[Cscwg-public] Code Signing Baseline Requirements references to the EV Guidelines
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Mon Mar 11 16:19:46 UTC 2024
All,
I re-based the importEVG branch to the latest CSBR (3.7.0). You can see
the ballot redline in https://github.com/cabforum/code-signing/pull/38.
Feel free to start a review within the PR or reply to this thread with
comments.
The ballot importing the EV Guidelines into the CSBRs requires time to
review, so I plan to give at least a 2-week discussion period for Members
to check before starting the voting period.
I have one remaining task which is to import the changes introduced by
Ballot SC68 <https://github.com/cabforum/servercert/pull/478>. Other
than that, we should be good to go. I would like to ask for 2 endorsers
to reserve a ballot number.
Thank you,
Dimitris.
On 2/2/2024 1:59 PM, Dimitris Zacharopoulos (HARICA) wrote:
> Dear Members,
>
> Apologies for sending this late. Here is the mapping document for the
> import of the EV Guidelines into the CS Baseline Requirements.
>
> The process started from sections of the CSBRs that point to sections
> of the EV Guidelines. In some cases, the referenced EVG section
> contained additional references within the EVG. The spreadsheet tried
> to capture and follow all those references to ensure we didn't miss
> anything.
>
> I hope this document will help the review process so we can proceed
> with a ballot. Before we do the ballot, we will have to rebase to the
> latest CSBR version and resolve any conflicts that may be caused by
> the last 2 ballots. My goal is to get this ready for a ballot after
> the next F2F meeting.
>
>
> Thank you,
> Dimitris.
>
> On 8/1/2024 3:06 PM, Dimitris Zacharopoulos (HARICA) via
> Cscwg-public wrote:
>> Dear Members,
>>
>> Following up on the work of importing the references to the EV
>> Guidelines, specifically the latest version (1.8.0), with the
>> exception of the CA/B Forum organization identifier extension as
>> agreed in previous meetings, the resulting redline (based on CSBR
>> version 3.4.0) is available at the following link:
>>
>> * https://github.com/cabforum/code-signing/compare/main...importEVG
>>
>> We can easily rebase to version 3.5.0 which is the latest CSBR
>> version, but the focus should be more on the import of the existing
>> EV references.
>>
>> The redline contains several formatting improvements as well, like
>> removal of double spaces and tabs that break the conversion.
>>
>> Here are my notes from the conversion:
>>
>>
>> - CSBR section 3.2.2.2 points to EV Guidelines
>>   - Section 10.1.2 for specific roles (done)
>>   - Section 11.2 for Legal Existence and Identity (done)
>>   - Section 11.3 for Assumed Name (done)
>>   - Section 11.4 for Physical Existence (done)
>>   - Section 11.5 for Method of Communication (done)
>>   - Section 11.6 for Operational Existence (done)
>>   - Section 11.8 for Name, Title and Authority of Contract Signer and
>>     Certificate Approver (done)
>>   - Section 11.9 for Signature on Subscriber Agreement and EV CS
>>     Certificate Requests (done)
>>   - Section 11.10 for Approval of EV CS Certificate Request (done)
>>   - Section 11.11 for Certain Information Sources (done)
>>   - Section 11.12.3 for Parent/Subsidiary/Affiliate Relationship (done)
>> - CSBR section 4.1.1 points to EV Guidelines section 11.12.2 for
>>   "suspicious" certificate requests (done; new section 3.2.8)
>> - CSBR section 4.2.1 points to EV Guidelines
>>   - section 11.13 for the "due diligence" verification (done; new
>>     section 3.2.9)
>>   - section 11.14 for the usage periods of documents, data and
>>     previous validations performed per section 3.2 (done; new
>>     section 4.2.1.1)
>> - CSBR section 5.2.4 points to EV Guidelines section 11.13 for the
>>   Final Cross-Correlation and Due Diligence steps (done by pointing to
>>   the new section 3.2.9)
>> - CSBR section 5.3.3 points to EV Guidelines in general for the
>>   Validation Specialist training and internal examination (done)
>> - CSBR section 7.1.4.2.4 points to EV Guidelines sections 9.2.1
>>   (done), 9.2.3 (done), 9.2.4 (done; section 11.1.3 disclosure of
>>   verification sources migrated to 3.2.10), 9.2.5 (done), 9.2.6 (done),
>>   9.2.8 (done; updated the reference to 9.2.4 to 7.1.4.2.4 (c)) for
>>   subject information
>> - CSBR section 9.2.1 points to EV Guidelines section 8.4 for
>>   insurance coverage (done)
>>
>>
>> 9.8.2 --> Do not import
>> 11.11.1 --> 3.2.2.2.10.1
>> 11.11.4 --> 3.2.2.2.12
>> 11.13 --> 3.2.9
>> 14.1.1, 14.1.2 --> 5.3 (Training and background checks)
>> 14.1.3 --> 5.2.4 (separation of duties)
>> 14.2 --> 1.3.2.1 (new section)
>>
>> We still need to do a thorough check for the import of the proper
>> definitions and acronyms and remove the ones that are not used in the
>> CSBRs with the first letter capitalized.
