<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
mso-add-space:auto;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
mso-add-space:auto;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
mso-add-space:auto;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
mso-add-space:auto;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1338770436;
mso-list-type:hybrid;
mso-list-template-ids:1504329940 883453612 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:20.25pt;
text-indent:-.25in;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:Calibri;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:56.25pt;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:92.25pt;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:128.25pt;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:164.25pt;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:200.25pt;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:236.25pt;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:272.25pt;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:308.25pt;
text-indent:-.25in;
font-family:Wingdings;}
@list l1
{mso-list-id:1364549298;
mso-list-type:hybrid;
mso-list-template-ids:-1993165516 93995154 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:Calibri;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><b>Here are the final minutes of the subject meeting<o:p></o:p></b></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Attendees:<o:p></o:p></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpFirst style='margin-left:0in;mso-add-space:auto;mso-list:l1 level1 lfo1'>Atsushi Inaba - GlobalSign<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l1 level1 lfo1'>Andrea Holland – SecureTrust<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l1 level1 lfo1'>Bruce Morton - Entrust<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l1 level1 lfo1'>Corey Bonnell - DigiCert<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l1 level1 lfo1'>Dean Coclin - DigiCert<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l1 level1 lfo1'>Ian McMillan - Microsoft<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l1 level1 lfo1'>Janet Hines - SecureTrust<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l1 level1 lfo1'>Joanna Fox – TrustCor<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l1 level1 lfo1'>Tim Crawford – BDO<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l1 level1 lfo1'>Tim Hollebeek – DigiCert<o:p></o:p></li><li class=MsoListParagraphCxSpLast style='margin-left:0in;mso-add-space:auto;mso-list:l1 level1 lfo1'>Roberto Quinones - Intel<o:p></o:p></li></ul><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Bruce read the 
anti-trust statement.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Minute-taker: Andrea<o:p></o:p></p><p class=MsoNormal style='text-indent:.5in'><o:p> </o:p></p><p class=MsoNormal>Minutes from July 29th were approved.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Bruce - Parking Lot Items Update<o:p></o:p></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpFirst style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'><a href="https://scanmail.trustwave.com/?c=4062&d=kfeW4XVnVBY1I_d5X9VVgwdf-VXnfQzLmTDhJkATMQ&s=5&u=https%3a%2f%2fdocs%2egoogle%2ecom%2fspreadsheets%2fd%2f1UID98GQnBNE9dzIkugMlLFF6po8FC5vbcSq0cwMEVqk%2fedit%23gid%3d0%26fvid%3d1822680629">https://docs.google.com/spreadsheets/d/1UID98GQnBNE9dzIkugMlLFF6po8FC5vbcSq0cwMEVqk/edit#gid=0&fvid=1822680629</a><o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>Parking lot is tracking the open items from email discussions and meetings<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>A bunch of items have been closed out during the cleanup and clarifications ballot<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>Review of open items <o:p></o:p></li><ul style='margin-top:0in' type=circle><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Section 11.5 – In discussion<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Section 16.3 – Ian is working on a ballot<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Section 4 – Setup method to discuss new ballots coming from BRs and EV Guidelines<o:p></o:p></li><li 
class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Section 13 – Dimitris is working on a ballot<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Section 9.2.1 – Tim H is working on <o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Section 11.1.11 – Open<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Section 9.2 – Open<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Section 13.2.1 – In discussion<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Section 7.2 – will probably drop since we are working on as a whole<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Section 11.1.2 – in discussion<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Section 15 – Open<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Section All – In process<o:p></o:p></li><li class=MsoListParagraphCxSpLast style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Section 9.2.4 - Open<o:p></o:p></li></ul></ul><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Ballots<o:p></o:p></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpFirst style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>CSC-9 in IPR until Sept 8<sup>th</sup><o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>CSC-10 in IPR until Sept 
