<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
span.EmailStyle20
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p style='margin:0in'><b><span style='color:#767676'>Here are the </span>final<span style='color:#767676'> minutes of the subject call:<o:p></o:p></span></b></p><p style='margin:0in'><span style='font-size:10.0pt;color:#767676'><o:p> </o:p></span></p><p style='margin:0in'><b>Meeting Date: </b>3/25/2021 09:00 AM<o:p></o:p></p><p style='margin:0in'><b>Participants:</b><o:p></o:p></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:27.0pt'> <o:p></o:p></p><p class=MsoNormal style='margin-left:63.0pt;text-indent:-.25in;mso-list:l1 level1 lfo2;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Dean Coclin<o:p></o:p></p><p class=MsoNormal style='margin-left:63.0pt;text-indent:-.25in;mso-list:l1 level1 lfo2;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Adriano Santoni<o:p></o:p></p><p class=MsoNormal style='margin-left:63.0pt;text-indent:-.25in;mso-list:l1 level1 lfo2;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Atsushi Inaba<o:p></o:p></p><p class=MsoNormal style='margin-left:63.0pt;text-indent:-.25in;mso-list:l1 level1 lfo2;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Bruce Morton<o:p></o:p></p><p class=MsoNormal 
style='margin-left:63.0pt;text-indent:-.25in;mso-list:l1 level1 lfo2;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Corey Bonnell<o:p></o:p></p><p class=MsoNormal style='margin-left:63.0pt;text-indent:-.25in;mso-list:l1 level1 lfo2;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Daniela Hood<o:p></o:p></p><p class=MsoNormal style='margin-left:63.0pt;text-indent:-.25in;mso-list:l1 level1 lfo2;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Inigo Barreira<o:p></o:p></p><p class=MsoNormal style='margin-left:63.0pt;text-indent:-.25in;mso-list:l1 level1 lfo2;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Tim Crawford<o:p></o:p></p><p class=MsoNormal style='margin-left:63.0pt;text-indent:-.25in;mso-list:l1 level1 lfo2;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Tim Hollebeek<o:p></o:p></p><p class=MsoNormal style='margin-left:63.0pt;text-indent:-.25in;mso-list:l1 level1 lfo2;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Ian McMillan<o:p></o:p></p><p style='margin:0in'> <o:p></o:p></p><p 
style='margin:0in'><b>Notes:</b><o:p></o:p></p><p class=MsoNormal style='margin-left:63.0pt;text-indent:-.25in;mso-list:l0 level1 lfo4;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Anti-Trust Statement read by Dean<o:p></o:p></p><p class=MsoNormal style='margin-left:63.0pt;text-indent:-.25in;mso-list:l0 level1 lfo4;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Approval of prior meeting minutes (2/25 and 3/12)<o:p></o:p></p><p class=MsoNormal style='margin-left:1.75in;text-indent:-.25in;mso-list:l0 level2 lfo4;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:"Courier New"'><span style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'>    </span></span></span><![endif]>Approve meeting minutes from the past two meetings <o:p></o:p></p><p class=MsoNormal style='margin-left:63.0pt;text-indent:-.25in;mso-list:l0 level1 lfo4;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>CSC-8 Ballot Discussions<o:p></o:p></p><p class=MsoNormal style='margin-left:1.75in;text-indent:-.25in;mso-list:l0 level2 lfo4;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:"Courier New"'><span style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'>    </span></span></span><![endif]>Ian summarized the state of the ballot and areas of discussion period's feedback<o:p></o:p></p><p class=MsoNormal style='margin-left:1.75in;text-indent:-.25in;mso-list:l0 level2 lfo4;vertical-align:middle'><![if !supportLists]><span 
style='font-size:10.0pt;font-family:"Courier New"'><span style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'>    </span></span></span><![endif]>Tim H - CRL requirement not having the accuracy of the CRL requirement being on Timestamp and Code Signing certificates <o:p></o:p></p><p class=MsoNormal style='margin-left:189.0pt;text-indent:-.25in;mso-list:l0 level3 lfo4;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Wingdings'><span style='mso-list:Ignore'>§<span style='font:7.0pt "Times New Roman"'>  </span></span></span><![endif]>We should state what is required for CRLs and prefer to get this aligned with the BR requirements<o:p></o:p></p><p class=MsoNormal style='margin-left:189.0pt;text-indent:-.25in;mso-list:l0 level3 lfo4;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Wingdings'><span