>>
>> I have not completed a full mapping of the import of the EVGs into
>> the CSBRs but that's my next target. Please note that some
>> destination sections are different from what Inigo has decided for
>> the conversion of the EVGs into the RFC 3647 format
>> <https://github.com/cabforum/servercert/compare/90a98dc7c1131eaab01af411968aa7330d315b9b...238ff99fbe04f2aa24f2c58910d8133f2283f11e>.
>> We can compare notes with Inigo after we get some initial feedback by
>> Members.
>>
>>
>> Best regards,
>> Dimitris.
>>
>> On 2/10/2023 11:56 PM, Dimitris Zacharopoulos (HARICA) wrote:
>>>
>>> Dear Members,
>>>
>>> At a previous Teleconference I volunteered to search the CSBRs and
>>> find references to the EV Guidelines that could be discussed at the
>>> upcoming F2F. We can then decide if we want to import all or some of
>>> them to the CSBRs.
>>>
>>> The EV Guidelines version that is (supposed to be) referenced is 1.7.1.
>>>
>>> * CSBR section 3.2.2.2 points to EV Guidelines:
>>>   o Section 10.1.2 for specific roles
>>>   o Section 11.2 for Legal Existence and Identity
>>>   o Section 11.3 for Assumed Name
>>>   o Section 11.4 for Physical Existence
>>>   o Section 11.5 for Method of Communication
>>>   o Section 11.6 for Operational Existence
>>>   o Section 11.8 for Name, Title and Authority of Contract
>>>     Signer and Certificate Approver
>>>   o Section 11.9 for Signature on Subscriber Agreement and EV CS
>>>     Certificate Requests
>>>   o Section 11.10 for Approval of EV CS Certificate Request
>>>   o Section 11.11 for Certain Information Sources
>>>   o Section 11.12.3 for Parent/Subsidiary/Affiliate Relationship
>>> * CSBR section 4.1.1 points to EV Guidelines section 11.12.2 for
>>>   "suspicious" certificate requests
>>> * CSBR section 4.2.1 points to EV Guidelines:
>>>   o section 11.13 for the "due diligence" verification
>>>   o section 11.14 for the usage periods of documents, data and
>>>     previous validations performed per section 3.2
>>> * CSBR section 5.2.4 points to EV Guidelines section 11.13 for the
>>>   Final Cross-Correlation and Due Diligence steps
>>> * CSBR section 5.3.3 points to EV Guidelines in general for the
>>>   Validation Specialist training and internal examination
>>> * CSBR section 7.1.4.2.4 points to EV Guidelines sections 9.2.1,
>>>   9.2.3, 9.2.4, 9.2.5, 9.2.6 for subject information
>>> * CSBR section 9.2.1 points to EV Guidelines section 8.4 for
>>>   insurance coverage
>>>
>>> During this process, I also noticed that we have a capitalized term
>>> "EV Process" without a corresponding definition. I will add an issue
>>> on GitHub for the next cleanup ballot.
>>>
>>> I would appreciate a second review in case I missed something.
>>>
>>>
>>> Thank you,
>>>
>>> Dimitris.
>>>
>>
>>