12<sup>th</sup><o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>Bruce: Do we want 2 publications 4 days apart? Or put into 1 publication<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>Dean: Practically speaking 1 publication make, but we will have to check the bylaws<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>Bruce: The work has been done<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>Dean: Will have to do some research<o:p></o:p></li><li class=MsoListParagraphCxSpLast style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>Bruce: We will discuss it on the 9<sup>th</sup><o:p></o:p></li></ul><p class=MsoNormal><o:p> </o:p></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpFirst style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>Ian - Logging Ballot – Data Log Retention<o:p></o:p></li><ul style='margin-top:0in' type=circle><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Taking from BRs v2.5 the outcome of CSC-10 and put CSC-11 on top of it<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Redlined Ready and drafted for ballot discussion<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Looking for 2 endorsers<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'><a href="https://wiki.cabforum.org/cscwg/csc_11_-_update_to_log_data_retention">https://wiki.cabforum.org/cscwg/csc_11_-_update_to_log_data_retention</a> 
_requirements<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Ian to send out redline for potential endorsers to review<o:p></o:p></li></ul><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>Ian - Subscriber Private Keys<o:p></o:p></li><ul style='margin-top:0in' type=circle><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Has some proposed language, but waiting for cleanup and log retention ballot<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Still need to discuss: How does a subscriber provide proof of key generation in a protected system? <o:p></o:p></li><li class=MsoListParagraphCxSpLast style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Ian Will present ideas at the next meeting<o:p></o:p></li></ul></ul><p class=MsoNormal>Bruce - SCWG Ballots to Review<o:p></o:p></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpFirst style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'><a href="https://scanmail.trustwave.com/?c=4062&d=kfeW4XVnVBY1I_d5X9VVgwdf-VXnfQzLmTDhJkATMQ&s=5&u=https%3a%2f%2fdocs%2egoogle%2ecom%2fspreadsheets%2fd%2f1UID98GQnBNE9dzIkugMlLFF6po8FC5vbcSq0cwMEVqk%2fedit%23gid%3d0%26fvid%3d1822680629">https://docs.google.com/spreadsheets/d/1UID98GQnBNE9dzIkugMlLFF6po8FC5vbcSq0cwMEVqk/edit#gid=0&fvid=1822680629</a><o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>Purpose - CSBRs refer to both TLS BRs and EV Guidelines. We didn’t want the docs to impact us so froze the versions. 
However, we end up losing out on positive improvements<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>Review ballots for any impact<o:p></o:p></li><ul style='margin-top:0in' type=circle><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>SC26 – Formatting change – No impact<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>SC28 – Log changes - Improvement – Ballot created<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>SC30 – EV registration transparency - Improvement – should be discussed<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>SC31 – Browser Alignment - No Impact – should rereview after reformatting<o:p></o:p></li><ul style='margin-top:0in' type=square><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level3 lfo2'>Corey: More impactful ballots, so a comprehensive review is needed<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level3 lfo2'>Tim H: In agreement<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level3 lfo2'>Bruce: Maybe have a CSBR alignment ballot<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level3 lfo2'>Tim H: Benefits to alignment to reduce issues of selecting the wrong requirements to follow<o:p></o:p></li></ul><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>SC33 – APLN method - Review <o:p></o:p></li><ul style='margin-top:0in' type=square><li class=MsoListParagraphCxSpMiddle 
style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level3 lfo2'>Bruce: Domains have no impact since we don’t have domains<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level3 lfo2'>Tim H: Tiny ways domain can get in, the OU language references domains in an OU<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level3 lfo2'>Bruce: We have that in the CS document?<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level3 lfo2'>Tim H: It is there more as a bug than a feature<o:p></o:p></li></ul><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>SC35 – Cleanups/Clarifications - Needs Review<o:p></o:p></li><ul style='margin-top:0in' type=square><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level3 lfo2'>Bruce:<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level3 lfo2'>Tim: SC31 + SC35 good to review together<o:p></o:p></li></ul><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>SC39 – NetSec Critical Vulnerability - No Change – Already have to abide by since we don’t have a version set<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>SC41 – Reformatting – No impact<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>SC42 – 398 day reuse – No impact<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>SC44 – Status codes – No impact<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 
level2 lfo2'>SC45 – Wildcard domain validation – No impact<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>SC46 – CAA – No impact<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>SC47 – Remove OU – review<o:p></o:p></li><ul style='margin-top:0in' type=square><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level3 lfo2'>Bruce: Is that something we want to consider<o:p></o:p></li></ul><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>SC48 – Domain Encoding - No Impact<o:p></o:p></li></ul><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>Bruce: Circle back and review the items for domains. Overall two items Log changes and alignment (we can include EV registration in the alignment as well). 
