[cabfpub] Code Signing Baseline Requirements - Final Draft for public exposure

Ryan Sleevi sleevi at google.com
Wed Mar 11 05:12:44 UTC 2015


Reposting with permission
On Mar 10, 2015 9:35 PM, "Peter Bowen" <pzbowen at gmail.com> wrote:

> On Thu, Feb 5, 2015 at 9:11 AM, Dean Coclin <Dean_Coclin at symantec.com>
> wrote:
> > The Code Signing Working Group of the CA/Browser Forum announces the
> > final draft of the Code Signing Baseline Requirements. This version takes into
> > account comments received in the first round of public review as well as
> > comments from WebTrust auditors. Additional changes/corrections were
> > incorporated by the working group over the past 3 months.
> >
> > This version is being sent out to the public mailing list and will be
> > posted on the CA/B Forum website for final comments until March 6th, 2015.
>
> Apologies for not reading these in detail until four days after the
> deadline.
>
> I am concerned that it seems that EV Code Signing certificates are not
> a superset of standard (Baseline) Code Signing certificates.
> Specifically, EVCS section 9.2.2 forbids subject alternative names in
> EVCS certificates while the BRCS section 9.2.1 requires a SAN.
> Similarly, EVCS 9.2.3 indicates common name is deprecated but BRCS
> 9.2.2 makes it mandatory.
>
> My expectation is that EV certificates always meet the requirements of
> the non-EV certificate such that systems that don't differentiate
> between EV and non-EV certificates can use EV certificates as standard
> certificates.
>
> Thanks,
> Peter
>