style='mso-list:Ignore'>§<span style='font:7.0pt "Times New Roman"'>  </span></span></span><![endif]>Goal to reduce ambiguity with what are the CRL requirements for each layer<o:p></o:p></p><p class=MsoNormal style='margin-left:3.5in;text-indent:-.25in;mso-list:l0 level4 lfo4;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>End entities, and non-Self-Signed certs (sub CAs)<o:p></o:p></p><p class=MsoNormal style='margin-left:189.0pt;text-indent:-.25in;mso-list:l0 level3 lfo4;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Wingdings'><span style='mso-list:Ignore'>§<span style='font:7.0pt "Times New Roman"'>  </span></span></span><![endif]>Agreed to add this change to the next clean up ballot to clear the way to get this ballot out with the key protection update needed to meet the 3072 key length date coming up on June 1, 2021<o:p></o:p></p><p class=MsoNormal 
style='margin-left:1.75in;text-indent:-.25in;mso-list:l0 level2 lfo4;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:"Courier New"'><span style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'>    </span></span></span><![endif]>Tim H/Corey - Appendix B with regards to AIA requirements specify root CA previously and now say issuing CA, but this should never be the root CA. The parent issuing CA URL should be there, but this extension must NOT be included if the parent CA is the root CA.<o:p></o:p></p><p class=MsoNormal style='margin-left:189.0pt;text-indent:-.25in;mso-list:l0 level3 lfo4;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Wingdings'><span style='mso-list:Ignore'>§<span style='font:7.0pt "Times New Roman"'>  </span></span></span><![endif]>AIA should never download the root CA certificate, CTLs do this in the platform.<o:p></o:p></p><p class=MsoNormal style='margin-left:3.5in;text-indent:-.25in;mso-list:l0 level4 lfo4;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>You do not download self-signed certificates<o:p></o:p></p><p class=MsoNormal style='margin-left:3.5in;text-indent:-.25in;mso-list:l0 level4 lfo4;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Cross-signed roots are sub issuing CA of the root that signed it (caveat to the point above regarding downloading self-signed certs)<o:p></o:p></p><p class=MsoNormal style='margin-left:189.0pt;text-indent:-.25in;mso-list:l0 level3 lfo4;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Wingdings'><span style='mso-list:Ignore'>§<span style='font:7.0pt "Times New Roman"'> 
 </span></span></span><![endif]>Take this to the mailing list and the next ballot needs to clean this up, and will combine with other clean up items Bruce has and the CRL specifics<o:p></o:p></p><p class=MsoNormal style='margin-left:1.75in;text-indent:-.25in;mso-list:l0 level2 lfo4;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:"Courier New"'><span style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'>    </span></span></span><![endif]>Tim H - in section 13.2.2 with regards to the Timestamp Certificate Status #2 for OCSP status it should NOT say "Subordinate CA" but "Timestamp" in the below sentence:<o:p></o:p></p><p style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:81.0pt'><i>If the CA provides OCSP responses, the CA SHALL update information provided via an OCSP response at least (i) every twelve months   and (ii) within 24 hours after revoking a <b>Subordinate CA</b> Certificate.</i><o:p></o:p></p><p class=MsoNormal style='margin-left:1.25in;text-indent:-.25in;mso-list:l2 level1 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:"Courier New"'><span style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'>    </span></span></span><![endif]>Ian - No confirmation on the Oracle Java SE behavior with timestamp certificate validity being within the validity period at the time of validation <o:p></o:p></p><p class=MsoNormal style='margin-left:153.0pt;text-indent:-.25in;mso-list:l2 level2 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Wingdings'><span style='mso-list:Ignore'>§<span style='font:7.0pt "Times New Roman"'>  </span></span></span><![endif]>Bruce - believes Java SE does not respect timestamps on JAR signature<o:p></o:p></p><p class=MsoNormal style='margin-left:153.0pt;text-indent:-.25in;mso-list:l2 level2 lfo6;vertical-align:middle'><![if !supportLists]><span 