The one that will help us we are taking care of and the others will be addressed with an alignment ballot.<o:p></o:p></li><li class=MsoListParagraphCxSpLast style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>The one that will help us are taken care of and the others have no impact.<o:p></o:p></li></ul><p class=MsoNormal>Corey – New Formatting for CSBRs<o:p></o:p></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpFirst style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>Completed moving content of CSBRs version 2.5 to pandoc includes CSC-10 Audit Criteria update.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>Working out of fork in github – <a href="https://github.com/CBonnell/code-signing/tree/rc3647-migration">https://github.com/CBonnell/code-signing/tree/rc3647-migration</a><o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>Running through another sweep and will be opening a PR to get the process started.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>Appendices A+B are now in Section 7<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>Pdf: <a href="https://github.com/CBonnell/code-signing/actions/runs/1171082629">https://github.com/CBonnell/code-signing/actions/runs/1171082629</a><o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>Content has some word smithing. Some things that needed to be split up, adjust for formatting, and organization shifts. <o:p></o:p></li><ul style='margin-top:0in' type=circle><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Ex. 
Timestamping was under key protection so it got moved to Section 6.8 <o:p></o:p></li></ul><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>A lot of blank places which already existed. Which leaves it unclear. Do you go to look at the TLS BRs for information? What if the TLS BRs is also blank? Is what is on the TLS BRs relevant for CS BRs?<o:p></o:p></li><ul style='margin-top:0in' type=circle><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Corey: Next Step- Does this blank make sense?<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Dean: Good point, this is where we will need to do some work and research; fill in what might need to be here or adding new content.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Bruce: Is there language that states we follow TLS BRs unless noted in CSBRs?<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Corey: I did not find any explicit language. It is agreed upon, and called out in some areas, but not for the overall document. Ex. CRL Profile Requirements.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Bruce: But we do say, except where specifically stated during the event of any conflict in which case these requirements will prevail, this document incorporates by reference the Baseline Requirements, NetSec Requirements, EV guidelines. 
<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Dean: What does that mean for audits?<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Tim Crawford: It is easier to have the relevant information brought over. If not, we pull those from the baseline SSL where applicable.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Bruce: This problem already exists we are just reformatting. WebTrust wrote audit criteria for CS and based on our CSBRs. I don’t know if a problem exists. A problem would exist if we take the reference to the TLS BRs out of our document. Section 1.1 of our document we state we are using those documents unless they conflict with what we wrote in our CS BRs<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Tim Hollebeek: I agree with you and I think in most cases like key pairs certificate usage, is something that is well understood and the fact that it doesn’t diverge. There is not going to be any real disagreements on that. There are sections that are blank where the underlying TLS BRs section doesn’t make any sense in the CS context, but nobody’s noticed.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Bruce: I agree<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Tim H: I agree there is no problem, but it would be worthwhile to review. Do we really mean No Stipulation and if we do put that there. Do we really mean defer to the TLS BRs and if we do put that there. 
<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Dean: Does the audit criteria change if we clarify.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Tim H: I am moving beyond the audit criteria, that can remain unchanged. The point I was making is that 90% of the topics you can come up with what was actually intended. The problem is there are areas where it is unclear and if you are trying to figure out what the requirements are it is unclear what the intent is. We did this for TLS BRs in DC 5 years ago and actually put in No Stipulation where it is made. Now that we are in 3647 format it is much easier to solve this problem. Probably only take an hour or two to produce a rough draft. <o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Dean: This is a task for another time and put on the agenda. Great start Corey, looks great, is readable, and manageable. We can dedicate time at another meeting, a separate summit, or the face to face. We have a lot of options.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Tim H: Instead of trying to have a bunch of us spending time looking at. Maybe just two of us review and provide recommendations without having everyone sit and look through side by side<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Dean: Calls for volunteers<o:p></o:p></li><ul style='margin-top:0in' type=square><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level3 lfo2'>Tim H. 
and Corey volunteer<o:p></o:p></li></ul><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Corey: Aid review word version of current CS BRs and marking it up with comments.<o:p></o:p></li><li class=MsoListParagraphCxSpLast style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Bruce: That will be useful to make sure we didn’t miss anything.<o:p></o:p></li></ul></ul><p class=MsoNormal>Any Other<o:p></o:p></p><p class=MsoNormal>Bruce – Invalidity Date Email<o:p></o:p></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpFirst style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>CS BRs state revocation date but should use invalidity date. <o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>Corey responded to email that he thinks that is correct, but Authenticode doesn’t work that way<o:p></o:p></li><ul style='margin-top:0in' type=circle><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Corey: Rob Stradling responded said that his recollection matches mine. Bruce you are right that is the right way to encode that information following 5280. Microsoft Windows Authenticode implementation looks for revocation date.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Bruce: To make the documentation correct though if someone puts the revocation date in the validity date that is fine, or the validity date in there is fine. It might not work for windows, but it would make it the correct term in our document. The term in our document makes it sound like I can put in the revocation date which implies past date. It cannot be a past date it has to be the date I do the revocation. 
