[Cscwg-public] Proposal to make changes to revocation based on malware
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Fri Sep 23 16:46:16 UTC 2022
I posted some proposed changes for consistency and accuracy.
* https://github.com/cabforum/code-signing/pull/10#pullrequestreview-1118760785
Thanks,
Dimitris.
On 23/9/2022 3:55 μ.μ., Bruce Morton via Cscwg-public wrote:
>
> Hi Martjin,
>
> I will endorse the ballot.
>
> Thanks, Bruce.
>
> *From:* Cscwg-public <cscwg-public-bounces at cabforum.org> *On Behalf Of
> *Martijn Katerbarg via Cscwg-public
> *Sent:* Friday, September 23, 2022 3:44 AM
> *To:* cscwg-public at cabforum.org
> *Subject:* [EXTERNAL] Re: [Cscwg-public] Proposal to make changes to
> revocation based on malware
>
> WARNING: This email originated outside of Entrust.
> DO NOT CLICK links or attachments unless you trust the sender and know
> the content is safe.
>
> ------------------------------------------------------------------------
>
> All,
>
> As discussed on yesterdays call, the latest changes which Tim and I
> were discussing are pushed into Github.
>
> The complete change can be found at
> https://github.com/cabforum/code-signing/pull/10/files for review.
>
> Bruce, Ian, since I earlier had your endorsements, please let me know
> if they still stand. The changes since the endorsements, are captured
> in
> https://github.com/cabforum/code-signing/pull/10/commits/90fa38ab4dc5e5f9b25fce844b750d693f7256b7
>
> If there are no other comments, then hopefully we can start a ballot
> process on this.
>
>
> Regards,
>
> Martijn
>
> *From:* Cscwg-public <cscwg-public-bounces at cabforum.org> *On Behalf Of
> *Martijn Katerbarg via Cscwg-public
> *Sent:* Tuesday, 19 July 2022 09:22
> *To:* Tim Hollebeek <tim.hollebeek at digicert.com>;
> cscwg-public at cabforum.org
> *Subject:* Re: [Cscwg-public] Proposal to make changes to revocation
> based on malware
>
> CAUTION: This email originated from outside of the organization. Do
> not click links or open attachments unless you recognize the sender
> and know the content is safe.
>
> Thanks Tim,
>
> * What is the motivation for allowing a waiver if approved by just
> “at least one” of the stakeholders, instead of all of them?
> * I’m a bit concerned that language might be increasingly
> troublesome as we continue to expand the scope and participation
> of this group.
>
> I believe it might be difficult to get approval from all stakeholders
> within a certain amount of time, meaning the CA would possibly never
> get all approvals, and never be able to utilize the waiver.
>
> Considering that signed code is often (but not exclusively) targeted
> for a specific platform, stakeholders of other platforms might not be
> inclined to give approval for something that does not even affect them.
>
> I do share your concern, but I also don’t see a better path towards
> the same goal.
>
> * Similarly, I’m unsure how I feel about making compliance
> distinctions based on whether a particular root program has
> decided to have a contractual relationship with its issuers or
> not. That seems like an implementation detail of the relationship
> that the guidelines should remain silent on. But I appreciate what
> that definition is intended to do, and would like to perhaps find
> a different way to express the same intent.
>
> Good point, and maybe the word “contract” is too much here?
>
> Although I would note this language is already part of the
> “Certificate Beneficiaries” definition right now.
>
> I’m open for a different suggestion
>
> *From:* Tim Hollebeek <tim.hollebeek at digicert.com>
> *Sent:* Friday, 15 July 2022 18:18
> *To:* Martijn Katerbarg <martijn.katerbarg at sectigo.com>;
> cscwg-public at cabforum.org
> *Subject:* RE: [Cscwg-public] Proposal to make changes to revocation
> based on malware
>
> CAUTION: This email originated from outside of the organization. Do
> not click links or open attachments unless you recognize the sender
> and know the content is safe.
>
> What is the motivation for allowing a waiver if approved by just “at
> least one” of the stakeholders, instead of all of them?
>
> I’m a bit concerned that language might be increasingly troublesome as
> we continue to expand the scope and participation of this group.
>
> Similarly, I’m unsure how I feel about making compliance distinctions
> based on whether a particular root program has decided to have a
> contractual relationship with its issuers or not. That seems like an
> implementation detail of the relationship that the guidelines should
> remain silent on. But I appreciate what that definition is intended
> to do, and would like to perhaps find a different way to express the
> same intent.
>
> -Tim
>
> *From:* Cscwg-public <cscwg-public-bounces at cabforum.org> *On Behalf Of
> *Martijn Katerbarg via Cscwg-public
> *Sent:* Monday, June 27, 2022 10:04 AM
> *To:* cscwg-public at cabforum.org
> *Subject:* [Cscwg-public] Proposal to make changes to revocation based
> on malware
>
> All,
>
> As already hinted during the last meeting during the F2F, Ian and I,
> have been working on a proposal affecting the guidelines regarding
> malware based revocation.
>
> The intent of this change is to:
>
> * Limit the number of days before a certificate needs to be revoked,
> especially when the subscriber is not responding to inquiries
> * Remove the OCSP log analysis requirements
> * Simplify the process that has to be followed
>
> I have attached 3 documents: one with the current language, one with
> the proposed language, as well as a redlined version.
>
> The changes have been made based on upcoming version 3.0 of the
> CSCBRs. In case you wish to compare with version 2.8, the relevant
> section is 13.1.5.3. Besides to that section, there is also a change
> to the “Suspect Code” definition, as well as a new definition in the
> proposal.
>
> Once PR6
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fcode-signing%2Fpull%2F6&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7C0a91a06103a94b96adf008da69575c2d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637938121195022126%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=BaODhyht2Dvw56UXKIt47jk14XlswOCarDkBIOJs72U%3D&reserved=0>
> has been merged, I will also prepare the changes in GIT for those that
> prefer comparing there.
>
> Looking forward to comments to this and move towards a potential ballot.
>
> Regards,
>
> Martijn
>
> /Any email and files/attachments transmitted with it are confidential
> and are intended solely for the use of the individual or entity to
> whom they are addressed. If this message has been sent to you in
> error, you must not copy, distribute or disclose of the information it
> contains. _Please notify Entrust immediately_ and delete the message
> from your system./
>
> _______________________________________________
> Cscwg-public mailing list
> Cscwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/cscwg-public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20220923/a39f7bf4/attachment.html>
More information about the Cscwg-public
mailing list