<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=iso-2022-jp"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:"MS PGothic";
panose-1:2 11 6 0 7 2 5 8 2 4;}
@font-face
{font-family:"\@MS PGothic";}
@font-face
{font-family:"\@SimSun";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:ZH-CN;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:196092729;
mso-list-template-ids:13820012;}
@list l0:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1
{mso-list-id:281040023;
mso-list-type:hybrid;
mso-list-template-ids:-15147122 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.0in;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.5in;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.0in;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.5in;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.0in;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.5in;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.0in;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.5in;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:5.0in;
text-indent:-.25in;
font-family:Wingdings;}
@list l2
{mso-list-id:342320950;
mso-list-type:hybrid;
mso-list-template-ids:238839730 -414921982 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l2:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.0in;
text-indent:-.25in;
mso-bidi-font-family:"Times New Roman";}
@list l2:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l2:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l2:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l3
{mso-list-id:1107502571;
mso-list-type:hybrid;
mso-list-template-ids:-1584208608 -1 -1 -1 -1 -1 -1 -1 -1 -1;}
@list l3:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.75in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
@list l3:level2
{mso-level-number-format:alpha-lower;
mso-level-text:%2;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.25in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
@list l3:level3
{mso-level-number-format:roman-lower;
mso-level-text:%3;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.75in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
@list l3:level4
{mso-level-text:%4;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.25in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
@list l3:level5
{mso-level-number-format:alpha-lower;
mso-level-text:%5;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.75in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
@list l3:level6
{mso-level-number-format:roman-lower;
mso-level-text:%6;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.25in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
@list l3:level7
{mso-level-text:%7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.75in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
@list l3:level8
{mso-level-number-format:alpha-lower;
mso-level-text:%8;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.25in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
@list l3:level9
{mso-level-number-format:roman-lower;
mso-level-text:%9;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.75in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
@list l4
{mso-list-id:1269779814;
mso-list-template-ids:379364156;}
@list l4:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5
{mso-list-id:1803963879;
mso-list-type:hybrid;
mso-list-template-ids:-1584208608 2027442788 1490214718 -685974328 -1607952272 -1808384106 -848383798 -643252196 -1440287212 369510368;}
@list l5:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.75in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
@list l5:level2
{mso-level-number-format:alpha-lower;
mso-level-text:%2;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.25in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
@list l5:level3
{mso-level-number-format:roman-lower;
mso-level-text:%3;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.75in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
@list l5:level4
{mso-level-text:%4;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.25in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
@list l5:level5
{mso-level-number-format:alpha-lower;
mso-level-text:%5;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.75in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
@list l5:level6
{mso-level-number-format:roman-lower;
mso-level-text:%6;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.25in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
@list l5:level7
{mso-level-text:%7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.75in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
@list l5:level8
{mso-level-number-format:alpha-lower;
mso-level-text:%8;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.25in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
@list l5:level9
{mso-level-number-format:roman-lower;
mso-level-text:%9;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.75in;
text-indent:0in;
mso-ansi-font-size:11.0pt;
mso-bidi-font-size:11.0pt;
mso-ascii-font-family:Cambria;
mso-fareast-font-family:Cambria;
mso-hansi-font-family:Cambria;
mso-bidi-font-family:Cambria;
color:black;
mso-text-animation:none;
border:none windowtext 1.0pt;
mso-border-alt:none windowtext 0in;
padding:0in;
mso-ansi-font-weight:normal;
mso-ansi-font-style:normal;
text-underline:black;