If I want to put in a past date that is the validity date.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Corey: That is a should not 5280. I don’t see a hard prohibition. CS BRs are written as guidance to CAs that the revocation date field has to be used even if you are backdating.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Bruce: I thought the verification date has to be used if you are revoking.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Corey: The revocation date has to be set in the past for Windows to recognize. To serve the function of the invalidity date you have to essentially use the revocation date.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Bruce: You cannot push back the revocation date if you already have a CRL issued where the thing has not been revoked.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Corey: That is not a must not that is a should not. It is not a hard prohibition on 5280.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Bruce: Sounds like a bad idea.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Corey: I agree it is an abuse of the CRL profile. If we force everyone to switch the invalidity date without Windows update would be a security concern. If someone’s build server was popped two months ago and everything that was compiled and signed from that compromised server now contains malware. We need some way of encoding that. 
Everything up to when that server was compromised is trusted and everything that is after is not. There has to be a provision to add a past date to a revocation date.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Ian: Asking Windows code integrity team to appropriately use the invalidity correct date. Priority of updating/improving our revocation and remediation. Will bring up change to team, not making any promises.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Bruce: Will table the request until we hear back from Ian. The benefit is that I could push back the revocation date.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Corey: Right. If a subscriber finds out their server was popped 3 months ago, you want a way of invalidating software that was built or signed from that machine retroactively.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Bruce: It still seems odd. I revoked 100 certs and this 1 I want to push back, so I put out a revocation date which is backwards; does that impact those other certs as well?<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Tim H: It can be a challenge picking the revocation date that correctly balances getting rid of the malware and whichever printer driver needs to be preserved. 
Art in how this is done in practice.<o:p></o:p></li><li class=MsoListParagraphCxSpLast style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Bruce: Ian, it would be great to have that looked at so it doesn’t have the CAs try to do some art to provide the right information.<o:p></o:p></li></ul></ul><p class=MsoNormal>Ian – Data Privacy<o:p></o:p></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpFirst style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>Data privacy is evolving quickly.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level1 lfo2'>Was asked does the CS BRs look at the audit requirements and how are we in conflict with Data privacy laws as they evolve and should we?<o:p></o:p></li><ul style='margin-top:0in' type=circle><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Tim H: Do you believe we are in conflict with the data protection laws anywhere?<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Ian: Yes, if you are required to log anything that is part of identity verification or like IP addresses. We just removed that from the timestamping authority data retention that is considered EUPI synonymous PII. Those kind of things.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Tim H: Thank you for clarifying what you mean. I believe the EU regulations have carve-outs for that sort of activity, because CAs are providing security services and are allowed to process PII for their customers. 
I can get a better answer from legal if you would like some advice about the data privacy.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Ian: I am more interested in should we as a group be considering how our requirements are impacting a CA or anybody else’s timestamping authority or signing service’s ability to meet data privacy requirements as they evolve. And should we keep an eye on that anyway.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Tim H: Based on what I have heard from our legal there aren’t any challenges in that area. But it is something we should keep an eye on.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Ian: I heard the same thing from our legal two years ago. Yesterday in a data privacy review, I heard some other things around new data changes in the GDPR and changes in individual states inside of the US. At any one moment these things can blow up.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Tim H: Absolutely, following 50 separate state laws and 200 countries is a challenge. If you do have any information on that that you can share, I would love to see it.<o:p></o:p></li><li class=MsoListParagraphCxSpLast style='margin-left:-15.75pt;mso-add-space:auto;mso-list:l0 level2 lfo2'>Ian: I can see if I can get more detail from the privacy review expert.<o:p></o:p></li></ul></ul><p class=MsoNormal>Next meeting September 9<sup>th</sup> in 2 weeks.<o:p></o:p></p><p class=MsoNormal>Meeting Adjourned<o:p></o:p></p></div></body></html>