On 13/6/2024 3:56 μ.μ., Adriano Santoni via Cscwg-public wrote:
Dimitris,
we are not against this ballot, per se, but I wonder what is the point
of regulating EV code signing certificates considering that "Starting
February 2024, Microsoft will no longer accept or recognize EV Code
Signing Certificates" [1] and there are no platforms other than
Windows that treat EV code signing certificates differently than plain
(non-EV) code signing certificates, at least as far as I know (I could
be wrong).
Adriano
[1]
https://learn.microsoft.com/en-us/security/trusted-root/program-requirements
Hi Adriano,
This ballot merely tries to simplify the current requirements for CAs
and auditors so that they don't need to look a two different locations
for the actual requirements. The ballot also helps identifying the exact
applicable requirements instead of the ambiguous current wording which
points to EV Guidelines unless there is more specific language in the CBRs.
Microsoft still needs to describe a clear plan for deciding which future
form of identity validation is preferred over the current options, and
this will probably be done in a future ballot.
BTW, Microsoft has clarified in F2F#61 that they will not have a
separate "trust-bit" for "EV Code Signing". That doesn't mean they will
discard an EV Code Signing Certificate if they see one :-)
Hope this helps.
Dimitris.
Il 12/06/2024 09:09, Dimitris Zacharopoulos (HARICA) via Cscwg-public
ha scritto:
NOTICE: Pay attention - external email - Sender is
010001900b48090a-44470727-22cc-4fbc-a44e-c7eab85c5cd8-000...@amazonses.com
Members can also review the INFORMATIVE attached documents, which are
produced by the automated markdown to PDF/DOCX conversion process,
implemented by the Infrastructure Subcommittee.
Dimitris.
On 12/6/2024 10:04 π.μ., Dimitris Zacharopoulos (HARICA) via
Cscwg-public wrote:
CSC-25 Import EV Guidelines into the Code Signing Baseline
Requirements
*Purpose of the Ballot*
This ballot updates the “Baseline Requirements for the Issuance and
Management of Publicly‐Trusted Code Signing Certificates“ version
3.7 in order to clarify language regarding Timestamp Authority
Private Key Protection. The main goals of this ballot are to:
1. Import all CSBR references that point to the EV Guidelines with
the actual language of corresponding sections of version 1.8.0
of the EV Guidelines, in order to remove external dependencies.
2. The Code Signing Working Group decided not to import rules
related to the subject:organizationIdentifier field.
The following motion has been proposed by Dimitris Zacharopoulos of
HARICA and endorsed by Martijn Katerbarg of Sectigo and Corey
Bonnell of Digicert.
You can view the github pull request representing this ballot here
<https://github.com/cabforum/code-signing/pull/38>.
Motion Begins
MODIFY the “Baseline Requirements for the Issuance and Management of
Publicly‐Trusted Code Signing Certificates” ("Code Signing Baseline
Requirements") based on version 3.7 as specified in the following
redline:
*
https://github.com/cabforum/code-signing/compare/d431d9104094f2b89f35ed4bf1d64b9a844e762b...d5af6d895b3666b5351509ad25d47ac5e87321fc
Motion Ends
This ballot proposes a Final Maintenance Guideline. The procedure
for approval of this ballot is as follows:
Discussion (at least 7 days)
* Start time: 2024-06-12 07:00:00 UTC
* End time: on or after 2024-06-19 07:00:00 UTC
Vote for approval (7 days)
* Start time: TBD
* End time: TBD
_______________________________________________
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public
_______________________________________________
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public
_______________________________________________
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public
_______________________________________________
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public