<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Thanks, Ian.</p>
<p><br>
</p>
Adriano<br>
<p><br>
</p>
<div class="moz-cite-prefix">On 22/03/2022 16:43, Ian McMillan wrote:<br>
</div>
<blockquote type="cite"
cite="mid:MN2PR00MB0701D834DA28B969FBF448C1C4179@MN2PR00MB0701.namprd00.prod.outlook.com">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255,
255, 255);" class="elementToProof">
Hi Adriano,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255,
255, 255);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255,
255, 255);" class="elementToProof">
Sorry, I have been disconnected from email and work all last
week. </div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255,
255, 255);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255,
255, 255);" class="elementToProof">
This is a good catch, and I've updated the table to include this
feedback as well as call out 16.3.1 (7-9) as being required
after November 15, 2022. Please see the attached redline with
this update. </div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255,
255, 255);" class="elementToProof">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255,
255, 255);" class="elementToProof">
Thanks,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255,
255, 255);" class="elementToProof">
Ian </div>
<div>
<div><br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
<br>
<hr tabindex="-1" style="display:inline-block; width:98%;">
<b>From:</b> Adriano Santoni<br>
<b>Sent:</b> Monday, March 21, 2022 6:58 AM<br>
<b>To:</b> Ian McMillan; Bruce Morton;
<a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>; Inigo Barreira; Dimitris
Zacharopoulos (HARICA)<br>
<b>Subject:</b> [EXTERNAL] Re: [Cscwg-public] Update to
Subscriber Private Key Protection Requirements (CSC-6 to
CSC-13)
<div><br>
</div>
</div>
<div class="rps_9bb3">
<div>
<p><font face="Calibri">All,</font></p>
<p><font face="Calibri">I am not clear why the table of
Relevant dates does not include this one, which seems to
be the most important and demanding one:</font><br>
</p>
<blockquote type="cite"><span style="" lang="EN-US">Effective
November, 15, 2022, for Code Signing Certificates, CAs
SHALL ensure that the Subscriber’s Private Key is
generated, stored, and used in a suitable Hardware
Crypto Module that meets or exceeds the requirements
specified in section 16.3.1</span></blockquote>
<p>This, in fact, requires that all existing code signing
certificate application web forms that allow a CSR to be
pasted be removed by November 15, if not profoundly
modified in order to comply with §16.3.1, if I am not
mistaken.</p>
<p><font face="Calibri">Adriano</font></p>
<p><font face="Calibri"><br>
</font></p>
<div class="x_moz-cite-prefix">On 10/03/2022 22:46, Ian McMillan wrote:<br>
</div>
<blockquote type="cite">
<div class="x_WordSection1">
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style="">Thank you Bruce!</span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style=""> </span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style="">Attached is the updated redline with
the removal of the first addition of “contractual”
which you called out as changing the current
requirement.
</span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style=""> </span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style="">Thanks</span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style="">Ian </span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style=""> </span></p>
<div>
<div style="border:none; border-top:solid #E1E1E1
1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<b><span style="">From:</span></b><span style="">
Bruce Morton <a
href="mailto:Bruce.Morton@entrust.com"
target="_blank" rel="noopener noreferrer"
data-auth="NotApplicable"
class="x_moz-txt-link-rfc2396E"
moz-do-not-send="true">
&lt;Bruce.Morton@entrust.com&gt;</a> <br>
<b>Sent:</b> Thursday, March 10, 2022 4:12 PM<br>
<b>To:</b> Ian McMillan <a
href="mailto:ianmcm@microsoft.com"
target="_blank" rel="noopener noreferrer"
data-auth="NotApplicable"
class="x_moz-txt-link-rfc2396E"
moz-do-not-send="true">
&lt;ianmcm@microsoft.com&gt;</a>; <a
href="mailto:cscwg-public@cabforum.org"
target="_blank" rel="noopener noreferrer"
data-auth="NotApplicable"
class="x_moz-txt-link-abbreviated
moz-txt-link-freetext" moz-do-not-send="true">
cscwg-public@cabforum.org</a>; Inigo Barreira
<a href="mailto:Inigo.Barreira@sectigo.com"
target="_blank" rel="noopener noreferrer"
data-auth="NotApplicable"
class="x_moz-txt-link-rfc2396E"
moz-do-not-send="true">
&lt;Inigo.Barreira@sectigo.com&gt;</a>;
Dimitris Zacharopoulos (HARICA) <a
href="mailto:dzacharo@harica.gr"
target="_blank" rel="noopener noreferrer"
data-auth="NotApplicable"
class="x_moz-txt-link-rfc2396E"
moz-do-not-send="true">
&lt;dzacharo@harica.gr&gt;</a>; Adriano
Santoni <a
href="mailto:adriano.santoni@staff.aruba.it"
target="_blank" rel="noopener noreferrer"
data-auth="NotApplicable"
class="x_moz-txt-link-rfc2396E"
moz-do-not-send="true">
&lt;adriano.santoni@staff.aruba.it&gt;</a><br>
<b>Subject:</b> [EXTERNAL] RE: [Cscwg-public]
Update to Subscriber Private Key Protection
Requirements (CSC-6 to CSC-13)</span></p>
</div>
</div>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style="">Hi Ian,</span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style=""> </span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style="">We added “contractual” representation
