<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><font face="Calibri">I apologize for being so frank but ...
suggesting (and by Microsoft itself) such a huge extension of
the deadline makes me think that the security threats that led
to the introduction of the new requirements on private key
protection were not so well founded or important ....</font></p>
<font face="Calibri">Adriano</font>
<p><font face="Calibri">ACTALIS S.p.A.</font></p>
<p><br>
</p>
<div class="moz-cite-prefix">Il 07/09/2022 16:57, Ian McMillan via
Cscwg-public ha scritto:<br>
</div>
<blockquote type="cite"
cite="mid:01000183187467e5-7dfccd2b-b6c6-44cb-af0a-5feef90de6d3-000000@email.amazonses.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}span.EmailStyle19
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}div.WordSection1
{page:WordSection1;}ol
{margin-bottom:0in;}ul
{margin-bottom:0in;}</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<title></title>
<div align="center">
<table width="30%" cellspacing="2" cellpadding="2" border="1">
<tbody>
<tr>
<td valign="top" bgcolor="#ffff00"> <span style="color:
red;">NOTICE:</span> Pay attention - external email -
Sender is
<a class="moz-txt-link-abbreviated
moz-txt-link-freetext"
href="mailto:01000183187467e5-7dfccd2b-b6c6-44cb-af0a-5feef90de6d3-000000@amazonses.com">01000183187467e5-7dfccd2b-b6c6-44cb-af0a-5feef90de6d3-000000@amazonses.com</a>
</td>
</tr>
</tbody>
</table>
<br>
</div>
<br>
<div class="WordSection1">
<p class="MsoNormal">Hi Folks,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Since the announcement of the new
subscriber private key protection requirements in CSBR v2.8
(Ballot CSC-13), I’ve fielded a number of questions and
feedback on the November 15, 2022 deadline. I feel it is in
the best interest of subscribers and CAs to delay this
deadline to be October 1, 2023 for a number of reasons.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<ol style="margin-top:0in" type="1" start="1">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo3">Subscriber
& CA readiness time window from v2.8 to the November 15,
2022 deadline is too tight.<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo3">The November
15, 2022 deadline lands too close to typical end of calendar
year deployment or change “freeze” periods.<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo3">The current
global economic state makes investments a challenge and
added operational budget pressure for all parties
(subscribers, CAs, certificate consumers).<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo3">Supply chain
challenges make obtaining the proper key protection solution
by November 15, 2022 increasingly difficult.<o:p></o:p></li>
</ol>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The accumulation of challenges for both
subscribers and CAs, I feel we need to delay the deadline to
be delayed. That said, I’d like to propose we have a “SHOULD”
date of June 1, 2023, and a “MUST” date of October 1, 2023. I
believe this will allow CAs and subscribers to begin adoption
of the new private key protection requirements ahead of the
enforcement deadline of October 1, 2023. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’d like to discuss this as an immediate
ballot in the next WG meeting scheduled for September 8, 2022.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Cheers,<o:p></o:p></p>
<p class="MsoNormal">Ian McMillan<o:p></o:p></p>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Cscwg-public mailing list
<a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/cscwg-public">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a>
</pre>
</blockquote>
</body>
</html>