style='font-size:10.0pt;font-family:Wingdings'><span style='mso-list:Ignore'>§<span style='font:7.0pt "Times New Roman"'>  </span></span></span><![endif]>Need to get confirmation from Oracle<o:p></o:p></p><p class=MsoNormal style='margin-left:153.0pt;text-indent:-.25in;mso-list:l2 level2 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Wingdings'><span style='mso-list:Ignore'>§<span style='font:7.0pt "Times New Roman"'>  </span></span></span><![endif]>The pain/oddity with a 135 month certificate that is replaced every 15 months <o:p></o:p></p><p class=MsoNormal style='margin-left:153.0pt;text-indent:-.25in;mso-list:l2 level2 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Wingdings'><span style='mso-list:Ignore'>§<span style='font:7.0pt "Times New Roman"'>  </span></span></span><![endif]>MS 1st party Timestamp certificates will continue to be 15 months at most because this is a MAX validity<o:p></o:p></p><p class=MsoNormal style='margin-left:153.0pt;text-indent:-.25in;mso-list:l2 level2 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Wingdings'><span style='mso-list:Ignore'>§<span style='font:7.0pt "Times New Roman"'>  </span></span></span><![endif]>Need to consider the language here with MAX validity or we can leave it (CA can choose to limit it to any validity period less than 135 months)<o:p></o:p></p><p class=MsoNormal style='margin-left:153.0pt;text-indent:-.25in;mso-list:l2 level2 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Wingdings'><span style='mso-list:Ignore'>§<span style='font:7.0pt "Times New Roman"'>  </span></span></span><![endif]>If we get the confirmation from Oracle we can change this to 15 months, if not, leave it as is for now<o:p></o:p></p><p class=MsoNormal style='margin-left:1.25in;text-indent:-.25in;mso-list:l2 level1 lfo6;vertical-align:middle'><![if 
!supportLists]><span style='font-size:10.0pt;font-family:"Courier New"'><span style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'>    </span></span></span><![endif]>CSC-6 Key Protection - focus on how we support public cloud services for a key generation and protection<o:p></o:p></p><p class=MsoNormal style='margin-left:153.0pt;text-indent:-.25in;mso-list:l2 level2 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Wingdings'><span style='mso-list:Ignore'>§<span style='font:7.0pt "Times New Roman"'>  </span></span></span><![endif]>Number change by Bruce helps separate the two components of the requirements: (1) key protection, (2) key protection verification<o:p></o:p></p><p class=MsoNormal style='margin-left:3.0in;text-indent:-.25in;mso-list:l2 level3 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Goal in key protection to remove the acceptance of software protected keys and add cloud-based key protection solutions that meet the crypto module requirements (FIPS 140-Level 2, <o:p></o:p></p><p class=MsoNormal style='margin-left:3.0in;text-indent:-.25in;mso-list:l2 level3 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Ian asked what is the common practice for subscriber keys being generated by the subscribers or are they pre-generated<o:p></o:p></p><p class=MsoNormal style='margin-left:279.0pt;text-indent:-.25in;mso-list:l2 level4 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Bruce and Tim H said the common practice is 
subscribers generate keys, but not in the case of signing services (CA that provides a signing service can generate the keys on behalf of the subscriber)<o:p></o:p></p><p class=MsoNormal style='margin-left:279.0pt;text-indent:-.25in;mso-list:l2 level4 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Adriano asked if we can address the topic he raised on the mailing list regarding single supplier issue and the interpretation of the requirements for a crypto module's certification<o:p></o:p></p><p class=MsoNormal style='margin-left:1.25in;text-indent:-.25in;mso-list:l2 level1 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:"Courier New"'><span style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'>    </span></span></span><![endif]>Adriano - Single supplier issue that meets the CC EAL 4+ requirement, and the interpretation of the requirements for a crypto module's certification<o:p></o:p></p><p class=MsoNormal style='margin-left:153.0pt;text-indent:-.25in;mso-list:l2 level2 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Wingdings'><span style='mso-list:Ignore'>§<span style='font:7.0pt "Times New Roman"'>  </span></span></span><![endif]>Ask is if the group agrees with Tomas' interpretation of the ambiguity in the wording of the requirement? <o:p></o:p></p><p class=MsoNormal style='margin-left:3.0in;text-indent:-.25in;mso-list:l2 level3 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Adriano's question is centered on if the programmable interface or applications leveraging the crypto module needs to be also certified? 