text-decoration:none;
text-underline:none;
text-decoration:none;
text-line-through:none;
vertical-align:baseline;}
@list l6
{mso-list-id:1968662072;
mso-list-type:hybrid;
mso-list-template-ids:-963630024 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l6:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l6:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l6:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='mso-fareast-language:EN-US'>GlobalSign Votes No on Ballot CSC-6.<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>As we looked at the ballot in more detail, we have a couple of questions which we should have asked during the review period which we think are important to address prior to voting yes.<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:11.9pt'>Question 1:<o:p></o:p></p><p class=MsoNormal style='margin-bottom:11.9pt'>What is meant by: Subscriber uses a hosted Hardware Crypto Module meeting the specified requirement; <o:p></o:p></p><p class=MsoNormal style='margin-bottom:11.9pt'>The word hosted makes this sound like a hosted service. Does this include the use of a token? If so, then we should make a defined term for �$B!H�(BHosted Hardware Crypto Module�$B!I�(B that explains what this is, or perhaps delete �$B!H�(Bhosted�$B!I�(B from this requirement if that meant the intent.<span style='font-family:"Cambria",serif;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:11.9pt'>Question 2: <o:p></o:p></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>Section 16.3.2, Subscriber Private Key Verification has this statement:<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.75in'>Effective November, 15, 2022, Subscriber Private Keys for Code Signing Certificates SHALL be <u>protected</u> per the following requirements. �$B!D�(B.<br><br><span style='font-family:"Cambria",serif;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:11.9pt'><span style='mso-fareast-language:EN-US'>Since this is specifying private key protection, shouldn�$B!G�(Bt this be in section 16.3.1, Subscriber Private Key <u>Protection</u>, or maybe just that statement needs to be removed or updated? </span><o:p></o:p></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>Question 3:<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>Section 16.3.1 Subscriber Private Key Protection says the following:<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal>For Non-EV Code Signing Certificates, the CA MUST obtain a representation from the Subscriber that the Subscriber will use one of the following options to generate and protect their Code Signing Certificate Private Keys: <span style='font-family:"Cambria",serif;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:11.0pt;margin-left:.75in;text-indent:-.25in;mso-list:l2 level1 lfo4'><![if !supportLists]><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>A Trusted Platform Module (TPM) that generates and secures a Key Pair and that can document the Subscriber�$B!G�(Bs Private Key protection through a TPM key attestation. <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:11.0pt;margin-left:.75in;text-indent:-.25in;mso-list:l2 level1 lfo4'><![if !supportLists]><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>A suitable Hardware Crypto Module with a unit design form factor certified as conforming to at least FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent. <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:11.0pt;margin-left:.75in;text-indent:-.25in;mso-list:l2 level1 lfo4'><![if !supportLists]><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Another type of hardware storage token with a unit design form factor of SD Card or USB token (not necessarily certified as conformant with FIPS 140-2 Level 2 or Common Criteria EAL 4+). The Subscriber MUST also warrant that it will keep the token physically separate from the device that hosts the code signing function until a signing session is begun. <o:p></o:p></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>Then a bit later it says:<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'>Effective September, 1, 2022, Subscriber Private Keys for Code Signing Certificates SHALL be protected per the following requirements.<span style='font-family:"Cambria",serif;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-family:"Cambria",serif;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:11.9pt;margin-left:.5in'>The CA MUST obtain a representation from the Subscriber that the Subscriber will use one of the following options to generate and protect their Code Signing Certificate Private Keys in a Hardware Crypto Module with a unit design form factor certified as conforming to at least FIPS 140-2 Level 2 or Common Criteria EAL 4+: <o:p></o:p></p><p class=MsoNormal style='margin-bottom:11.9pt'>Does this mean that the first 3 methods are prohibited? If so, then we should explicitly state that �$B!H�(Bthese methods must not be used starting September 1, 2022.�$B!I�(B In the heading para for those 3 methods.<o:p></o:p></p><p class=MsoNormal style='margin-bottom:11.9pt'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:11.9pt'>Question 4:<o:p></o:p></p><p class=MsoNormal style='margin-bottom:11.9pt'>Same as question 3 but in section 16.3.2: Are the first 3 methods prohibited as of 15 November 2022? If so, then we should explicitly state that they are prohibited as of that date.