in 2 places in section 16.3.1. I believe that the
first “contractual” should be removed as this is
changing an existing requirement which will not be
effective as of 15 November 2022. The second
“contractual” should remain as this is a new
requirement which the CAs must meet effective 15
November 2022.</span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style=""> </span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style="">With that change, I am good to endorse
the ballot.</span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style=""> </span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style=""> </span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style="">Thanks, Bruce. </span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style=""> </span></p>
<div>
<div style="border:none; border-top:solid #E1E1E1
1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<b><span style="">From:</span></b><span style="">
Cscwg-public <<a
href="mailto:cscwg-public-bounces@cabforum.org"
target="_blank" rel="noopener noreferrer"
data-auth="NotApplicable"
class="x_moz-txt-link-freetext
moz-txt-link-freetext" moz-do-not-send="true">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Ian McMillan via
Cscwg-public<br>
<b>Sent:</b> Thursday, March 10, 2022 12:43 PM<br>
<b>To:</b> Inigo Barreira <<a
href="mailto:Inigo.Barreira@sectigo.com"
target="_blank" rel="noopener noreferrer"
data-auth="NotApplicable"
class="x_moz-txt-link-freetext
moz-txt-link-freetext" moz-do-not-send="true">Inigo.Barreira@sectigo.com</a>>;
<a href="mailto:cscwg-public@cabforum.org"
target="_blank" rel="noopener noreferrer"
data-auth="NotApplicable"
class="x_moz-txt-link-freetext
moz-txt-link-freetext" moz-do-not-send="true">
cscwg-public@cabforum.org</a>; Dimitris
Zacharopoulos (HARICA) <<a
href="mailto:dzacharo@harica.gr"
target="_blank" rel="noopener noreferrer"
data-auth="NotApplicable"
class="x_moz-txt-link-freetext
moz-txt-link-freetext" moz-do-not-send="true">dzacharo@harica.gr</a>>;
Adriano Santoni <<a
href="mailto:adriano.santoni@staff.aruba.it"
target="_blank" rel="noopener noreferrer"
data-auth="NotApplicable"
class="x_moz-txt-link-freetext
moz-txt-link-freetext" moz-do-not-send="true">adriano.santoni@staff.aruba.it</a>><br>
<b>Subject:</b> [EXTERNAL] Re: [Cscwg-public]
Update to Subscriber Private Key Protection
Requirements (CSC-6 to CSC-13)</span></p>
</div>
</div>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style="">Hi Folks, </span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style=""> </span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style="">Coming out of the meeting today we’ve
made some additional changes to address the term
“representation” in section 16 by changing it
to “contractual representation”.
</span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style=""> </span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style="">Please review the changes in the
attached redline document. </span>
</p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style=""> </span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style="">Tim and Bruce would you review and
please reply back with your confirmed willingness to
endorse this ballot as CSC-13?</span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style=""> </span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style="">Thanks,</span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style="">Ian</span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style=""> </span></p>
<div>
<div style="border:none; border-top:solid #E1E1E1
1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<b><span style="">From:</span></b><span style="">
Cscwg-public <<a
href="mailto:cscwg-public-bounces@cabforum.org"
target="_blank" rel="noopener noreferrer"
data-auth="NotApplicable"
class="x_moz-txt-link-freetext
moz-txt-link-freetext" moz-do-not-send="true">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Inigo Barreira via
Cscwg-public<br>
<b>Sent:</b> Wednesday, March 9, 2022 12:15 PM<br>
<b>To:</b> Dimitris Zacharopoulos (HARICA) <<a
href="mailto:dzacharo@harica.gr"
target="_blank" rel="noopener noreferrer"
data-auth="NotApplicable"
class="x_moz-txt-link-freetext
moz-txt-link-freetext" moz-do-not-send="true">dzacharo@harica.gr</a>>;
<a href="mailto:cscwg-public@cabforum.org"
target="_blank" rel="noopener noreferrer"
data-auth="NotApplicable"
class="x_moz-txt-link-freetext
moz-txt-link-freetext" moz-do-not-send="true">
cscwg-public@cabforum.org</a>; Adriano Santoni
<<a
href="mailto:adriano.santoni@staff.aruba.it"
target="_blank" rel="noopener noreferrer"
data-auth="NotApplicable"
class="x_moz-txt-link-freetext
moz-txt-link-freetext" moz-do-not-send="true">adriano.santoni@staff.aruba.it</a>><br>
<b>Subject:</b> [EXTERNAL] Re: [Cscwg-public]
Update to Subscriber Private Key Protection
Requirements (CSC-6 to CSC-13)</span></p>
</div>
</div>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
</p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style="" lang="EN-GB">Right, it's not a new
thing, but I only realized it now, sorry. It's just the word
“representation” that confuses me, and after the
explanations it is more confusing.