What is the group's collective opinion.<o:p></o:p></p><p class=MsoNormal style='margin-left:3.0in;text-indent:-.25in;mso-list:l2 level3 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Tomas pointed out that the certification is on the crypto module itself and that will satisfy this requirement.<o:p></o:p></p><p class=MsoNormal style='margin-left:3.0in;text-indent:-.25in;mso-list:l2 level3 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Dean points out we should make sure this is not ambiguous for auditors like Tim Crawford<o:p></o:p></p><p class=MsoNormal style='margin-left:3.0in;text-indent:-.25in;mso-list:l2 level3 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Ian sees the specifics of the requirements is about the certification of the crypto module<o:p></o:p></p><p class=MsoNormal style='margin-left:3.0in;text-indent:-.25in;mso-list:l2 level3 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Adriano would like this written with better clarity<o:p></o:p></p><p class=MsoNormal style='margin-left:3.0in;text-indent:-.25in;mso-list:l2 level3 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Tim H sees the current language of the requirement with Tomas' 
interpretation is clear that the certification is required for the crypto module (and we state that in the meeting notes)<o:p></o:p></p><p class=MsoNormal style='margin-left:3.0in;text-indent:-.25in;mso-list:l2 level3 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>The evaluation of the software that is certified can be part of a certification<o:p></o:p></p><p class=MsoNormal style='margin-left:279.0pt;text-indent:-.25in;mso-list:l2 level4 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Devices on the market that have hardware crypto module that is certified, but the applet/API that exposes the crypto operations may not be included in the certification<o:p></o:p></p><p class=MsoNormal style='margin-left:279.0pt;text-indent:-.25in;mso-list:l2 level4 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>All modern HSMs have custom code options, and this code is not able to tamper with the trust/security boundary of the crypto module that is certified<o:p></o:p></p><p class=MsoNormal style='margin-left:3.0in;text-indent:-.25in;mso-list:l2 level3 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Ask for Adriano to provide better text suggestions to address the ambiguity he sees in the current text<o:p></o:p></p><p class=MsoNormal style='margin-left:153.0pt;text-indent:-.25in;mso-list:l2 level2 lfo6;vertical-align:middle'><![if 
!supportLists]><span style='font-size:10.0pt;font-family:Wingdings'><span style='mso-list:Ignore'>§<span style='font:7.0pt "Times New Roman"'>  </span></span></span><![endif]>The key protection change is part of the draft for CSC-6<o:p></o:p></p><p class=MsoNormal style='margin-left:153.0pt;text-indent:-.25in;mso-list:l2 level2 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Wingdings'><span style='mso-list:Ignore'>§<span style='font:7.0pt "Times New Roman"'>  </span></span></span><![endif]>Ian not interested in moving the June 1, 2021 date for 3072 key lengths on RSA<o:p></o:p></p><p class=MsoNormal style='margin-left:153.0pt;text-indent:-.25in;mso-list:l2 level2 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Wingdings'><span style='mso-list:Ignore'>§<span style='font:7.0pt "Times New Roman"'>  </span></span></span><![endif]>How does the group address the lack of suppliers issue in terms of the tokens with longer key lengths (is this our business to address this)?<o:p></o:p></p><p class=MsoNormal style='margin-left:3.0in;text-indent:-.25in;mso-list:l2 level3 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Timeline for a FIPS certification is still 18 months for suppliers<o:p></o:p></p><p class=MsoNormal style='margin-left:3.0in;text-indent:-.25in;mso-list:l2 level3 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>This requirement has been out there since 2015 (this was a January 1, 2021 deadline originally)<o:p></o:p></p><p class=MsoNormal style='margin-left:279.0pt;text-indent:-.25in;mso-list:l2 level4 lfo6;vertical-align:middle'><![if 
!supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Signing Service and cloud-based key protection solutions are also valid options for subscribers<o:p></o:p></p><p class=MsoNormal style='margin-left:3.0in;text-indent:-.25in;mso-list:l2 level3 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Competition should be the driver<o:p></o:p></p><p class=MsoNormal style='margin-left:1.25in;text-indent:-.25in;mso-list:l2 level1 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:"Courier New"'><span style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'>    </span></span></span><![endif]>Back to the key protection change with cloud-based solution in CSC-6<o:p></o:p></p><p class=MsoNormal style='margin-left:153.0pt;text-indent:-.25in;mso-list:l2 level2 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Wingdings'><span style='mso-list:Ignore'>§<span style='font:7.0pt "Times New Roman"'>  </span></span></span><![endif]>The group is okay with the current key protection language Ian proposed<o:p></o:p></p><p class=MsoNormal style='margin-left:153.0pt;text-indent:-.25in;mso-list:l2 level2 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Wingdings'><span style='mso-list:Ignore'>§<span style='font:7.0pt "Times New Roman"'>  </span></span></span><![endif]>Second part on key protection verification is the harder part…<o:p></o:p></p><p class=MsoNormal style='margin-left:3.0in;text-indent:-.25in;mso-list:l2 level3 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt 
"Times New Roman"'>         </span></span></span><![endif]>Counter-signed CSRs with manufacturer's certificates is extremely rare<o:p></o:p></p><p class=MsoNormal style='margin-left:279.0pt;text-indent:-.25in;mso-list:l2 level4 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Great solution, maybe the best means, but not broadly available<o:p></o:p></p><p class=MsoNormal style='margin-left:279.0pt;text-indent:-.25in;mso-list:l2 level4 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>No one knows why this is rare, and may be only because it is a recent trend<o:p></o:p></p><p class=MsoNormal style='margin-left:3.0in;text-indent:-.25in;mso-list:l2 level3 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>CAs shipping suitable hardware crypto module should state with or <b>without </b>pre-installed keys<o:p></o:p></p><p class=MsoNormal style='margin-left:279.0pt;text-indent:-.25in;mso-list:l2 level4 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Shipping without pre-installed keys is the better option<o:p></o:p></p><p class=MsoNormal style='margin-left:153.0pt;text-indent:-.25in;mso-list:l2 level2 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Wingdings'><span style='mso-list:Ignore'>§<span style='font:7.0pt "Times New Roman"'>  </span></span></span><![endif]>Need to have multiple 
options to help satisfy the requirements<o:p></o:p></p><p class=MsoNormal style='margin-left:153.0pt;text-indent:-.25in;mso-list:l2 level2 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Wingdings'><span style='mso-list:Ignore'>§<span style='font:7.0pt "Times New Roman"'>  </span></span></span><![endif]>Suitable IT audit gives a lot of flexibility <o:p></o:p></p><p class=MsoNormal style='margin-left:3.0in;text-indent:-.25in;mso-list:l2 level3 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]>Tim Crawford never encounters this as an acceptable means to satisfying the requirements<o:p></o:p></p><p class=MsoNormal style='margin-left:153.0pt;text-indent:-.25in;mso-list:l2 level2 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Wingdings'><span style='mso-list:Ignore'>§<span style='font:7.0pt "Times New Roman"'>  </span></span></span><![endif]>Self-assertion is part of the subscriber agreement requirements <o:p></o:p></p><p class=MsoNormal style='margin-left:153.0pt;text-indent:-.25in;mso-list:l2 level2 lfo6;vertical-align:middle'><![if !supportLists]><span style='font-size:10.0pt;font-family:Wingdings'><span style='mso-list:Ignore'>§<span style='font:7.0pt "Times New Roman"'>  </span></span></span><![endif]>Had to cut the discussion off at this point due to end of the meeting hour, will continue this discussion<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>