<o:p></o:p></p><p class=MsoNormal style='margin-bottom:11.9pt'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:11.9pt'>Question 5:<o:p></o:p></p><p class=MsoNormal style='margin-bottom:11.9pt'>Need clarification on section 16.3.2, item 3<o:p></o:p></p><ul style='margin-top:0in' type=disc><li class=MsoNormal style='margin-bottom:11.9pt;margin-left:.5in;line-height:102%;mso-list:l1 level1 lfo11'>The Subscriber uses a CA prescribed crypto library and a suitable Hardware Crypto Module combination for the Key Pair generation and storage;<span style='font-family:"Cambria",serif;mso-fareast-language:EN-US'><o:p></o:p></span></li></ul><p class=MsoNormal style='margin-bottom:11.9pt'>If a CA limits the list of available CSPs available to the Subscriber to those that are only suitable for approved tokens, does that satisfy this requirement? <o:p></o:p></p><p class=MsoNormal style='margin-bottom:11.9pt'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:11.9pt'><o:p> </o:p></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Cscwg-public <cscwg-public-bounces@cabforum.org> <b>On Behalf Of </b>Ian McMillan via Cscwg-public<br><b>Sent:</b> Tuesday, February 22, 2022 10:30 AM<br><b>To:</b> cscwg-public@cabforum.org<br><b>Subject:</b> [Cscwg-public] VOTING BEGINS: Ballot CSC-6: Update to Subscriber Private Key Protection Requirements<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.cabforum.org%2Fcscwg%2Fcsc_6_-_update_to_subscriber_private_key_protection_requirements&data=04%7C01%7Cianmcm%40microsoft.com%7Cdba94eb81c164facf1b508d9f019a88d%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637804815989127861%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=chOc9LY58DjZreBftXXETeYfez6xuBrSzqZxifDxvcQ%3D&reserved=0">Ballot CSC-6: Update to Subscriber Private Key Protection Requirements</a><o:p></o:p></p><p class=MsoNormal>Purpose of this ballot: Update the subscriber private key protection requirements in the Baseline Requirement for the Issuance and Management of Publicly-Trusted Code Signing Certificates v2.7. The following motion has been proposed by Ian McMillan of Microsoft, and endorsed by Tim Hollebeek of DigiCert and Bruce Morton of Entrust.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>— MOTION BEGINS — <o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>This ballot updates the �$B!H�(BBaseline Requirements for the Issuance and Management of Publicly�$B!>�(BTrusted Code Signing Certificates�$B!H�(B version 2.7 according to the attached redline which includes:<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'> <o:p></o:p></p><ol style='margin-top:0in' start=1 type=1><li class=MsoNormal style='mso-list:l4 level1 lfo3'>Update section 16.3 �$B!H�(BSubscriber Private Key Protection�$B!I�(B to �$B!H�(BSubscriber Private Key Protection and Verification�$B!I�(B<o:p></o:p></li><li class=MsoNormal style='mso-list:l4 level1 lfo3'>Update section 16.3 �$B!H�(BSubscriber Private Key Protection�$B!I�(B to include sub-sections �$B!H�(B16.3.1 Subscriber Private Key Protection�$B!I�(B and �$B!H�(B16.3.2 Subscriber Private Key Verification�$B!I�(B<o:p></o:p></li><li class=MsoNormal style='mso-list:l4 level1 lfo3'>Update section 16.3 under new sub-section 16.3.1 to remove allowance of TPM key generation and software protected private key protection, and remove private key protection requirement differences between EV and non-EV Code Signing Certificates<o:p></o:p></li><li class=MsoNormal style='mso-list:l4 level1 lfo3'>Update section 16.3 under new sub-section 16.3.1 to include the allowance of key generation and protection using a cloud-based key protection solution providing key generation and protection in a hardware crypto module that conforms to at least FIPS 140-2 Level 2 or Common Criteria EAL 4+<o:p></o:p></li><li class=MsoNormal style='mso-list:l4 level1 lfo3'>Update section 16.3 under new sub-section 16.3.2 to include verification for Code Signing Certificates' private key generation and storage in a crypto module that meets or exceeds the requirements of FIPS 140-2 level 2 or Common Criteria EAL 4+ by the CAs. Include additional acceptable methods for verification including cloud-based key generation and protection solutions and a stipulation for CAs to satisfy this verification requirement with additional means specified in their CPS. Any additional means specified by a CA in their CPS, must be proposed to the CA/Browser Forum for inclusion into the acceptable methods for section 16.3.2 within 6 months of inclusion in their CPS.<o:p></o:p></li></ol><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>— MOTION ENDS —<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>The procedure for approval of this ballot is as follows:<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Discussion (7 days)<o:p></o:p></p><p class=MsoNormal>Start Time: 2022-02-14, 19:30 Eastern Time (US) <o:p></o:p></p><p class=MsoNormal>End Time: not before 2022-02-21, 19:30 Eastern Time (US)<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Vote for approval (7 days) <o:p></o:p></p><p class=MsoNormal>Start Time: 2022-02-22,10:30 Eastern Time (US) <o:p></o:p></p><p class=MsoNormal>End Time: 2022-03-01,10:30 Eastern Time (US) <o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'> </span><o:p></o:p></p></div></body></html>