</span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style="" lang="EN-GB"> </span></p>
<div>
<div style="border:none; border-top:solid #E1E1E1
1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<b><span style="" lang="ES">From:</span></b><span
style="" lang="ES"> Dimitris Zacharopoulos
(HARICA) <<a href="mailto:dzacharo@harica.gr"
target="_blank" rel="noopener noreferrer"
data-auth="NotApplicable"
class="x_moz-txt-link-freetext
moz-txt-link-freetext" moz-do-not-send="true">dzacharo@harica.gr</a>>
<br>
<b>Sent:</b> Wednesday, March 9, 2022 18:00<br>
<b>To:</b> Inigo Barreira <<a
href="mailto:Inigo.Barreira@sectigo.com"
target="_blank" rel="noopener noreferrer"
data-auth="NotApplicable"
class="x_moz-txt-link-freetext
moz-txt-link-freetext" moz-do-not-send="true">Inigo.Barreira@sectigo.com</a>>;
<a href="mailto:cscwg-public@cabforum.org"
target="_blank" rel="noopener noreferrer"
data-auth="NotApplicable"
class="x_moz-txt-link-freetext
moz-txt-link-freetext" moz-do-not-send="true">
cscwg-public@cabforum.org</a>; Adriano Santoni
<<a
href="mailto:adriano.santoni@staff.aruba.it"
target="_blank" rel="noopener noreferrer"
data-auth="NotApplicable"
class="x_moz-txt-link-freetext
moz-txt-link-freetext" moz-do-not-send="true">adriano.santoni@staff.aruba.it</a>><br>
<b>Subject:</b> Re: [Cscwg-public] Update to
Subscriber Private Key Protection Requirements
(CSC-6 to CSC-13)</span></p>
</div>
</div>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span lang="ES"> </span></p>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span lang="ES"> </span></p>
<div>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri,
sans-serif;margin-bottom:12.0pt">
<span lang="ES">It's best if we add the subscriber
warranties and expectations in one place but my
point was that we already expect things from
Certificate Subscribers. It's not a new thing, as
you presented it.<br>
<br>
Dimitris.</span></p>
<div>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<span lang="ES">On 9/3/2022 6:03 PM, Inigo
Barreira wrote:</span></p>
</div>
<blockquote style="margin-top:5.0pt;
margin-bottom:5.0pt">
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<span style="" lang="EN-GB">Nope. In section 7.2
(which is for certificate warranties) there's no
clear indication of this unless you consider 1)
compliance and 6) key protection enough. Section
7.3 says nothing about this. Further, there's no
definition of “representation” in section 4 and
hence my question, because I was thinking of a
different matter.</span><span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<span style="" lang="EN-GB"> </span><span
lang="ES"></span></p>
<div>
<div style="border:none; border-top:solid #E1E1E1
1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<b><span style="" lang="ES">From:</span></b><span
style="" lang="ES"> Dimitris Zacharopoulos
(HARICA)
<a href="mailto:dzacharo@harica.gr"
target="_blank" rel="noopener noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true">
&lt;dzacharo@harica.gr&gt;</a> <br>
<b>Sent:</b> Wednesday, March 9, 2022 14:08<br>
<b>To:</b> Inigo Barreira <a
href="mailto:Inigo.Barreira@sectigo.com"
target="_blank" rel="noopener noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true">
&lt;Inigo.Barreira@sectigo.com&gt;</a>; <a
href="mailto:cscwg-public@cabforum.org"
target="_blank" rel="noopener noreferrer"
data-auth="NotApplicable"
class="x_moz-txt-link-freetext
moz-txt-link-freetext"
moz-do-not-send="true">
cscwg-public@cabforum.org</a>; Adriano
Santoni <a
href="mailto:adriano.santoni@staff.aruba.it"
target="_blank" rel="noopener noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true">
&lt;adriano.santoni@staff.aruba.it&gt;</a><br>
<b>Subject:</b> Re: [Cscwg-public] Update to
Subscriber Private Key Protection
Requirements (CSC-6 to CSC-13)</span><span
lang="ES"></span></p>
</div>
</div>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<span lang="ES"> </span></p>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<span lang="ES"> </span></p>
<div>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;margin-bottom:12.0pt">
<span lang="ES"> </span></p>
<div>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<span lang="ES">On 9/3/2022 2:58 PM, Inigo
Barreira wrote:</span></p>
</div>
<blockquote style="margin-top:5.0pt;
margin-bottom:5.0pt">
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<span style="" lang="EN-GB">I agree with
Adriano. Point 1 does not make the customer
accountable for anything (I will promise I'm
a good guy) and then point 2 is useless
because with point 1 you're allowing the
customer to do whatever, regardless of whether
they use a hardware device or not. The CSRs can
be generated in a crypto device or not and
with point 1 you, as the CA, are “sure” that
the keys are in a hardware crypto device.
