[Cscwg-public] New companies and EV Code Signing
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Wed Jul 28 06:09:58 UTC 2021
I see. I probably misunderstood the word "individual" to mean a person
associated with the organization.
IMO the requirement for non-EV is poorly written as I don't think it was
ever the intent of this WG to forbid companies that are not 3 years old
to obtain an OV Code Signing Certificate. If this was the intent and you
can point me to minutes or any public discussion, we can certainly take
a deeper look.
Thanks,
Dimitris.
On 27/7/2021 8:20 PM, Tim Hollebeek wrote:
>
> I think what Corey is trying to point out is that EVG 11.6 is weaker
> than the OV CSBR requirement, so it in itself does not cover the EVCS
> gap we identified.
>
> -Tim
>
> *From:* Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
> *Sent:* Tuesday, July 27, 2021 12:35 AM
> *To:* Corey Bonnell <Corey.Bonnell at digicert.com>;
> cscwg-public at cabforum.org; Tim Hollebeek <tim.hollebeek at digicert.com>
> *Subject:* Re: [Cscwg-public] New companies and EV Code Signing
>
> On 27/7/2021 1:13 AM, Corey Bonnell wrote:
>
> Hi Dimitris,
>
> Perhaps I’m missing some context, but any of the four verification
> options set forth in EVG 11.6.2 will satisfy 11.6 (and in turn,
> CSBR 11.2.7). Several of the verification options listed in that
> section do not provide the level of assurance that the CSBRs
> prescribe for individuals in section 11.1.2.
>
> With this in mind, I believe that harmonizing the individual
> vetting for new organizations requirement for OVCS with EVCS is a
> useful improvement.
>
>
> Certainly, but that's not the topic we were discussing with Tim, which
> was around the "3 years of existence" requirement for an organization
> to be validated.
>
> Dimitris.
>
>
> Thanks,
>
> Corey
>
> *From:* Cscwg-public <cscwg-public-bounces at cabforum.org>
> <mailto:cscwg-public-bounces at cabforum.org> *On Behalf Of *Dimitris
> Zacharopoulos (HARICA) via Cscwg-public
> *Sent:* Saturday, July 24, 2021 4:13 AM
> *To:* Tim Hollebeek <tim.hollebeek at digicert.com>
> <mailto:tim.hollebeek at digicert.com>; cscwg-public at cabforum.org
> <mailto:cscwg-public at cabforum.org>
> *Subject:* Re: [Cscwg-public] New companies and EV Code Signing
>
> On 22/7/2021 7:11 PM, Tim Hollebeek via Cscwg-public wrote:
>
> I’m hearing from our code signing validation people that
> 11.1.1, which refers to non-EV CS certificates, has a
> requirement for additional validation for companies less than
> three years old (we’ve discussed this recently), but this
> requirement is missing for EV code signing certificates.
>
> Is that what we want? It seems very odd that a higher level
> of validation has fewer requirements.
>
>
> Hi Tim,
>
> For EV CS certificates there is a direct reference to the EV
> Guidelines. Specifically, 11.2.7 of the CSBRs points to EVG 11.6.
>
> EVG 11.6.2 includes language for companies less than three years
> old. I recall bringing this up in one of the previous calls where
> it was pointed out that it's not necessary for a company to be
> less than 3 years old if the other verification methods described
> in 11.6.2 are used.
>
> Hope this helps.
>
> Dimitris.
>
> -Tim