[Cscwg-public] [EXTERNAL]Re: Ballot CSC-7: Update to merge EV and Non-EV clauses

Bruce Morton Bruce.Morton at entrust.com
Thu Jan 7 20:28:03 UTC 2021


Hi Dimitris,

Can you please propose a text change to help fix the issue?

Thanks, Bruce.

From: Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
Sent: Thursday, January 7, 2021 2:33 AM
To: Bruce Morton <Bruce.Morton at entrust.com>; cscwg-public at cabforum.org
Subject: [EXTERNAL]Re: [Cscwg-public] Ballot CSC-7: Update to merge EV and Non-EV clauses


Bruce,

Some of my concerns raised on 2020-12-16 are still unaddressed.

14.1 still seems to be a bit ambiguous. It points directly to the EV Guidelines section 14.1 but does it also apply to Employees that vet non-EV Code Signing? The answer seems to be "yes" which makes non-EV CS issuers non-conformant as soon as this becomes effective.

The same applies for 16.2. We need an effective date for non-EV issuers to migrate to the stronger EV requirements.

I would be fine with any effective date. 2021-06-01 seems to be an effective date for some changes regarding the key sizes so CAs already have their attention on this deadline. I suggest we have those two requirements phased-in for non-EV code signing certificate issuers.


Dimitris.

On 4/1/2021 4:52 PM, Bruce Morton via Cscwg-public wrote:
Ballot CSC-7: Update to merge EV and Non-EV clauses

Purpose of the Ballot:

The CSC-2 merger of the Code Signing BRs and the EV Code Signing Guidelines was done without technical changes. The result is that we have some sections where there is different text for Non-EV and EV Code Signing certificates. In many cases there was no reason to have two different requirements. In other cases, it made sense that they both have the same requirement. There were of course some items where EV is different and these clauses were not touched for now. These items were all discussed in our bi-weekly meetings. Other minor changes were the addition of a table for document revision and history and another table for effective dates within the BRs. There were also some errors corrected from the merger.

The following motion has been proposed by Bruce Morton of Entrust, and endorsed by Dimitris Zacharopoulos of HARICA and Dean Coclin of DigiCert.

--- MOTION BEGINS ---

This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates” version 2.1 according to the attached redline.

--- MOTION ENDS ---

The procedure for approval of this ballot is as follows:

Discussion (7+ days)
Start Time: 2021-01-04, 10:00 am Eastern Time (US)
End Time: not before 2021-01-11, 10:00 am Eastern Time (US)

Vote for approval (7 days)
Start Time: TBD
End Time: TBD



