<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-2022-jp">
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"MS PGothic";
panose-1:2 11 6 0 7 2 5 8 2 4;}
@font-face
{font-family:"\@MS PGothic";}
@font-face
{font-family:"\@SimSun";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:JA;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
p.xmsonormal, li.xmsonormal, div.xmsonormal
{mso-style-name:x_msonormal;
margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:JA;}
p.xmsolistparagraph, li.xmsolistparagraph, div.xmsolistparagraph
{mso-style-name:x_msolistparagraph;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:JA;}
span.EmailStyle23
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:255404362;
mso-list-template-ids:-1983894784;}
@list l0:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1
{mso-list-id:1076323968;
mso-list-template-ids:734282504;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='mso-fareast-language:EN-US'>We�$B!G�(Jll have more comments later, but there�$B!G�(Js a simple one I would like to point out to start the discussion. The requirement to have CRLs is stated as �$B!H�(JCAs MUST issue CRLs, �$B!D!I�(J. This is trivially true for DigiCert. We issue LOTS of CRLs!<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>I believe the intent is that CAs MUST issue one or more CRLs that collectively cover all the relevant types of certificates that are in scope for the CSBRs. The requirement needs to have that level of specificity and detail, so there�$B!G�(Js clarity about exactly what is required.<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>-Tim<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='mso-fareast-language:ZH-CN'>From:</span></b><span style='mso-fareast-language:ZH-CN'> Cscwg-public <cscwg-public-bounces@cabforum.org> <b>On Behalf Of </b>Ian McMillan via Cscwg-public<br><b>Sent:</b> Thursday, March 18, 2021 5:44 PM<br><b>To:</b> Bruce.Morton@entrust.com; cscwg-public@cabforum.org<br><b>Subject:</b> Re: [Cscwg-public] Ballot CSC-8 v3: Update to Revocation response mechanisms. key protection for EV certificates, and clean-up of 11.2.1 & Appendix B<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>Absolutely, I�$B!G�(Jve made this change in the attached redline now.<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>Thanks,<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>Ian<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='mso-fareast-language:ZH-CN'>From:</span></b><span style='mso-fareast-language:ZH-CN'> Bruce Morton <a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a> <br><b>Sent:</b> Thursday, March 18, 2021 2:34 PM<br><b>To:</b> Ian McMillan <<a href="mailto:ianmcm@microsoft.com">ianmcm@microsoft.com</a>>; <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> [EXTERNAL] RE: Ballot CSC-8 v3: Update to Revocation response mechanisms. key protection for EV certificates, and clean-up of 11.2.1 & Appendix B<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='mso-fareast-language:ZH-CN'>Hi Ian,<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:ZH-CN'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:ZH-CN'>Can we remove both of these sentences, �$B!H�(JA Timestamp Authority is NOT REQUIRED to validate in any way data submitted to it for timestamping. It simply adds the time to the data that are presented to it, signs the result and appends its own Timestamp Certificate.�$B!I�(J<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:ZH-CN'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:ZH-CN'>�(JThe reason is CSBR 11.2.1 is called �$B!H�(JVerification Requirements �(J–�(J Overview�$B!I�(J, so Timestamp Authority requirements should not be in this section. Also CSBR 1</span>6.1 (1) addresses the Timestamp Authority requirement. If we need some of this text, it should be move to the correct section.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks, Bruce.<span style='mso-fareast-language:ZH-CN'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:ZH-CN'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org">cscwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b>Ian McMillan via Cscwg-public<br><b>Sent:</b> Thursday, March 18, 2021 5:17 PM<br><b>To:</b> <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> [EXTERNAL] [Cscwg-public] Ballot CSC-8 v3: Update to Revocation response mechanisms. key protection for EV certificates, and clean-up of 11.2.1 & Appendix B<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"MS PGothic",sans-serif'>WARNING: This email originated outside of Entrust.<br>DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.<o:p></o:p></span></p><div class=MsoNormal align=center style='text-align:center'><span style='font-size:12.0pt;font-family:"MS PGothic",sans-serif'><hr size=0 width="100%" align=center></span></div><p class=MsoNormal><b>Ballot CSC-8 v3: Update to Revocation response mechanisms. key protection for EV certificates, and clean-up of 11.2.1 & Appendix B<o:p></o:p></b></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Purpose of this ballot:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Address the changes needed in the Baseline Requirement for the Issuance and Management of Publicly-Trusted Code Signing Certificates v2.2 for:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><ol style='margin-top:0in' start=1 type=1><li class=xmsolistparagraph style='margin-left:0in;mso-list:l0 level1 lfo3'>Making OCSP optional with CRLs being required (13.2.1, 13.2.2, Appendix B: 3C, 5C)<o:p></o:p></li><li class=xmsolistparagraph style='margin-left:0in;mso-list:l0 level1 lfo3'>Added Common Criteria EAL 4+ to the supported key protection crypto modules for EV certificates in light of support for RSA 3072 keys (16.3.2)<o:p></o:p></li><li class=xmsolistparagraph style='margin-left:0in;mso-list:l0 level1 lfo3'>Clean up of Appendix B[3C] & [5C] (AIA value requirements) and section 11.2.1 contradiction with RFC3161<o:p></o:p></li></ol><p class=xmsolistparagraph><o:p> </o:p></p><p class=xmsonormal>In Appendix B, it was noted that the requirements for the Timestamping (5C) and Code Signing (3C) certificates had AIA value requirements to include the root certificate URL, but that should be the issuing CA URL. This has been included in this ballot.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Corey Bonnell noted a contradiction in the section 11.2.1 regarding Timestamp in the clause �$B!H�(Jand appends it own Timestamp Certificate�$B!I�(J is an unconditional requirement for a timestamp response to include the TSA certificate chain, but this conflicts with RFC3161 making this clause a conditional requirement based on the certReq field (missing or set to false). This clean up has the clause removed from section 11.2.1.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The following motion has been proposed by Ian McMillan of Microsoft, and endorsed by Dimitris Zacharopoulos of HARICA and Bruce Morton of EnTrust.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>--- MOTION BEGINS ---<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>�(JThis ballot modifies the �$B!H�(JBaseline Requirements for the Issuance and Management of Publicly�$B!>�(JTrusted Code Signing Certificates" version 2.2 according to the attached redline.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>--- MOTION ENDS ---<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The procedure for approval of this ballot is as follows:<br><br>Discussion (7 days)<br>Start Time: 2021-03-18, 17:30 Eastern Time (US)<br>End Time: not before 2021-03-25, 17:30 Eastern Time (US)<br><br>Vote for approval (7 days)<o:p></o:p></p><p class=MsoNormal>Start Time: 2021-03-25, 17:30 Eastern Time (US)<o:p></o:p></p><p class=MsoNormal>End Time: 2021-04-01, 17:30 Eastern Time (US)<o:p></o:p></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p></div></div></body></html>