That's a lot to assume.</span><span
lang="ES"></span></p>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<span style="" lang="EN-GB"> </span><span
lang="ES"></span></p>
</blockquote>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;margin-bottom:12.0pt">
<span style="" lang="ES"><br>
You are missing the point of Subscriber
representations and warranties which is
clearly included in the BRs. Subscribers have
obligations as well and we must ensure they
are aware and bound to those obligations.<br>
<br>
Dimitris.</span><span lang="ES"></span></p>
<blockquote style="margin-top:5.0pt;
margin-bottom:5.0pt">
<div>
<div style="border:none; border-top:solid
#E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<b><span lang="ES">From:</span></b><span
lang="ES"> Cscwg-public <a
href="mailto:cscwg-public-bounces@cabforum.org"
target="_blank" rel="noopener
noreferrer" data-auth="NotApplicable"
moz-do-not-send="true">
&lt;cscwg-public-bounces@cabforum.org&gt;</a> <b>On Behalf Of </b>Dimitris
Zacharopoulos (HARICA) via Cscwg-public<br>
<b>Sent:</b> Wednesday, March 9, 2022 13:27<br>
<b>To:</b> Adriano Santoni <a
href="mailto:adriano.santoni@staff.aruba.it"
target="_blank" rel="noopener
noreferrer" data-auth="NotApplicable"
moz-do-not-send="true">
&lt;adriano.santoni@staff.aruba.it&gt;</a>;
<a
href="mailto:cscwg-public@cabforum.org"
target="_blank" rel="noopener
noreferrer" data-auth="NotApplicable"
class="x_moz-txt-link-freetext
moz-txt-link-freetext"
moz-do-not-send="true">
cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] Update
to Subscriber Private Key Protection
Requirements (CSC-6 to CSC-13)</span></p>
</div>
</div>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<span lang="ES"> </span></p>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<span style="" lang="ES"> </span><span
lang="ES"></span></p>
<div>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;margin-bottom:12.0pt">
<span lang="ES">I believe this language and
double confirmation comes from years ago
when tools like remote key attestation
were not available.<br>
<br>
If we are to allow an Applicant to
generate keys remotely (i.e. without the
presence of a CA representative and
without hardware that supports remote key
attestation), which seems to be the case
with the CSCWG today, we need to rely on
policy to accomplish that. It is
reasonable to hold both sides, the
Applicant and the CA, accountable to this
policy. See below.</span></p>
<div>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<span lang="ES">On 9/3/2022 11:43 AM,
Adriano Santoni via Cscwg-public wrote:</span></p>
</div>
<blockquote style="margin-top:5.0pt;
margin-bottom:5.0pt">
<p><span lang="ES">As far as I'm concerned,
I find confusing and overly complex the
double requirement:</span></p>
<p><span lang="ES">1) customer must make a
"representation" that they will use a
hardware crypto module (or signing
service), and ...</span></p>
</blockquote>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;margin-bottom:12.0pt">
<span lang="ES"><br>
This is required because a customer could
potentially "fake" the hardware device id
and create a virtual driver that emulates
the actual hardware device. The Applicant
must be held accountable if they try to
manipulate the process or make any changes
to the process and tools provided by the
CA.<br>
<br>
</span></p>
<blockquote style="margin-top:5.0pt;
margin-bottom:5.0pt">
<p><span lang="ES">2) the CA must ensure
that the customer will really use a
hardware crypto module (or signing
service).
</span></p>
</blockquote>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;margin-bottom:12.0pt">
<span lang="ES"><br>
The CA must establish a process and
develop the proper tools to provide
reasonable assurance that the Applicant
remotely generates keys in a hardware
crypto module which is usually within a
limited set of devices approved by the CA.
The CA is not allowed to say "please send
me a CSR and pinky swear that it was
generated in a crypto device". They must
develop tools and middleware and establish
a process to make sure the key is
generated in approved crypto-devices only.<br>
<br>
</span></p>
<blockquote style="margin-top:5.0pt;
margin-bottom:5.0pt">
<p><span lang="ES">If the CA will be obliged
to meet req #2, then I do not see what
use is req #1.</span></p>
</blockquote>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;margin-bottom:12.0pt">
<span lang="ES"><br>
Hope this explanation helps.<br>
Dimitris.<br>
<br>
</span></p>
<blockquote style="margin-top:5.0pt;
margin-bottom:5.0pt">
<p><span lang="ES">Adriano</span></p>
<p><span lang="ES">-- Actalis</span></p>
<p><span lang="ES"> </span></p>
<div>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<span lang="ES">On 09/03/2022 10:21,
Inigo Barreira via Cscwg-public wrote:</span></p>
</div>
<blockquote style="margin-top:5.0pt;
margin-bottom:5.0pt">
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<span style="" lang="EN-GB">Yes, please.
</span><span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<span style="" lang="EN-GB">It looks
like this representation means
something like “click here if you are
over 18” or “click here if you agree”
because these are also facts not
opinions.
</span><span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<span style="" lang="EN-GB">IMO the
message here is that CAs will rely on
whatever the subscriber says, e.g.,
“yes, I'm a good guy and promise that
I will keep my keys in a hardware
device …” rather than on performing the
corresponding tasks to ensure it. Is this
the right approach? This is what I
understand from Dean's response
because CAs are not attesting anything,
just relying on a form signed by the
subscriber, in which it may say
whatever.</span><span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<span style="" lang="EN-GB"> </span><span
lang="ES"></span></p>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<span style="" lang="EN-GB">Regards</span><span
lang="ES"></span></p>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<span style="" lang="EN-GB"> </span><span
