[Cscwg-public] [EXTERNAL] WebTrust - EV Code Signing v.1.4.1 and ALV in the CCADB

Ben Wilson bwilson at mozilla.com
Tue Jul 13 20:01:13 UTC 2021


It seems that additional work is needed to replace the EV Guidelines for
Code Signing.  For instance, section 17.1 of the Baseline Requirements for
Code Signing says that the eligible audit scheme (for Baseline) can be
“WebTrust for CAs v2.0 or newer” AND “WebTrust for Certification
Authorities – Extended Validation Code Signing v1.4.1 or newer”, but it
doesn't seem to be the other way around (that the BRCS is sufficient for
EVCS).  Does this working group have plans to replace the EV Guidelines for
Code Signing with a unified guideline document?

On Tue, Jul 13, 2021 at 12:20 PM Bruce Morton <Bruce.Morton at entrust.com>
wrote:

> Hi Ben,
>
> Based on how I interpret the requirements for the new CSBR v2.0 audit
> criteria, it should be used for all audit periods starting on or after 1
> November 2020. So that would mean that EVCS 1.4.1 could be used for periods
> starting before 1 November 2020. With a 3-month posting deadline, you could
> see EVCS 1.4.1 audit reports posted until 31 January 2022 (or later for
> late reports).
>
> For example, if an audit period started on 1 October 2020 and ended on 30
> September 2021, then the CA could use EVCS 1.4.1 and must post the report
> by 31 December 2021.
>
> Bruce.
>
> *From:* Cscwg-public <cscwg-public-bounces at cabforum.org> *On Behalf Of *Ben
> Wilson via Cscwg-public
> *Sent:* Tuesday, July 13, 2021 1:55 PM
> *To:* cscwg-public at cabforum.org
> *Subject:* [EXTERNAL] [Cscwg-public] WebTrust - EV Code Signing v.1.4.1
> and ALV in the CCADB
>
> All,
>
> In reference to the WebTrust Principles and Criteria and the CCADB's ALV
> processing of audit letters, see
> <https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria>,
> which mentions WebTrust for EV CS v. 1.4.1.  At what point will a requirement for v.
> 1.4.1 go away, if it will?  The reason I ask is that the CCADB gave me an
> ALV error recently when it processed an EV CS audit letter because it did
> not specifically mention WebTrust EV CS v. 1.4.1.
>
> Thoughts?
>
> Ben