[Cscwg-public] New companies and EV Code Signing

Corey Bonnell Corey.Bonnell at digicert.com
Mon Jul 26 22:13:16 UTC 2021

Hi Dimitris,

Perhaps I’m missing some context, but any of the four verification options set forth in EVG 11.6.2 will satisfy 11.6 (and in turn, CSBR 11.2.7). Several of the verification options listed in that section do not provide the level of assurance that the CSBRs prescribe for individuals in section 11.1.2.


With this in mind, I believe that harmonizing the individual vetting for new organizations requirement for OVCS with EVCS is a useful improvement.





From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Dimitris Zacharopoulos (HARICA) via Cscwg-public
Sent: Saturday, July 24, 2021 4:13 AM
To: Tim Hollebeek <tim.hollebeek at digicert.com>; cscwg-public at cabforum.org
Subject: Re: [Cscwg-public] New companies and EV Code Signing



On 22/7/2021 7:11 μ.μ., Tim Hollebeek via Cscwg-public wrote:


I’m hearing from our code signing validation people that 11.1.1, which refers to non-EV CS certificates, has a requirement for additional validation for companies less than three years old (we’ve discussed this recently), but this requirement is missing for EV code signing certificates.


Is that what we want?  It seems very odd that a higher level of validation has fewer requirements.

Hi Tim,

For EV CS certificates there is a direct reference to the EV Guidelines. Specifically, 11.2.7 of the CSBRs point to EVG 11.6.

EVG 11.6.2 includes language for companies less than three years old. I recall bringing this up in one of the previous calls where it was pointed out that it's not necessary for a company to be less than 3 years old if the other verification methods described in 11.6.2 are used.

Hope this helps.




Cscwg-public mailing list
Cscwg-public at cabforum.org <mailto:Cscwg-public at cabforum.org> 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20210726/ad6920d3/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4990 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20210726/ad6920d3/attachment.p7s>

More information about the Cscwg-public mailing list