lang="ES"></span></p>
<div>
<div style="border:none;
border-top:solid #E1E1E1 1.0pt;
padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<b><span lang="ES">From:</span></b><span
lang="ES"> Tim Hollebeek <a
href="mailto:tim.hollebeek@digicert.com"
target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true">
&lt;tim.hollebeek@digicert.com&gt;</a> <br>
<b>Sent:</b> Tuesday, March 8, 2022 20:35<br>
<b>To:</b> Dean Coclin <a
href="mailto:dean.coclin@digicert.com"
target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true">
&lt;dean.coclin@digicert.com&gt;</a>;
Inigo Barreira <a
href="mailto:Inigo.Barreira@sectigo.com"
target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true">
&lt;Inigo.Barreira@sectigo.com&gt;</a>; <a
href="mailto:cscwg-public@cabforum.org"
target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
class="x_moz-txt-link-freetext
moz-txt-link-freetext"
moz-do-not-send="true">
cscwg-public@cabforum.org</a>;
Bruce Morton <a
href="mailto:bruce.morton@entrust.com"
target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true">
&lt;bruce.morton@entrust.com&gt;</a>;
Doug Beattie <a
href="mailto:doug.beattie@globalsign.com"
target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true">
&lt;doug.beattie@globalsign.com&gt;</a>; Ian McMillan <a
href="mailto:ianmcm@microsoft.com"
target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true">
&lt;ianmcm@microsoft.com&gt;</a><br>
<b>Subject:</b> RE: Update to
Subscriber Private Key Protection
Requirements (CSC-6 to CSC-13)</span></p>
</div>
</div>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<span lang="ES"> </span></p>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
“representation” is being used here in
the legal sense: “<span
style="font-size: 10pt; font-family:
Arial, sans-serif; color: rgb(64, 64,
64); background: white;">a <span
class="x_hvr">statement</span> of <span
class="x_hvr">fact.</span> A <span
class="x_hvr">representation</span> <span
class="x_hvr">should</span> be <span
class="x_hvr">distinguished</span> <span
class="x_hvr">from</span> a <span
class="x_hvr">statement</span> of <span
class="x_hvr">opinion</span> <span
class="x_hvr">for</span> <span
class="x_hvr">many</span> <span
class="x_hvr">legal</span> <span
class="x_hvr">purposes,</span> <span
class="x_hvr">especially</span> in <span
class="x_hvr">relation</span> to <span
class="x_hvr">contractual</span> <span
class="x_hvr">obligations.</span></span>”<span
lang="ES"></span></p>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
We should perhaps be using plain English
instead of legalese.<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
-Tim<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<span lang="ES"></span></p>
<div style="border:none; border-left:solid
blue 1.5pt; padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;
border-top:solid #E1E1E1 1.0pt;
padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal"
style="margin: 0in; font-size:
11pt; font-family: Calibri,
sans-serif;">
<b>From:</b> Dean Coclin <<span
lang="ES"><a
href="mailto:dean.coclin@digicert.com"
target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">dean.coclin@digicert.com</span></a></span>>
<br>
<b>Sent:</b> Tuesday, March 8,
2022 1:00 PM<br>
<b>To:</b> Inigo Barreira <<span
lang="ES"><a
href="mailto:Inigo.Barreira@sectigo.com"
target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">Inigo.Barreira@sectigo.com</span></a></span>>;
<span lang="ES"><a
href="mailto:cscwg-public@cabforum.org"
target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">cscwg-public@cabforum.org</span></a></span>;
Bruce Morton <<span lang="ES"><a
href="mailto:bruce.morton@entrust.com" target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">bruce.morton@entrust.com</span></a></span>>;
Doug Beattie <<span lang="ES"><a
href="mailto:doug.beattie@globalsign.com" target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">doug.beattie@globalsign.com</span></a></span>>;
Ian McMillan <<span lang="ES"><a
href="mailto:ianmcm@microsoft.com" target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">ianmcm@microsoft.com</span></a></span>>;
Tim Hollebeek <<span lang="ES"><a
href="mailto:tim.hollebeek@digicert.com" target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">tim.hollebeek@digicert.com</span></a></span>><br>
<b>Subject:</b> RE: Update to
Subscriber Private Key Protection
Requirements (CSC-6 to CSC-13)<span
lang="ES"></span></p>
</div>
</div>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span style="font-size:12.0pt">This
means exactly what it says, some
representation that the subscriber
makes to honor the condition. This
traditionally has been something in
writing that the subscriber signs
and submits to the CA. CAs can
provide a form to the subscriber
which they attest to.</span><span
lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span style="font-size:12.0pt"> </span><span
lang="ES"></span></p>
<div>
<div style="border:none;
border-top:solid #E1E1E1 1.0pt;
padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal"
style="margin: 0in; font-size:
11pt; font-family: Calibri,
sans-serif;">
<b>From:</b> Cscwg-public <<span
lang="ES"><a
href="mailto:cscwg-public-bounces@cabforum.org"
target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">cscwg-public-bounces@cabforum.org</span></a></span>>
<b>On Behalf Of </b>Inigo
Barreira via Cscwg-public<br>
<b>Sent:</b> Tuesday, March 8,
2022 11:03 AM<br>
<b>To:</b> Bruce Morton <<span
lang="ES"><a
href="mailto:bruce.morton@entrust.com"
target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">bruce.morton@entrust.com</span></a></span>>;
<span lang="ES"><a
href="mailto:cscwg-public@cabforum.org"
target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">cscwg-public@cabforum.org</span></a></span>;
Doug Beattie <<span lang="ES"><a
href="mailto:doug.beattie@globalsign.com" target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">doug.beattie@globalsign.com</span></a></span>>;
Ian McMillan <<span lang="ES"><a
