[Cscwg-public] [EXTERNAL]Re: Ballot CSC-7: Update to merge EV and Non-EV clauses

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Mon Jan 11 08:19:28 UTC 2021



On 11/1/2021 9:57 a.m., Adriano Santoni via Cscwg-public wrote:
>
> Hi all,
>
> I have a couple of doubts on the current text; I beg your pardon if 
> these have been discussed before:
>
> * Section 9.2.1 (Subject Alternative Name Extension) provides "No 
> stipulation". Written that way, it implies that a code signing 
> certificate with (say) a FQDN in its SAN would be okay, which perhaps 
> is not intended (?).
>

Hi Adriano,

This is a copy from the existing requirements. The goal of this ballot 
is to harmonize requirements between EV and Non-EV Code Signing 
Certificates. Perhaps you can propose a new ballot to address any other 
concerns or improvements separately.

> * Section 11.8 (Due diligence) just refers to Section 11.13 of the EV 
> Guidelines. It's not specified, though, if this requirement applies to 
> both EV and non-EV certificates. As written, it seems to imply that it 
> applies to both, which I suppose is not intended (?).
>

It is intended. The previous (and existing) requirements for Non-EV Code 
Signing Certificates required the same level of due diligence that 
applies for EV Code Signing Certificates (two-person rule) but used 
slightly different language to describe the requirement. That's why the 
WG decided to refer to the EV Guidelines for both types of Code Signing 
Certificates to make it clearer.

Hope this helps.


Dimitris.


> Adriano
>
>
> On 11/01/2021 07:40, Dimitris Zacharopoulos (HARICA) via Cscwg-public 
> wrote:
>>
>>
>> On 8/1/2021 10:22 a.m., Dimitris Zacharopoulos (HARICA) via 
>> Cscwg-public wrote:
>>> On 7/1/2021 10:28 p.m., Bruce Morton wrote:
>>>>
>>>> Hi Dimitris,
>>>>
>>>> Can you please propose a text change to help fix the issue?
>>>>
>>>
>>> Sure, I will try to get something on the list early next week.
>>
>> Attached. I also updated table 2.2 adding these two dates as new 
>> rows. Please review.
>>
>>
>> Best regards,
>> Dimitris.
>>
>>>
>>>
>>> Dimitris.
>>>
>>>
>>>> Thanks, Bruce.
>>>>
>>>> *From:*Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
>>>> *Sent:* Thursday, January 7, 2021 2:33 AM
>>>> *To:* Bruce Morton <Bruce.Morton at entrust.com>; 
>>>> cscwg-public at cabforum.org
>>>> *Subject:* [EXTERNAL]Re: [Cscwg-public] Ballot CSC-7: Update to 
>>>> merge EV and Non-EV clauses
>>>>
>>>>
>>>>
>>>> Bruce,
>>>>
>>>> Some of my concerns raised in 2020-12-16 are still unaddressed.
>>>>
>>>> 14.1 still seems to be a bit ambiguous. It points directly to the 
>>>> EV Guidelines section 14.1 but does it also apply for Employees 
>>>> that vet non-EV Code Signing? The answer seems to be "yes" which 
>>>> makes non-EV CS issuers non-conformant as soon as this becomes 
>>>> effective.
>>>>
>>>> The same applies for 16.2. We need an effective date for non-EV 
>>>> issuers to migrate to the stronger EV requirements.
>>>>
>>>> I would be fine with any effective date. 2021-06-01 seems to be an 
>>>> effective date for some changes regarding the key sizes, so CAs 
>>>> already have their attention on this deadline. I suggest we have 
>>>> those two requirements phased in for non-EV code signing 
>>>> certificate issuers.
>>>>
>>>>
>>>> Dimitris.
>>>>
>>>> On 4/1/2021 4:52 p.m., Bruce Morton via Cscwg-public wrote:
>>>>
>>>>     *Ballot CSC-7: Update to merge EV and Non-EV clauses*
>>>>
>>>>     Purpose of the Ballot:
>>>>
>>>>     The CSC-2 merger of the Code Signing BRs and the EV Code
>>>>     Signing Guidelines was done without technical changes. The
>>>>     result is that we have some sections where there is different
>>>>     text for Non-EV and EV Code Signing certificates. In many cases
>>>>     there was no reason to have two different requirements. In
>>>>     other cases, it made sense that they both have the same
>>>>     requirement. There were of course some items where EV is
>>>>     different and these clauses were not touched for now. These
>>>>     items were all discussed in our bi-weekly meetings. Other minor
>>>>     changes were the adding in a table for document revision and
>>>>     history and another table for effective dates within the BRs.
>>>>     There were also some errors corrected from the merger.
>>>>
>>>>     The following motion has been proposed by Bruce Morton of
>>>>     Entrust, and endorsed by Dimitris Zacharopoulos of HARICA and
>>>>     Dean Coclin of DigiCert.
>>>>
>>>>     --- MOTION BEGINS ---
>>>>
>>>>     This ballot modifies the “Baseline Requirements for the
>>>>     Issuance and Management of Publicly‐Trusted Code Signing
>>>>     Certificates" version 2.1 according to the attached redline.
>>>>
>>>>     --- MOTION ENDS ---
>>>>
>>>>     The procedure for approval of this ballot is as follows:
>>>>
>>>>     Discussion (7+ days)
>>>>     Start Time: 2021-01-04, 10:00 am Eastern Time (US)
>>>>     End Time: not before 2021-01-11, 10:00 am Eastern Time (US)
>>>>
>>>>     Vote for approval (7 days)
>>>>
>>>>     Start Time: TBD
>>>>
>>>>     End Time: TBD
>>>>
>>>>
>>>>
>>>>     _______________________________________________
>>>>
>>>>     Cscwg-public mailing list
>>>>
>>>>     Cscwg-public at cabforum.org
>>>>
>>>>     https://lists.cabforum.org/mailman/listinfo/cscwg-public
>>>>
>>>
>>>
>>
>>
>
