[Cscwg-public] New companies and EV Code Signing
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Tue Jul 27 04:35:04 UTC 2021
On 27/7/2021 1:13 AM, Corey Bonnell wrote:
>
> Hi Dimitris,
>
> Perhaps I’m missing some context, but any of the four verification
> options set forth in EVG 11.6.2 will satisfy 11.6 (and in turn, CSBR
> 11.2.7). Several of the verification options listed in that section do
> not provide the level of assurance that the CSBRs prescribe for
> individuals in section 11.1.2.
>
> With this in mind, I believe that harmonizing the individual vetting
> for new organizations requirement for OVCS with EVCS is a useful
> improvement.
>
Certainly, but that's not the topic we were discussing with Tim, which
was around the "3 years of existence" requirement for an organization to
be validated.
Dimitris.
> Thanks,
>
> Corey
>
> *From:* Cscwg-public <cscwg-public-bounces at cabforum.org> *On Behalf Of
> *Dimitris Zacharopoulos (HARICA) via Cscwg-public
> *Sent:* Saturday, July 24, 2021 4:13 AM
> *To:* Tim Hollebeek <tim.hollebeek at digicert.com>;
> cscwg-public at cabforum.org
> *Subject:* Re: [Cscwg-public] New companies and EV Code Signing
>
> On 22/7/2021 7:11 PM, Tim Hollebeek via Cscwg-public wrote:
>
> I’m hearing from our code signing validation people that 11.1.1,
> which refers to non-EV CS certificates, has a requirement for
> additional validation for companies less than three years old
> (we’ve discussed this recently), but this requirement is missing
> for EV code signing certificates.
>
> Is that what we want? It seems very odd that a higher level of
> validation has fewer requirements.
>
>
> Hi Tim,
>
> For EV CS certificates there is a direct reference to the EV
> Guidelines. Specifically, 11.2.7 of the CSBRs points to EVG 11.6.
>
> EVG 11.6.2 includes language for companies less than three years old.
> I recall bringing this up in one of the previous calls where it was
> pointed out that it's not necessary for a company to be less than 3
> years old if the other verification methods described in 11.6.2 are used.
>
> Hope this helps.
>
> Dimitris.
>
>
>
>
> -Tim