[Cscwg-public] New companies and EV Code Signing

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Sat Jul 24 08:12:54 UTC 2021

On 22/7/2021 7:11 PM, Tim Hollebeek via Cscwg-public wrote:
> I’m hearing from our code signing validation people that 11.1.1, which 
> refers to non-EV CS certificates, has a requirement for additional 
> validation for companies less than three years old (we’ve discussed 
> this recently), but this requirement is missing for EV code signing 
> certificates.
> Is that what we want?  It seems very odd that a higher level of 
> validation has fewer requirements.

Hi Tim,

For EV CS certificates there is a direct reference to the EV Guidelines. 
Specifically, 11.2.7 of the CSBRs points to EVG 11.6.

EVG 11.6.2 includes language for companies less than three years old. I 
recall bringing this up in one of the previous calls where it was 
pointed out that it's not necessary for a company to be less than 3 
years old if the other verification methods described in 11.6.2 are used.

Hope this helps.


> -Tim