href="mailto:ianmcm@microsoft.com" target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">ianmcm@microsoft.com</span></a></span>>;
Tim Hollebeek <<span lang="ES"><a
href="mailto:tim.hollebeek@digicert.com" target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">tim.hollebeek@digicert.com</span></a></span>><br>
<b>Subject:</b> Re: [Cscwg-public]
Update to Subscriber Private Key
Protection Requirements (CSC-6 to
CSC-13)<span lang="ES"></span></p>
</div>
</div>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES">Hi all,</span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"> </span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="EN-GB">Reviewing the
section 16.3.1 I have a “wording”
question. What does it mean that
“The CA MUST obtain a representation
from the Subscriber that the
Subscriber will use one of the
following options …”. So, what is a
“representation from the
subscriber”?</span><span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="EN-GB"> </span><span
lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="EN-GB">Regards</span><span
lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="EN-GB"> </span><span
lang="ES"></span></p>
<div>
<div style="border:none;
border-top:solid #E1E1E1 1.0pt;
padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal"
style="margin: 0in; font-size:
11pt; font-family: Calibri,
sans-serif;">
<b><span lang="ES">From:</span></b><span
lang="ES"> Cscwg-public <<a
href="mailto:cscwg-public-bounces@cabforum.org"
target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
class="x_moz-txt-link-freetext
moz-txt-link-freetext"
moz-do-not-send="true">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Bruce
Morton via Cscwg-public<br>
<b>Sent:</b> Thursday, March 3,
2022 15:08<br>
<b>To:</b> Doug Beattie <<a
href="mailto:doug.beattie@globalsign.com" target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
class="x_moz-txt-link-freetext
moz-txt-link-freetext"
moz-do-not-send="true">doug.beattie@globalsign.com</a>>;
Ian McMillan <<a
href="mailto:ianmcm@microsoft.com"
target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
class="x_moz-txt-link-freetext
moz-txt-link-freetext"
moz-do-not-send="true">ianmcm@microsoft.com</a>>;
Tim Hollebeek <<a
href="mailto:tim.hollebeek@digicert.com"
target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
class="x_moz-txt-link-freetext
moz-txt-link-freetext"
moz-do-not-send="true">tim.hollebeek@digicert.com</a>>;
<a
href="mailto:cscwg-public@cabforum.org"
target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
class="x_moz-txt-link-freetext
moz-txt-link-freetext"
moz-do-not-send="true">
cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re:
[Cscwg-public] Update to
Subscriber Private Key
Protection Requirements (CSC-6
to CSC-13)</span></p>
</div>
</div>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"> </span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<div>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
Doug,<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
Regarding the 16.2 section, this
statement was also struck-out,
“After 2021-06-01, the same
protection requirements SHALL apply
to Non EV Code Signing
Certificates.” So I believe that the
requirement already applied to
normal code signing certificates.
The edits are just a cleanup.<span
lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
Bruce.<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<div>
<div style="border:none;
border-top:solid #E1E1E1 1.0pt;
padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal"
style="margin: 0in; font-size:
11pt; font-family: Calibri,
sans-serif;">
<b>From:</b> Doug Beattie <<span
lang="ES"><a
href="mailto:doug.beattie@globalsign.com"
target="_blank"
rel="noopener noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">doug.beattie@globalsign.com</span></a></span>>
<br>
<b>Sent:</b> Thursday, March 3,
2022 6:56 AM<br>
<b>To:</b> Ian McMillan <<span
lang="ES"><a
href="mailto:ianmcm@microsoft.com"
target="_blank"
rel="noopener noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">ianmcm@microsoft.com</span></a></span>>;
Tim Hollebeek <<span
lang="ES"><a
href="mailto:tim.hollebeek@digicert.com"
target="_blank"
rel="noopener noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">tim.hollebeek@digicert.com</span></a></span>>;
<span lang="ES"><a
href="mailto:cscwg-public@cabforum.org"
target="_blank"
rel="noopener noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">cscwg-public@cabforum.org</span></a></span>;
Bruce Morton <<span lang="ES"><a
href="mailto:Bruce.Morton@entrust.com" target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">Bruce.Morton@entrust.com</span></a></span>><br>
<b>Subject:</b> [EXTERNAL] RE:
Update to Subscriber Private Key
Protection Requirements (CSC-6
to CSC-13)<span lang="ES"></span></p>
</div>
</div>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
Hi Ian,<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
Good work on section 16.3, that is
much more clear now. I have 2 more
comments for your consideration.<span
lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
Comment #1:<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
In Section 11.7 we say:<span
lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri,
sans-serif;margin-left:.5in">
If the CA is aware that the
Applicant was the victim of a
Takeover Attack, the CA MUST verify
that the Applicant is protecting its
Code Signing Private Keys under
Section 16.3.1(1) or Section
16.3.1(2). The CA MUST verify the
Applicant’s compliance with Section
16.3.1(1) or Section 16.3.1(2) (i)
through technical means that confirm
the Private Keys are protected using
the method described in 16.3.1(1) or
16.3.1(2) or (ii) by relying on a
report provided by the Applicant
that is signed by an auditor who is
approved by the CA and who has IT
and security training or is a CISA.<span
lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
But now there are actually 2 lists
in sections 16.3.1(1) or Section
16.3.1(2) with those list numbers.
Do we need to be more specific, or
renumber the second list a-c?
