diverge between the EVCS GL and EV GL.

(There's also a slight formatting issue in the EVCS GL Table of Contents 
for Section 12, but that's to one side.)

Originally I stumbled across issues in Section 11, then went ahead and 
reviewed the entire EVCS GL, and have found and documented the 
following. (Note that I am not considering the severity or practical 
impact of these issues, just reporting what I've found.)

[1] https://cabforum.org/wp-content/uploads/EV-Code-Signing-v.1.4.pdf
[2] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-EV-Guidelines-v1.7.1.pdf


---------------------------------------

8 EV Code Signing Policies

- 8.2.1 Implementation, item (B)(ii): some divergence in allowable ETSI 
audits (EVCS GL lists "ETSI TS 102 042 v2.1.1 audit", EV GL shows "ETSI 
TS 102 042 audit for EVCP" and "ETSI EN 319 411-1 audit for EVCP policy")
- 8.2.2 Disclosure: some divergence in public disclosure requirements 
(EVCS GL lists "as required by either WebTrust for CAs or ETSI TS 102 
042 V2.1.1", EV GL punts to "to the extent required by the CA's selected 
audit scheme").

---------------------------------------

9 EV Certificate Content and Profile

References are slightly off in Section 9.2:

- 9.2.4 Subject Business Category Field: SHOULD refer to EV GL 9.2.3
- 9.2.5 Subject Jurisdiction of Incorporation or Registration Field: 
SHOULD refer to EV GL 9.2.4
- 9.2.6 Subject Registration Number Field: SHOULD refer to EV GL 9.2.5
- 9.2.7 Subject Physical Address of Place of Business Field: SHOULD 
refer to EV GL 9.2.6

---------------------------------------

11 Verification Requirements

- Many of the subsections in Section 11 refer the reader to 
corresponding sections in the EV GL. Such references are okay (i.e., map 
one to one) through 11.4 but are off after 11.5.

Looks like the subsections drift thus:

- in 11.5 in EVCS GL = "Verification of Applicant’s Operational 
Existence" but refers the reader to EV GL 11.5 = "Verified Method of 
Communication";
- in EVCS GL 11.6 = "Verification of Applicant’s Domain Name" while EV 
GL 11.6 = "Verification of Applicant’s Operational Existence";
- in EVCS GL 11.7 = "Verification of Name, Title, and Authority of 
Contract Signer and Certificate Approver" but EV GL 11.7 is 
"Verification of Applicant’s Domain Name";
- ...and so forth, so starting w/11.8 each EVCS GL reference to the EV GL is 
one off (so where EVCS GL says 11.8, SHOULD refer to EV GL 11.9).

- The EVCS GL also stops at 11.13 "Requirements for Re-use of Existing 
Documentation", which maps to EV GL 11.14.

---------------------------------------

15 Data Records

- slight divergence in reference to Baseline Requirements (EVCS GL 
refers to Section 5.4.1, EV GL refers to BR 5.4)

---------------------------------------

17 Audit

- 17.1 Eligible Audit Schemes: some divergence in allowable ETSI audits 
(EVCS GL lists "ETSI TS 102 042 v2.1.1 audit", EV GL shows "ETSI TS 102 
042 audit for EVCP" and "ETSI EN 319 411-1 audit for EVCP policy")
- 17.5 Regular Self Audits: refers to Section 11.12 to cover Final 
Cross-Correlation and Due Diligence (SHOULD refer to 11.13).

---------------------------------------

csk

-- 
Chris Kemmerer
Manager of Operations
SSL.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~ To find the reefs, look~~~~~~~~
~~~~     for the wrecks.    ~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
