[cabfpub] Code Signing Baseline Requirements - Final Draft for public exposure
jeremy.rowley at digicert.com
Tue Mar 10 22:22:29 MST 2015
Right – that’s because we haven’t updated the EVCS to reflect the CS discussions. That would happen after passing the CS BRs.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi
Sent: Tuesday, March 10, 2015 11:13 PM
Subject: Re: [cabfpub] Code Signing Baseline Requirements - Final Draft for public exposure
Reposting with permission
On Mar 10, 2015 9:35 PM, "Peter Bowen" <pzbowen at gmail.com> wrote:
On Thu, Feb 5, 2015 at 9:11 AM, Dean Coclin <Dean_Coclin at symantec.com> wrote:
> The Code Signing Working Group of the CA/Browser Forum announces the final
> draft of the Code Signing Baseline Requirements. This version takes into
> account comments received in the first round of public review as well as
> comments from WebTrust auditors. Additional changes/corrections were
> incorporated by the working group over the past 3 months.
> This version is being sent out to the public mailing list and will be posted
> on the CA/B Forum website for final comments until March 6th, 2015.
Apologies for not reading these in detail until four days after the deadline.
I am concerned that it seems that EV Code Signing certificates are not
a superset of standard (Baseline) Code Signing certificates.
Specifically, EVCS section 9.2.2 forbids subject alternative names in
EVCS certificates while the BRCS section 9.2.1 requires a SAN.
Similarly, EVCS 9.2.3 indicates common name is deprecated but BRCS
9.2.2 makes it mandatory.
My expectation is that EV certificates always meet the requirements of
the non-EV certificate such that systems that don't differentiate
between EV and non-EV certificates can use EV certificates as standard