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
After 15 November, what is the right
remediation for a Takeover Attack: do
we need to reference one or more of
the items in the new list (the list
we might renumber a-c), or is there
no remediation now?<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
There are multiple references to
16.3.1(1) so we’d want to apply the
same logic to all instances.<span
lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
Comment #2:<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
Section 16.2 removed the reference
to EV in the scope so this applies
to normal Code signing
certificates. Since this does not
have a date associated with it, do
we assume that this requirement
change for normal code signing certs
is effective immediately?<span
lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<div>
<div style="border:none;
border-top:solid #E1E1E1 1.0pt;
padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal"
style="margin: 0in; font-size:
11pt; font-family: Calibri,
sans-serif;">
<b>From:</b> Ian McMillan <<span
lang="ES"><a
href="mailto:ianmcm@microsoft.com"
target="_blank"
rel="noopener noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">ianmcm@microsoft.com</span></a></span>>
<br>
<b>Sent:</b> Wednesday, March 2,
2022 5:56 PM<br>
<b>To:</b> Tim Hollebeek <<span
lang="ES"><a
href="mailto:tim.hollebeek@digicert.com"
target="_blank"
rel="noopener noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">tim.hollebeek@digicert.com</span></a></span>>;
<span lang="ES"><a
href="mailto:cscwg-public@cabforum.org"
target="_blank"
rel="noopener noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">cscwg-public@cabforum.org</span></a></span>;
Doug Beattie <<span lang="ES"><a
href="mailto:doug.beattie@globalsign.com" target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">doug.beattie@globalsign.com</span></a></span>>;
Bruce Morton <<span lang="ES"><a
href="mailto:bruce.morton@entrust.com" target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">bruce.morton@entrust.com</span></a></span>><br>
<b>Subject:</b> RE: Update to
Subscriber Private Key
Protection Requirements (CSC-6
to CSC-13)<span lang="ES"></span></p>
</div>
</div>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
Thank you, Tim, I really like the
structure suggestions here. I’ve
made those updates per your
suggestion in the attached copy of
the redline document.
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
I’ll note your endorsement.<span
lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
Cheers,<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
Ian<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<div>
<div style="border:none;
border-top:solid #E1E1E1 1.0pt;
padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal"
style="margin: 0in; font-size:
11pt; font-family: Calibri,
sans-serif;">
<b>From:</b> Tim Hollebeek <<span
lang="ES"><a
href="mailto:tim.hollebeek@digicert.com"
target="_blank"
rel="noopener noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">tim.hollebeek@digicert.com</span></a></span>>
<br>
<b>Sent:</b> Wednesday, March 2,
2022 4:57 PM<br>
<b>To:</b> Ian McMillan <<span
lang="ES"><a
href="mailto:ianmcm@microsoft.com"
target="_blank"
rel="noopener noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">ianmcm@microsoft.com</span></a></span>>;
<span lang="ES"><a
href="mailto:cscwg-public@cabforum.org"
target="_blank"
rel="noopener noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">cscwg-public@cabforum.org</span></a></span>;
Doug Beattie <<span lang="ES"><a
href="mailto:doug.beattie@globalsign.com" target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">doug.beattie@globalsign.com</span></a></span>>;
Bruce Morton <<span lang="ES"><a
href="mailto:bruce.morton@entrust.com" target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">bruce.morton@entrust.com</span></a></span>><br>
<b>Subject:</b> [EXTERNAL] RE:
Update to Subscriber Private Key
Protection Requirements (CSC-6
to CSC-13)<span lang="ES"></span></p>
</div>
</div>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
I would recommend against using
parentheticals to express the
deprecation dates, as it makes the
sentences more complicated than they
need to be. I’d just modify the
first sentence of each part so the
structure is as follows:<span
lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
For Non-EV Code Signing
Certificates issued prior to
November 15, 2022, …<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
For EV Code Signing Certificates
issued prior to November 15, 2022, …<span
lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
Effective November 15, 2022, …<span
lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
But otherwise, the updates look good
and we are willing to endorse
CSC-13.<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
-Tim<span lang="ES"></span></p>
<p class="x_MsoNormal" style="margin:
0in; font-size: 11pt; font-family:
Calibri, sans-serif;">
<span lang="ES"></span></p>
<div style="border:none;
border-left:solid blue 1.5pt;
padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;
border-top:solid #E1E1E1 1.0pt;
padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal"
style="margin: 0in; font-size:
11pt; font-family: Calibri,
sans-serif;">
<b>From:</b> Ian McMillan <<span
lang="ES"><a
href="mailto:ianmcm@microsoft.com"
target="_blank"
rel="noopener noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">ianmcm@microsoft.com</span></a></span>>
<br>
<b>Sent:</b> Wednesday, March
2, 2022 11:31 AM<br>
<b>To:</b> <span lang="ES"><a
href="mailto:cscwg-public@cabforum.org" target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">cscwg-public@cabforum.org</span></a></span>;
Doug Beattie <<span
lang="ES"><a
href="mailto:doug.beattie@globalsign.com"
target="_blank"
rel="noopener noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">doug.beattie@globalsign.com</span></a></span>>;
Bruce Morton <<span
lang="ES"><a
href="mailto:bruce.morton@entrust.com"
target="_blank"
rel="noopener noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">bruce.morton@entrust.com</span></a></span>>;
Tim Hollebeek <<span
lang="ES"><a
href="mailto:tim.hollebeek@digicert.com"
target="_blank"
rel="noopener noreferrer"
data-auth="NotApplicable"
moz-do-not-send="true"><span
lang="EN-US">tim.hollebeek@digicert.com</span></a></span>><br>
<b>Subject:</b> Update to
Subscriber Private Key
Protection Requirements (CSC-6
to CSC-13)<span lang="ES"></span></p>
</div>
</div>
<p class="x_MsoNormal"
style="margin: 0in; font-size:
11pt; font-family: Calibri,
sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal"
style="margin: 0in; font-size:
11pt; font-family: Calibri,
sans-serif;">
Hi Folks,<span lang="ES"></span></p>
<p class="x_MsoNormal"
style="margin: 0in; font-size:
11pt; font-family: Calibri,
sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal"
style="margin: 0in; font-size:
11pt; font-family: Calibri,
sans-serif;">
Attached you will find an updated
redline doc of v2.7 of the CSBRs
with the updates to the subscriber
private key protection
requirements as outlined
previously in CSC-6. This updated
version also includes edits to
address issues Doug Beattie raised
during the voting period of CSC-6,
so I am looking for confirmation
from Doug on these edits
addressing the concerns he raised.
