[Cscwg-public] [EXTERNAL] Re: Ballot CSC-7: Update to merge EV and Non-EV clauses

Adriano Santoni adriano.santoni at staff.aruba.it
Mon Jan 11 07:53:28 UTC 2021


Hi all,

I have a couple of doubts on the current text; I beg your pardon if 
these have been discussed before:

* Section 9.2.1 (Subject Alternative Name Extension) provides "No 
stipulation". Written that way, it implies that a code signing 
certificate with (say) a FQDN in its SAN would be okay, which perhaps is 
not intended (?).

* Section 11.8 (Due diligence) just refers to Section 11.13 of the EV 
Guidelines. It's not specified, though, if this requirement applies to 
both EV and non-EV certificates. As written, it seems to imply that it 
applies to both, which I suppose is not intended (?).

Adriano


On 11/01/2021 07:40, Dimitris Zacharopoulos (HARICA) via Cscwg-public 
wrote:
>
>
> On 8/1/2021 10:22 AM, Dimitris Zacharopoulos (HARICA) via 
> Cscwg-public wrote:
>> On 7/1/2021 10:28 PM, Bruce Morton wrote:
>>>
>>> Hi Dimitris,
>>>
>>> Can you please propose a text change to help fix the issue?
>>>
>>
>> Sure, I will try to get something on the list early next week.
>
> Attached. I also updated table 2.2 adding these two dates as new rows. 
> Please review.
>
>
> Best regards,
> Dimitris.
>
>>
>>
>> Dimitris.
>>
>>
>>> Thanks, Bruce.
>>>
>>> *From:* Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
>>> *Sent:* Thursday, January 7, 2021 2:33 AM
>>> *To:* Bruce Morton <Bruce.Morton at entrust.com>; cscwg-public at cabforum.org
>>> *Subject:* [EXTERNAL] Re: [Cscwg-public] Ballot CSC-7: Update to 
>>> merge EV and Non-EV clauses
>>>
>>>
>>>
>>> Bruce,
>>>
>>> Some of my concerns raised on 2020-12-16 are still unaddressed.
>>>
>>> 14.1 still seems to be a bit ambiguous. It points directly to the EV 
>>> Guidelines section 14.1 but does it also apply for Employees that 
>>> vet non-EV Code Signing? The answer seems to be "yes" which makes 
>>> non-EV CS issuers non-conformant as soon as this becomes effective.
>>>
>>> The same applies for 16.2. We need an effective date for non-EV 
>>> issuers to migrate to the stronger EV requirements.
>>>
>>> I would be fine with any effective date. 2021-06-01 seems to be an 
>>> effective date for some changes regarding the key sizes so CAs 
>>> already have their attention on this deadline. I suggest we have 
>>> those two requirements phased in for non-EV code signing certificate 
>>> issuers.
>>>
>>>
>>> Dimitris.
>>>
>>> On 4/1/2021 4:52 PM, Bruce Morton via Cscwg-public wrote:
>>>
>>>     *Ballot CSC-7: Update to merge EV and Non-EV clauses*
>>>
>>>     Purpose of the Ballot:
>>>
>>>     The CSC-2 merger of the Code Signing BRs and the EV Code Signing
>>>     Guidelines was done without technical changes. The result is
>>>     that we have some sections where there is different text for
>>>     Non-EV and EV Code Signing certificates. In many cases there was
>>>     no reason to have two different requirements. In other cases, it
>>>     made sense that they both have the same requirement. There were
>>>     of course some items where EV is different and these clauses
>>>     were not touched for now. These items were all discussed in our
>>>     bi-weekly meetings. Other minor changes were adding a table
>>>     for document revision and history and another table for
>>>     effective dates within the BRs. There were also some errors
>>>     corrected from the merger.
>>>
>>>     The following motion has been proposed by Bruce Morton of
>>>     Entrust, and endorsed by Dimitris Zacharopoulos of HARICA and
>>>     Dean Coclin of DigiCert.
>>>
>>>     --- MOTION BEGINS ---
>>>
>>>     This ballot modifies the “Baseline Requirements for the Issuance
>>>     and Management of Publicly‐Trusted Code Signing Certificates"
>>>     version 2.1 according to the attached redline.
>>>
>>>     --- MOTION ENDS ---
>>>
>>>     The procedure for approval of this ballot is as follows:
>>>
>>>     Discussion (7+ days)
>>>     Start Time: 2021-01-04, 10:00 am Eastern Time (US)
>>>     End Time: not before 2021-01-11, 10:00 am Eastern Time (US)
>>>
>>>     Vote for approval (7 days)
>>>
>>>     Start Time: TBD
>>>
>>>     End Time: TBD
>>>
>>>
>>>
>>>     _______________________________________________
>>>
>>>     Cscwg-public mailing list
>>>
>>>     Cscwg-public at cabforum.org
>>>
>>>     https://lists.cabforum.org/mailman/listinfo/cscwg-public
>>>
>>
>>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4557 bytes
Desc: S/MIME cryptographic signature
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20210111/730b5a42/attachment.p7s>