[Cscwg-public] New companies and EV Code Signing

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Wed Jul 28 16:51:09 UTC 2021



On 28/7/2021 7:24 μ.μ., Tim Hollebeek wrote:
>
> The intent isn’t to forbid it.  Young companies just have additional 
> validation requirements, which have been there for quite a long time.  
> And you shouldn’t be able to get around those additional requirements 
> simply by getting a different certificate type.  The bar should be 
> uniform across security products, and if anything, should be higher 
> for EV instead of lower, like it currently is.
>
Agreed for keeping the same level but I'm not sure what you are 
proposing. The EV process allows for new companies to get a certificate 
following specific validation rules. You and Corey seem to suggest that 
for OV according to 11.1.1(4), there is no way for a new company (less 
than 3 years old) to be allowed to get an OV certificate and I'm not 
sure you would like to see that for EV Certificates or expect to see the 
EV process being applied for OV applicants. Can you please clarify? It's 
quite possible I have misunderstood your position so please forgive me 
if this was far from what you intended to convey.

Dimitris.



> -Tim
>
> *From:* Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
> *Sent:* Wednesday, July 28, 2021 2:10 AM
> *To:* Tim Hollebeek <tim.hollebeek at digicert.com>; Corey Bonnell 
> <Corey.Bonnell at digicert.com>; cscwg-public at cabforum.org
> *Subject:* Re: [Cscwg-public] New companies and EV Code Signing
>
> I see. I probably misunderstood the word "individual" to mean a person 
> associated with the organization.
>
> IMO the requirement for non-EV is poorly written as I don't think it 
> was ever the intent of this WG to forbid companies that are not 3 
> years old to obtain an OV Code Signing Certificate. If this was the 
> intent and you can point me to minutes or any public discussion, we 
> can certainly take a deeper look.
>
> Thanks,
> Dimitris.
>
> On 27/7/2021 8:20 μ.μ., Tim Hollebeek wrote:
>
>     I think what Corey is trying to point out is that EVG 11.6 is
>     weaker than the OV CSBR requirement, so it in itself does not
>     cover the EVCS gap we identified.
>
>     -Tim
>
>     *From:* Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
>     <mailto:dzacharo at harica.gr>
>     *Sent:* Tuesday, July 27, 2021 12:35 AM
>     *To:* Corey Bonnell <Corey.Bonnell at digicert.com>
>     <mailto:Corey.Bonnell at digicert.com>; cscwg-public at cabforum.org
>     <mailto:cscwg-public at cabforum.org>; Tim Hollebeek
>     <tim.hollebeek at digicert.com> <mailto:tim.hollebeek at digicert.com>
>     *Subject:* Re: [Cscwg-public] New companies and EV Code Signing
>
>     On 27/7/2021 1:13 π.μ., Corey Bonnell wrote:
>
>         Hi Dimitris,
>
>         Perhaps I’m missing some context, but any of the four
>         verification options set forth in EVG 11.6.2 will satisfy 11.6
>         (and in turn, CSBR 11.2.7). Several of the verification
>         options listed in that section do not provide the level of
>         assurance that the CSBRs prescribe for individuals in section
>         11.1.2.
>
>         With this in mind, I believe that harmonizing the individual
>         vetting for new organizations requirement for OVCS with EVCS
>         is a useful improvement.
>
>
>     Certainly, but that's not the topic we were discussing with Tim,
>     which was around the "3 years of existence" requirement for an
>     organization to be validated.
>
>     Dimitris.
>
>
>
>         Thanks,
>
>         Corey
>
>         *From:* Cscwg-public <cscwg-public-bounces at cabforum.org>
>         <mailto:cscwg-public-bounces at cabforum.org> *On Behalf Of
>         *Dimitris Zacharopoulos (HARICA) via Cscwg-public
>         *Sent:* Saturday, July 24, 2021 4:13 AM
>         *To:* Tim Hollebeek <tim.hollebeek at digicert.com>
>         <mailto:tim.hollebeek at digicert.com>; cscwg-public at cabforum.org
>         <mailto:cscwg-public at cabforum.org>
>         *Subject:* Re: [Cscwg-public] New companies and EV Code Signing
>
>         On 22/7/2021 7:11 μ.μ., Tim Hollebeek via Cscwg-public wrote:
>
>             I’m hearing from our code signing validation people that
>             11.1.1, which refers to non-EV CS certificates, has a
>             requirement for additional validation for companies less
>             than three years old (we’ve discussed this recently), but
>             this requirement is missing for EV code signing certificates.
>
>             Is that what we want?  It seems very odd that a higher
>             level of validation has fewer requirements.
>
>
>         Hi Tim,
>
>         For EV CS certificates there is a direct reference to the EV
>         Guidelines. Specifically, 11.2.7 of the CSBRs point to EVG 11.6.
>
>         EVG 11.6.2 includes language for companies less than three
>         years old. I recall bringing this up in one of the previous
>         calls where it was pointed out that it's not necessary for a
>         company to be less than 3 years old if the other verification
>         methods described in 11.6.2 are used.
>
>         Hope this helps.
>
>         Dimitris.
>
>
>
>
>
>
>             -Tim
>
>
>
>
>
>             _______________________________________________
>
>             Cscwg-public mailing list
>
>             Cscwg-public at cabforum.org  <mailto:Cscwg-public at cabforum.org>
>
>             https://lists.cabforum.org/mailman/listinfo/cscwg-public  <https://lists.cabforum.org/mailman/listinfo/cscwg-public>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20210728/a7819b0b/attachment-0001.html>


More information about the Cscwg-public mailing list