[Cscwg-public] New companies and EV Code Signing

Tim Hollebeek tim.hollebeek at digicert.com
Wed Jul 28 17:07:12 UTC 2021 

No, no, no.

 

Both EV and OV have various rules for the minimum requirements to get a certificate.

 

OV has an additional requirement that companies younger than three years old must additionally validate the applicant.  Those rules have been there for a long time.

 

EV lacks that additional requirement (due to an oversight, it seems), and therefore, paradoxically, OV certificates are actually more strongly vetted than EV for such companies.  That shouldn’t be the case.

 

All we’re suggesting is that EV should have the same or better rules for new companies, instead of the weaker rules that are currently in place.

 

The concrete proposal is that the OV language for new companies be modified to include EV certificates as well, which I believe was the original intent.

 

-Tim

 

From: Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr> 
Sent: Wednesday, July 28, 2021 12:51 PM
To: Tim Hollebeek <tim.hollebeek at digicert.com>; Corey Bonnell <Corey.Bonnell at digicert.com>; cscwg-public at cabforum.org
Subject: Re: [Cscwg-public] New companies and EV Code Signing

 

 

On 28/7/2021 7:24 μ.μ., Tim Hollebeek wrote:

The intent isn’t to forbid it.  Young companies just have additional validation requirements, which have been there for quite a long time.  And you shouldn’t be able to get around those additional requirements simply by getting a different certificate type.  The bar should be uniform across security products, and if anything, should be higher for EV instead of lower, like it currently is.

 

Agreed for keeping the same level but I'm not sure what you are proposing. The EV process allows for new companies to get a certificate following specific validation rules. You and Corey seem to suggest that for OV according to 11.1.1(4), there is no way for a new company (less than 3 years old) to be allowed to get an OV certificate and I'm not sure you would like to see that for EV Certificates or expect to see the EV process being applied for OV applicants. Can you please clarify? It's quite possible I have misunderstood your position so please forgive me if this was far from what you intended to convey.

Dimitris.






-Tim

 

From: Dimitris Zacharopoulos (HARICA)  <mailto:dzacharo at harica.gr> <dzacharo at harica.gr> 
Sent: Wednesday, July 28, 2021 2:10 AM
To: Tim Hollebeek  <mailto:tim.hollebeek at digicert.com> <tim.hollebeek at digicert.com>; Corey Bonnell  <mailto:Corey.Bonnell at digicert.com> <Corey.Bonnell at digicert.com>; cscwg-public at cabforum.org <mailto:cscwg-public at cabforum.org> 
Subject: Re: [Cscwg-public] New companies and EV Code Signing

 

I see. I probably misunderstood the word "individual" to mean a person associated with the organization.

IMO the requirement for non-EV is poorly written as I don't think it was ever the intent of this WG to forbid companies that are not 3 years old to obtain an OV Code Signing Certificate. If this was the intent and you can point me to minutes or any public discussion, we can certainly take a deeper look.

Thanks,
Dimitris.

On 27/7/2021 8:20 μ.μ., Tim Hollebeek wrote:

I think what Corey is trying to point out is that EVG 11.6 is weaker than the OV CSBR requirement, so it in itself does not cover the EVCS gap we identified.

 

-Tim

 

From: Dimitris Zacharopoulos (HARICA)  <mailto:dzacharo at harica.gr> <dzacharo at harica.gr> 
Sent: Tuesday, July 27, 2021 12:35 AM
To: Corey Bonnell  <mailto:Corey.Bonnell at digicert.com> <Corey.Bonnell at digicert.com>; cscwg-public at cabforum.org <mailto:cscwg-public at cabforum.org> ; Tim Hollebeek  <mailto:tim.hollebeek at digicert.com> <tim.hollebeek at digicert.com>
Subject: Re: [Cscwg-public] New companies and EV Code Signing

 

 

On 27/7/2021 1:13 π.μ., Corey Bonnell wrote:

Hi Dimitris,

Perhaps I’m missing some context, but any of the four verification options set forth in EVG 11.6.2 will satisfy 11.6 (and in turn, CSBR 11.2.7). Several of the verification options listed in that section do not provide the level of assurance that the CSBRs prescribe for individuals in section 11.1.2.

 

With this in mind, I believe that harmonizing the individual vetting for new organizations requirement for OVCS with EVCS is a useful improvement.


Certainly, but that's not the topic we were discussing with Tim, which was around the "3 years of existence" requirement for an organization to be validated.

Dimitris.






 

Thanks,

Corey

 

From: Cscwg-public  <mailto:cscwg-public-bounces at cabforum.org> <cscwg-public-bounces at cabforum.org> On Behalf Of Dimitris Zacharopoulos (HARICA) via Cscwg-public
Sent: Saturday, July 24, 2021 4:13 AM
To: Tim Hollebeek  <mailto:tim.hollebeek at digicert.com> <tim.hollebeek at digicert.com>; cscwg-public at cabforum.org <mailto:cscwg-public at cabforum.org> 
Subject: Re: [Cscwg-public] New companies and EV Code Signing

 

 

On 22/7/2021 7:11 μ.μ., Tim Hollebeek via Cscwg-public wrote:

 

I’m hearing from our code signing validation people that 11.1.1, which refers to non-EV CS certificates, has a requirement for additional validation for companies less than three years old (we’ve discussed this recently), but this requirement is missing for EV code signing certificates.

 

Is that what we want?  It seems very odd that a higher level of validation has fewer requirements.


Hi Tim,

For EV CS certificates there is a direct reference to the EV Guidelines. Specifically, 11.2.7 of the CSBRs point to EVG 11.6.

EVG 11.6.2 includes language for companies less than three years old. I recall bringing this up in one of the previous calls where it was pointed out that it's not necessary for a company to be less than 3 years old if the other verification methods described in 11.6.2 are used.

Hope this helps.

Dimitris.









 

-Tim








_______________________________________________
Cscwg-public mailing list
Cscwg-public at cabforum.org <mailto:Cscwg-public at cabforum.org> 
https://lists.cabforum.org/mailman/listinfo/cscwg-public

 

 

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20210728/26ed19b4/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4940 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20210728/26ed19b4/attachment-0001.p7s>

More information about the Cscwg-public mailing list