<span lang="ES"></span></p>
<p class="x_MsoNormal"
style="margin: 0in; font-size:
11pt; font-family: Calibri,
sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal"
style="margin: 0in; font-size:
11pt; font-family: Calibri,
sans-serif;">
Additionally, I’m looking to get
endorsements on this ballot under
<span lang="ES">
<a
href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps*3A*2F*2Fwiki.cabforum.org*2Fcscwg*2Fcsc_13_-_update_to_subscriber_private_key_protection_requirements%26data%3D04*7C01*7Cianmcm*40microsoft.com*7Ce6a5592ea98440d1462508da01f05f7d*7C72f988bf86f141af91ab2d7cd011db47*7C0*7C0*7C637824429178363769*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C3000%26sdata%3D9so2*2BiOyK9XXEQ8Y*2F*2FnOEd0ZymEoU*2Fub9lk8VS6ucbE*3D%26reserved%3D0__%3BJSUlJSUlJSUlJSUlJSUlJSUlJSUlJQ!!FJ-Y8qCqXTj2!JS-t5TK8xNLRrrr-l8arUfUupgt7PadMcuUOBT4reSeB5x7-jWypHWzhZNsG6GTE_x0%24&data=04%7C01%7Cianmcm%40microsoft.com%7C930e1d88bad74c7a3ec408da02dab235%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637825435611904880%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=uCj7cFUrdj%2FvFKrzwe0QUzczK%2FhPyYfwVyDwD2hRFF0%3D&reserved=0"
target="_blank" rel="noopener
noreferrer"
data-auth="NotApplicable"
title="cscwg:csc_13_-_update_to_subscriber_private_key_protection_requirements"
moz-do-not-send="true"><span
lang="EN-US">CSC 13 - Update
to Subscriber Private Key
Protection Requirements</span></a></span>,
and hope that Bruce and Tim, as
previous endorsers, can review the
edits and endorse the new ballot.
Once we have endorsers I’ll
proceed with the formal ballot
process.
<span lang="ES"></span></p>
<p class="x_MsoNormal"
style="margin: 0in; font-size:
11pt; font-family: Calibri,
sans-serif;">
<span lang="ES"></span></p>
<p class="x_MsoNormal"
style="margin: 0in; font-size:
11pt; font-family: Calibri,
sans-serif;">
Cheers,<span lang="ES"></span></p>
<p class="x_MsoNormal"
style="margin: 0in; font-size:
11pt; font-family: Calibri,
sans-serif;">
Ian <span lang="ES"></span></p>
</div>
</div>
</div>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;margin-bottom:12.0pt">
<span lang="ES"> </span></p>
<pre style="margin: 0in; font-size: 12pt; font-family: "MS Gothic";"><span lang="ES">_______________________________________________</span></pre>
<pre style="margin: 0in; font-size: 12pt; font-family: "MS Gothic";"><span lang="ES">Cscwg-public mailing list</span></pre>
<pre style="margin: 0in; font-size: 12pt; font-family: "MS Gothic";"><span lang="ES"><a href="mailto:Cscwg-public@cabforum.org" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable" class="x_moz-txt-link-freetext moz-txt-link-freetext" moz-do-not-send="true">Cscwg-public@cabforum.org</a></span></pre>
<pre style="margin: 0in; font-size: 12pt; font-family: "MS Gothic";"><span lang="ES"><a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Fnam06.safelinks.protection.outlook.com%2F%3Furl%3Dhttps*3A*2F*2Flists.cabforum.org*2Fmailman*2Flistinfo*2Fcscwg-public%26data%3D04*7C01*7Cianmcm*40microsoft.com*7Ce6a5592ea98440d1462508da01f05f7d*7C72f988bf86f141af91ab2d7cd011db47*7C0*7C0*7C637824429178363769*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C3000%26sdata%3DLnP7dwOGGX87Z6tZNa*2BnglvDc7Px*2BrqaClOqrPsfS48*3D%26reserved%3D0__%3BJSUlJSUlJSUlJSUlJSUlJSUlJSUl!!FJ-Y8qCqXTj2!JS-t5TK8xNLRrrr-l8arUfUupgt7PadMcuUOBT4reSeB5x7-jWypHWzhZNsGCdboIbM%24&data=04%7C01%7Cianmcm%40microsoft.com%7C930e1d88bad74c7a3ec408da02dab235%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637825435611954879%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=aPPWwtxmIuwxR9iSMbGSVKmtV%2FjraFwjEVoN4LyCqYc%3D&reserved=0" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a></span></pre>
</blockquote>
</blockquote>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<span style="" lang="ES"> </span><span
lang="ES"></span></p>
</div>
</blockquote>
<p class="x_MsoNormal" style="margin: 0in;
font-size: 11pt; font-family: Calibri,
sans-serif;">
<span style="" lang="ES"> </span><span lang="ES"></span></p>
</div>
</blockquote>
<p class="x_MsoNormal" style="margin: 0in; font-size:
11pt; font-family: Calibri, sans-serif;">
<span style="" lang="ES"> </span></p>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</body>
</html>