<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 2/2/2023 5:56 PM, Bruce Morton
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DM5PR11MB004181FE6901BEA266C6DEEC82D69@DM5PR11MB0041.namprd11.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">Hi Martijn,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I don’t
think I can endorse the current proposal as it does not
appear to be meeting the goal I was hoping for, which was to
simplify the process. I do like the way that the
requirements are defined in the SSL and S/MIME BRs. These
documents give revocation time deadlines and reasons for
each deadline.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I do
understand that signing of suspect code is a little more
complicated as the Subscriber may have good signatures, but
then get compromised. I think we tried to address this
issue, by providing 7-days to revoke a certificate which has
signed suspect code. This would allow the CA, Subscriber and
perhaps the Application Software Supplier to provide the
earliest revocation date. Note, with private keys in
hardware, the Subscriber will more likely be an attacker and
will not respond.</span></p>
</div>
</blockquote>
<br>
If there is no response, then the CA revokes and can set the
revocation date to the date before the signing of the Suspect Code.
My suggestion in a previous meeting was the following:<br>
<ul>
<li>If the CA has reasonable assurance that a Certificate was used
to sign Suspect Code, then the CA shall revoke the Certificate
within 24h and set a revocation date to a date and time before
the signing of the Suspect Code.</li>
</ul>
<p>There were concerns raised that this backdate revocation might
invalidate other Code, not classified as "Suspect" and may cause
more harm than good. I can't really see why we should allow
Suspect Code to be executed and risk users' safety and personal
data, because that Subscriber has signed other "good" Code after
signing the Suspect Code.<br>
</p>
<br>
<blockquote type="cite"
cite="mid:DM5PR11MB004181FE6901BEA266C6DEEC82D69@DM5PR11MB0041.namprd11.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Note, I
don’t believe “Revoking a certificate at current time has
absolutely no impact on existing signed malware” is true. If
the suspect code is not time-stamped, then revoking at the
current time will impact the suspect code signature and all
other signatures which are not time-stamped. This might be
the easiest and quickest way to deal with non-time-stamped
signatures on suspect code. </span></p>
</div>
</blockquote>
<br>
We rarely see non-timestamped code out there but Ian might be able
to share some more insight with real numbers (timestamped code
executed vs non-timestamped).<br>
<br>
I don't disagree with revoking immediately (at "current date") and
setting a revocation date in the past after 5, 7 or 10 days to
further mitigate the Relying Party risk.<br>
<br>
<blockquote type="cite"
cite="mid:DM5PR11MB004181FE6901BEA266C6DEEC82D69@DM5PR11MB0041.namprd11.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">On the other
hand, 7-days would allow the Subscriber to re-sign code they
did not time-stamp. Although, I am not really in favor of
providing extra time for Subscribers which are not
time-stamping.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
</div>
</blockquote>
Agreed. Please see my previous comment.<br>
<br>
<blockquote type="cite"
cite="mid:DM5PR11MB004181FE6901BEA266C6DEEC82D69@DM5PR11MB0041.namprd11.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">It would be
great if, after this ballot and the ballot that Dimitris is
doing, we had just sections 4.9.1.1 for 24-hour
revocation and 4.9.1.2 for 7-day revocation. This would
align the sections with the SSL and S/MIME BRs and probably
our CPS documents.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
</div>
</blockquote>
<br>
If Ian is ok with not requiring long delays for Subscriber impact
assessments and contacting Application Software Suppliers at a
Global level (which in my opinion wouldn't really scale), we could
do the following:<br>
<ul>
<li>set the revocation timelines according to 4.9.1.1 and 4.9.1.2
to align with TLS and S/MIME BR numbering, setting the
"revocation date/time" at "current time"</li>
<li>AND provide an option with a hard 7-days deadline after a
Certificate Problem Report is received only to set the best
"revocation time". The output of this second process will be
either a "revocation time" before the signing of the Suspect
Code, or a "more appropriate" one.</li>
</ul>
<p>Does that seem to work?</p>
<p>Thanks,</p>
<p>Dimitris.<br>
</p>
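<p>Added example, not part of the original e-mail or of the CSCWG text: a simplified Python model of the two options discussed above (a revocation date set at "current time" versus one set before the signing of the Suspect Code) and their effect on time-stamped and non-time-stamped signatures. The relying-party rule, the <code>Signature</code> type and every name and date are assumptions constructed for illustration.</p>

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Signature:
    name: str
    suspect: bool                  # True if the signed file is Suspect Code
    timestamp: Optional[datetime]  # None: signature carries no trusted time-stamp


def still_trusted(sig, revocation_date, verified_at):
    """Assumed relying-party rule: a time-stamped signature is judged at its
    time-stamp, a non-time-stamped one at verification time. It stays trusted
    only if that reference time is earlier than the revocation date."""
    reference = sig.timestamp if sig.timestamp is not None else verified_at
    return revocation_date > reference


def backdated_revocation_date(signatures, margin=timedelta(minutes=1)):
    """Revocation date just before the earliest time-stamped Suspect Code."""
    stamps = [s.timestamp for s in signatures if s.suspect and s.timestamp is not None]
    if not stamps:
        raise ValueError("no time-stamped Suspect Code: back-dating gains nothing")
    return min(stamps) - margin


def assess(signatures, revocation_date, verified_at):
    """Report which signatures survive and what each choice costs."""
    trusted = {s.name: still_trusted(s, revocation_date, verified_at) for s in signatures}
    return {
        "trusted": trusted,
        "suspect_still_runs": sorted(
            s.name for s in signatures if s.suspect and trusted[s.name]),
        "good_code_broken": sorted(
            s.name for s in signatures if not s.suspect and not trusted[s.name]),
    }


# Constructed sample data (not taken from any real incident).
SIGNATURES = [
    Signature("good-v1", False, datetime(2023, 1, 2, 9, 0, tzinfo=UTC)),
    Signature("suspect-timestamped", True, datetime(2023, 1, 10, 12, 0, tzinfo=UTC)),
    Signature("good-v2", False, datetime(2023, 1, 15, 9, 0, tzinfo=UTC)),
    Signature("good-untimestamped", False, None),
    Signature("suspect-untimestamped", True, None),
]
REPORT_RECEIVED = datetime(2023, 1, 20, 9, 0, tzinfo=UTC)
# Option 1: revoke within 24h of the report, revocation date = current time.
REVOKED_AT_CURRENT_TIME = REPORT_RECEIVED + timedelta(hours=20)
# Option 2: revocation date set before the signing of the Suspect Code.
BACKDATED = backdated_revocation_date(SIGNATURES)
# A relying party checks the files some time after the revocation is published.
VERIFIED_AT = datetime(2023, 2, 2, 0, 0, tzinfo=UTC)

if __name__ == "__main__":
    for label, date in (("current time", REVOKED_AT_CURRENT_TIME),
                        ("backdated", BACKDATED)):
        result = assess(SIGNATURES, date, VERIFIED_AT)
        print(label, date.isoformat())
        print("  Suspect Code still trusted:", result["suspect_still_runs"])
        print("  good code no longer trusted:", result["good_code_broken"])
```

<p>Under this model, revoking at current time only stops non-time-stamped signatures, while the backdated date stops the time-stamped Suspect Code at the cost of the good code signed after it.</p>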
<br>
<br>
<blockquote type="cite"
cite="mid:DM5PR11MB004181FE6901BEA266C6DEEC82D69@DM5PR11MB0041.namprd11.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Bruce.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt">From:</span></b><span
style="font-size:11.0pt"> Cscwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:cscwg-public-bounces@cabforum.org">&lt;cscwg-public-bounces@cabforum.org&gt;</a>
<b>On Behalf Of </b>Martijn Katerbarg via Cscwg-public<br>
<b>Sent:</b> Friday, January 27, 2023 6:04 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>; Dimitris
Zacharopoulos (HARICA) <a class="moz-txt-link-rfc2396E" href="mailto:dzacharo@harica.gr">&lt;dzacharo@harica.gr&gt;</a><br>
<b>Subject:</b> [EXTERNAL] Re: [Cscwg-public] Proposal
to make changes to revocation based on malware<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">WARNING:
This email originated outside of Entrust.<br>
DO NOT CLICK links or attachments unless you trust the
sender and know the content is safe.<o:p></o:p></span></p>
<div class="MsoNormal" style="text-align:center" align="center"><span
style="font-size:11.0pt">
<hr width="100%" size="2" align="center">
</span></div>
<p class="MsoNormal"><span class="EmailStyle22"><span
style="font-size:11.0pt">All, the language has been
updated and is available on
<a
href="https://github.com/cabforum/code-signing/pull/10/files"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/cabforum/code-signing/pull/10/files</a>
for review</span></span><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span
style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black">Cscwg-public
&lt;<a href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">cscwg-public-bounces@cabforum.org</a>&gt;
on behalf of Martijn Katerbarg via Cscwg-public &lt;<a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">cscwg-public@cabforum.org</a>&gt;<br>
<b>Date: </b>Tuesday, 24 January 2023 at 22:45<br>
<b>To: </b>Dimitris Zacharopoulos (HARICA) &lt;<a
href="mailto:dzacharo@harica.gr" moz-do-not-send="true"
class="moz-txt-link-freetext">dzacharo@harica.gr</a>&gt;,
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">cscwg-public@cabforum.org</a>
&lt;<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">cscwg-public@cabforum.org</a>&gt;<br>
<b>Subject: </b>Re: [Cscwg-public] Proposal to make
changes to revocation based on malware<o:p></o:p></span></p>
</div>
<div style="border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt
2.0pt">
<p class="MsoNormal"
style="line-height:12.0pt;background:#FAFA03"><span
style="color:black">CAUTION: This email originated from
outside of the organization. Do not click links or open
attachments unless you recognize the sender and know the
content is safe.<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:'Times New
Roman',serif">&gt; T</span><span
style="font-size:12.0pt;font-family:'Times New
Roman',serif">here is nothing preventing the CA to
revoke a certificate right away. Revoking a certificate
<b>at current time</b> has absolutely no impact on
existing signed malware. The impact assessment affects
cases of backdating the revocation. I'm afraid this
"SHOULD" is just going to be ignored, unless you feel that
the CA has enough evidence to backdate revoke a
certificate and does not want to wait for an impact
assessment of affected Relying Parties by the Subscriber.
If it's the latter, I agree but we need to write it a bit
clearer.</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:'Times New
Roman',serif"> </span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">That
latter case is indeed the one I’d like to address. I’ll
take a look at appropriate language for it.</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:'Times New
Roman',serif"> </span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:12.0pt;font-family:'Times New
Roman',serif">&gt;
</span><span style="font-size:12.0pt;font-family:'Times
New Roman',serif">Yes. 7 days seem reasonable to
pause the revocation process waiting for a response from
the Application Software Supplier but IMO no more than
that.<br>
<br>
</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">No
objection from my end with that approach, but I would then
like to combine bullet 2 and 3 into one since they are
strongly connected. It takes away any doubt in
interpretation.</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">I’ll
get on adding these changes in GH</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt">From:</span></b><span
style="font-size:11.0pt"> Dimitris Zacharopoulos
(HARICA) &lt;<a href="mailto:dzacharo@harica.gr"
moz-do-not-send="true" class="moz-txt-link-freetext">dzacharo@harica.gr</a>&gt;
<br>
<b>Sent:</b> Tuesday, 24 January 2023 16:25<br>
<b>To:</b> Martijn Katerbarg &lt;<a
href="mailto:martijn.katerbarg@sectigo.com"
moz-do-not-send="true" class="moz-txt-link-freetext">martijn.katerbarg@sectigo.com</a>&gt;;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] Proposal to make
changes to revocation based on malware</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:'Times New
Roman',serif"> </span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt">On
24/1/2023 11:47 AM, Martijn Katerbarg wrote:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">Thanks
for the proposal Dimitris.</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">I
have a few remarks on this:</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">“<i>The
CA SHALL request the Subscriber to respond with an
impact assessment of affected Relying Parties if the
revocation date is set before the time that the
Private Key became compromised or likely used to
sign Suspect Code, and to state the associated
Application Software Supplier(s).”</i><br>
I’d like to propose we change this into:<br>
“<i>The CA SHALL request the Subscriber to respond
with an acknowledgement and SHOULD request the
Subscriber to respond with an impact assessment of
affected Relying Parties if the revocation date is
set before the time that the Private Key became
compromised or likely used to sign Suspect Code, and
to state the associated Application Software
Supplier(s).</i>”</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">This
offers CAs the option not to request an impact
assessment if they deem the evidence clear enough
warranting revocation right away.
</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:12.0pt;font-family:'Times New
Roman',serif"><br>
There is nothing preventing the CA to revoke a
certificate right away. Revoking a certificate
<b>at current time</b> has absolutely no impact on
existing signed malware. The impact assessment affects
cases of backdating the revocation. I'm afraid this
"SHOULD" is just going to be ignored, unless you feel
that the CA has enough evidence to backdate revoke a
certificate and does not want to wait for an impact
assessment of affected Relying Parties by the
Subscriber. If it's the latter, I agree but we need to
write it a bit clearer.<br>
<br>
<br>
</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">I’m
also wondering on the interpretation of the following
2 clauses:</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">“<i>2.
Based on the feedback received, the CA MAY determine
a more appropriate revocation date to be associated
with the revocation of the Certificate.</i></span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><i><span
style="font-size:11.0pt;mso-fareast-language:EN-US">3.
The CA SHALL revoke the Certificate within 7 days
after the CA received the Certificate Problem
Report.</span></i><span
style="font-size:11.0pt;mso-fareast-language:EN-US">”</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">I
like to think this means that even with a plan
submitted to the Application Software Suppliers,
revocation MUST occur no later than 7 days after the
CPR was received. Is that what you also intend here?</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:12.0pt;font-family:'Times New
Roman',serif"><br>
Yes. 7 days seem reasonable to pause the revocation
process waiting for a response from the Application
Software Supplier but IMO no more than that.<br>
<br>
<br>
</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><br>
In my opinion that should be the maximum time before
revocation needs to happen, however, it feels like the
whole impact assessment may be a lot of work for a
Subscriber, in order to only get 48 hours of extra
time before a revocation needs to happen (Although to
be fair these may be the very few edge cases, for
which it could be useful). <br>
<br>
<br>
</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">Thoughts?</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:12.0pt;font-family:'Times New
Roman',serif"><br>
We may need some more feedback from CAs that have
actually experienced such cases. From my perspective, 48
hours for a quick impact assessment, seems reasonable
considering the impact of a malware to millions of users
worldwide that could be stopped by a single backdate
revocation action from the CA.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<br>
</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt">From:</span></b><span
style="font-size:11.0pt"> Cscwg-public
<a href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true">&lt;cscwg-public-bounces@cabforum.org&gt;</a>
<b>On Behalf Of </b>Dimitris Zacharopoulos
(HARICA) via Cscwg-public<br>
<b>Sent:</b> Thursday, 15 December 2022 14:27<br>
<b>To:</b> <a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] Proposal to
make changes to revocation based on malware</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:'Times New
Roman \,serif'"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt">On
12/15/2022 11:59 AM, Martijn Katerbarg via
Cscwg-public wrote:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">All,</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">We
had a good discussion on the malware proposal during
the last call. I believe we’re nearly there. Trevoli
and Tim you had suggestions (and thank you Dean for
spelling it out in the minutes!) to make it more
clear and also allow for the exceptional cases where
revoking a CS cert would do more damage than not.
<br>
<br>
Based on this, it seems we were leaning into making
the following changes:</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><br>
Change:</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">
a. If the Subscriber responds within 72 hours, the
CA and Subscriber MAY determine a "reasonable date"
to revoke the certificate. The revocation date MUST
NOT be more than 7 calendar days after the CA
received the Certificate Problem Report.<br>
Into:<br>
a. If the Subscriber responds within 72 hours,
the CA MAY determine a "reasonable date" to revoke
the certificate. The CA:</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoListParagraph"
style="margin-left:.75in;text-indent:-.25in;mso-list:l3
level1 lfo1">
<!--[if !supportLists]--><span
style="font-size:11.0pt"><span
style="mso-list:Ignore">1.<span style="font:7.0pt
'Times New Roman'">
</span></span></span><!--[endif]--><span
style="font-size:11.0pt;mso-fareast-language:EN-US">MUST
revoke the certificate no later than 7 calendar days
after the CA received the Certificate Problem
Report; or,</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoListParagraph"
style="margin-left:.75in;text-indent:-.25in;mso-list:l3
level1 lfo1">
<!--[if !supportLists]--><span
style="font-size:11.0pt"><span
style="mso-list:Ignore">2.<span style="font:7.0pt
'Times New Roman'">
</span></span></span><!--[endif]--><span
style="font-size:11.0pt;mso-fareast-language:EN-US">MUST
submit a plan for revocation to all Application
Software Suppliers based on discussions with the
Subscriber no later than 7 calendar days after the
CA received the Certificate Problem Report</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><br>
Thoughts on this?<br>
The one thought I have on this is, are Application
Software Suppliers (i.e. Certificate Consumers, but
that’s not a CSCBR defined term) willing to take on
these plans and provide responses to the CA?
<br>
Cause if they don’t, it seems we again have a
loophole in which revocation can be done much later
based upon subscriber request…</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:12.0pt;font-family:'Times New
Roman \,serif'"><br>
I have the same concerns with the second bullet. And
how do we determine "all" Suppliers? CAs have no
visibility on Relying Party software.<br>
<br>
I believe that the reason to "contact
negatively-affected Application Software Suppliers" is
to determine the proper "reasonable date" that would
invalidate the malware signatures and not affect other
"good signatures" that would have a significant impact
on Relying Parties. If there is no response from the
Application Software Supplier, the CA should revoke
with a "reasonable date" based on its investigation at
the time.<br>
<br>
Please take a look at the following proposal. I'd
appreciate feedback and language improvements to
describe the process accurately and safely in order to
protect Relying Parties from executing Suspect Code as
much as possible. Worst case, CAs will revoke the
Certificate with a revocation date set at the time of
the revocation event which does not affect any
previously signed code, including the Suspect Code
which will be executed successfully by Relying Parties
even after the revocation of the Certificate.</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<h4><i>4.9.1.3 Revocation Based on Reported or Detected
Compromise or Use in Suspect Code</i><o:p></o:p></h4>
<p><i>Except for cases that fall under Section 4.9.1.1,
if, while investigating a Certificate Problem Report,
the CA determines the Subscriber's Private Key is
compromised or likely being used for Suspect Code, the
CA SHALL revoke the corresponding Code Signing
Certificate in accordance with and within the
following maximum time frames. Nothing herein
prohibits a CA from revoking a Code Signing
Certificate prior to these time frames.</i><o:p></o:p></p>
<ol type="1" start="1">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1
level1 lfo2">
<i><span
style="font-size:12.0pt;font-family:'Times
New Roman \,serif'">The CA SHALL contact the
Subscriber within 24 hours after the CA received
the Certificate Problem Report, notifying that the
Certificate is scheduled to be revoked with a
revocation date set before the time that the
Private Key became compromised or likely used to
sign Suspect Code. This revocation date is set in
the past to prevent Relying Parties from executing
Suspect Code signed with the affected Code Signing
Certificate.</span></i><span
style="font-size:11.0pt"><o:p></o:p></span></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1
level1 lfo2">
<i><span
style="font-size:12.0pt;font-family:'Times
New Roman \,serif'">The CA SHALL request the
Subscriber to respond with an impact assessment of
affected Relying Parties if the revocation date is
set before the time that the Private Key became
compromised or likely used to sign Suspect Code,
and to state the associated Application Software
Supplier(s).</span></i><span
style="font-size:11.0pt"><o:p></o:p></span></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1
level1 lfo2">
<i><span
style="font-size:12.0pt;font-family:'Times
New Roman \,serif'">The CA SHALL request the
Subscriber to respond to the CA within 72 hours of
the CA sending the notification.
</span></i><span style="font-size:11.0pt"><o:p></o:p></span></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1
level1 lfo2">
<i><span
style="font-size:12.0pt;font-family:'Times
New Roman \,serif'">If the Subscriber
responds within 72 hours,
</span></i><i><span style="font-size:12.0pt">then
based on the Subscriber's impact assessment:</span></i><span
style="font-size:11.0pt"><o:p></o:p></span></li>
</ol>
<ol type="1" start="4">
<ol type="1" start="1">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1
level2 lfo2">
<i><span style="font-size:12.0pt">the CA MAY submit
a revocation plan to associated Application
Software Suppliers no later than 7 calendar days
after the CA received the Certificate Problem
Report. The revocation plan:</span></i><span
style="font-size:11.0pt"><o:p></o:p></span></li>
</ol>
</ol>
<ol type="1" start="4">
<ol type="1" start="1">
<ol type="1" start="1">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1
level3 lfo2">
<i><span style="font-size:12.0pt">SHALL contain
informing about the planned revocation date to
be set for the to-be-revoked Certificate; and</span></i><span
style="font-size:11.0pt"><o:p></o:p></span></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1
level3 lfo2">
<i><span style="font-size:12.0pt">SHALL request
suggestions for a "more appropriate"
revocation date in case the proposed
revocation date has a significant impact on
Relying Parties associated with that
particular Application Software Supplier.
</span></i><span style="font-size:11.0pt"><o:p></o:p></span></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1
level3 lfo2">
<i><span style="font-size:12.0pt">The CA SHALL
request the Application Software Supplier to
respond within 72 hours.</span></i><span
style="font-size:11.0pt"><o:p></o:p></span></li>
</ol>
</ol>
</ol>
<ol type="1" start="4">
<ol type="1" start="2">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1
level2 lfo2">
<i><span style="font-size:12.0pt">Based on the
feedback received, the CA MAY determine a more
appropriate revocation date to be associated
with the revocation of the Certificate.</span></i><span
style="font-size:11.0pt"><o:p></o:p></span></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1
level2 lfo2">
<i><span
style="font-size:12.0pt;font-family:&quot;Times New Roman \,serif&quot;">The CA SHALL revoke the
Certificate within 7 days after the CA received
the Certificate Problem Report.</span></i><span
style="font-size:11.0pt"><o:p></o:p></span></li>
</ol>
</ol>
<ol type="1" start="5">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1
level1 lfo2">
<i><span
style="font-size:12.0pt;font-family:&quot;Times New Roman \,serif&quot;">If the CA does not
receive a response from the Subscriber, then the
CA SHALL revoke the Certificate within 24 hours
from the end of the response period.</span></i><span
style="font-size:11.0pt"><o:p></o:p></span></li>
</ol>
<p><i>A CA revoking a Certificate because the Certificate
was associated with signed Suspect Code or other
fraudulent or illegal conduct SHOULD provide all
relevant information and risk indicators to other CAs,
Application Software Suppliers, or industry groups.
The CA SHOULD contact the Application Software
Suppliers within 24 hours after the CA received the
Certificate Problem Report.</i><o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:12.0pt;font-family:&quot;Times New Roman \,serif&quot;"><br>
Thanks,<br>
Dimitris.<br>
<br>
<br>
</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">Note:
I won’t be able to attend today’s call, but feel free
to discuss.</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt">From:</span></b><span
style="font-size:11.0pt"> Cscwg-public
<a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true">&lt;cscwg-public-bounces@cabforum.org&gt;</a>
<b>On Behalf Of </b>Dimitris Zacharopoulos
(HARICA) via Cscwg-public<br>
<b>Sent:</b> Tuesday, 29 November 2022 10:13<br>
<b>To:</b> <a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] Proposal to
make changes to revocation based on malware</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
<div style="border:solid black 1.0pt;padding:2.0pt 2.0pt
2.0pt 2.0pt">
<p class="MsoNormal"
style="line-height:12.0pt;background:#FAFA03"><span
style="color:black">CAUTION: This email originated
from outside of the organization. Do not click
links or open attachments unless you recognize the
sender and know the content is safe.</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt">On
28/11/2022 2:50 μ.μ., Martijn Katerbarg via
Cscwg-public wrote:<o:p></o:p></span></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">All,
</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">I
just pushed a new commit (<a
href="https://github.com/cabforum/code-signing/pull/10/commits/8e7e3b4e57960994edea267f0e753358aad99574"
moz-do-not-send="true">https://github.com/cabforum/code-signing/pull/10/commits/8e7e3b4e57960994edea267f0e753358aad99574</a>)
based on the discussions and comments I’ve had
and received. </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">The
complete ballot “redline” in GitHub is available
for review on
</span><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><a
href="https://github.com/cabforum/code-signing/pull/10/files"
moz-do-not-send="true">https://github.com/cabforum/code-signing/pull/10/files</a></span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:12.0pt;font-family:&quot;Times New Roman \,serif&quot;"><br>
If the CA confirms that a Subscriber has signed
"Suspect Code", how would the group feel with a
proposal to require CAs to
<b>backdate revoke</b> the Code Signing
Certificate to a date and time that would
neutralize the Suspect Code? If this date and time
is unlikely to be determined, backdate revoke 1''
after the notBefore date and time of the Code
Signing Certificate?<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<br>
<br>
<br>
<br>
</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt">From:</span></b><span
style="font-size:11.0pt"> Cscwg-public
<a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true">&lt;cscwg-public-bounces@cabforum.org&gt;</a>
<b>On Behalf Of </b>Martijn Katerbarg via
Cscwg-public<br>
<b>Sent:</b> Monday, 26 September 2022 11:58<br>
<b>To:</b> Dimitris Zacharopoulos (HARICA) <a
href="mailto:dzacharo@harica.gr"
moz-do-not-send="true">&lt;dzacharo@harica.gr&gt;</a>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] Proposal
to make changes to revocation based on
malware</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">Thank
you Dimitris. That makes sense. I’ve pushed an
update to the draft-PR</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt">From:</span></b><span
style="font-size:11.0pt"> Cscwg-public
&lt;<a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public-bounces@cabforum.org</a>&gt;
<b>On Behalf Of </b>Dimitris
Zacharopoulos (HARICA) via Cscwg-public<br>
<b>Sent:</b> Friday, 23 September 2022
18:47<br>
<b>To:</b> <a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public]
Proposal to make changes to revocation
based on malware</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt">I posted some
proposed changes for consistency and
accuracy.<o:p></o:p></span></p>
<ol type="1" start="1">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4
level1 lfo3">
<span style="font-size:11.0pt"><a
href="https://github.com/cabforum/code-signing/pull/10#pullrequestreview-1118760785"
moz-do-not-send="true">https://github.com/cabforum/code-signing/pull/10#pullrequestreview-1118760785</a><o:p></o:p></span></li>
</ol>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><span
style="font-size:11.0pt"><br>
Thanks,<br>
Dimitris.<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt">On 23/9/2022 3:55
μ.μ., Bruce Morton via Cscwg-public wrote:<o:p></o:p></span></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt">Hi Martijn,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">I will endorse
the ballot.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">Thanks, Bruce.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid
#E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt">From:</span></b><span
style="font-size:11.0pt"> Cscwg-public
<a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true">&lt;cscwg-public-bounces@cabforum.org&gt;</a>
<b>On Behalf Of </b>Martijn Katerbarg
via Cscwg-public<br>
<b>Sent:</b> Friday, September 23,
2022 3:44 AM<br>
<b>To:</b> <a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] Re:
[Cscwg-public] Proposal to make
changes to revocation based on malware<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<div class="MsoNormal"
style="text-align:center" align="center"><span
style="font-size:11.0pt">
<hr width="44%" size="1" align="center">
</span></div>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">All,</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">As
discussed on yesterday’s call, the latest
changes which Tim and I were discussing
are pushed into Github.
</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">The
complete change can be found at
<a
href="https://github.com/cabforum/code-signing/pull/10/files"
moz-do-not-send="true">
https://github.com/cabforum/code-signing/pull/10/files</a> for review.</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">Bruce,
Ian, since I earlier had your
endorsements, please let me know if they
still stand. The changes since the
endorsements are captured in
<a
href="https://github.com/cabforum/code-signing/pull/10/commits/90fa38ab4dc5e5f9b25fce844b750d693f7256b7"
moz-do-not-send="true">
https://github.com/cabforum/code-signing/pull/10/commits/90fa38ab4dc5e5f9b25fce844b750d693f7256b7</a></span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">If
there are no other comments, then
hopefully we can start a ballot process on
this.</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><br>
Regards,</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">Martijn</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid
#E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt">From:</span></b><span
style="font-size:11.0pt"> Cscwg-public
&lt;<a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public-bounces@cabforum.org</a>&gt;
<b>On Behalf Of </b>Martijn Katerbarg
via Cscwg-public<br>
<b>Sent:</b> Tuesday, 19 July 2022
09:22<br>
<b>To:</b> Tim Hollebeek &lt;<a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">tim.hollebeek@digicert.com</a>&gt;;
<a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public]
Proposal to make changes to revocation
based on malware<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt">Thanks Tim,<o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-left:.5in;text-indent:-.25in"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<ol style="margin-top:0in" type="1"
start="1">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l2
level1 lfo4"><span
style="font-size:11.0pt">What is the
motivation for allowing a waiver if
approved by just “at least one” of the
stakeholders, instead of all of them?<o:p></o:p></span></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l2
level1 lfo4"><span
style="font-size:11.0pt">I’m a bit
concerned that language might be
increasingly troublesome as we
continue to expand the scope and
participation of this group.<o:p></o:p></span></li>
</ol>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">I believe it
might be difficult to get approval from
all stakeholders within a certain amount
of time, meaning the CA would possibly
never get all approvals, and never be
able to utilize the waiver.
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">Considering
that signed code is often (but not
exclusively) targeted for a specific
platform, stakeholders of other
platforms might not be inclined to give
approval for something that does not
even affect them. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">I do share your
concern, but I also don’t see a better
path towards the same goal.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<ol style="margin-top:0in" type="1"
start="3">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l2
level1 lfo4"><span
style="font-size:11.0pt">Similarly,
I’m unsure how I feel about making
compliance distinctions based on
whether a particular root program has
decided to have a contractual
relationship with its issuers or not.
That seems like an implementation
detail of the relationship that the
guidelines should remain silent on.
But I appreciate what that definition
is intended to do, and would like to
perhaps find a different way to
express the same intent.<o:p></o:p></span></li>
</ol>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">Good
point, and maybe the word “contract” is
too much here?</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">Although
I would note this language is already
part of the “Certificate Beneficiaries”
definition right now.</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">I’m
open for a different suggestion
</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid
#E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt">From:</span></b><span
style="font-size:11.0pt"> Tim
Hollebeek &lt;<a
href="mailto:tim.hollebeek@digicert.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">tim.hollebeek@digicert.com</a>&gt;
<br>
<b>Sent:</b> Friday, 15 July 2022
18:18<br>
<b>To:</b> Martijn Katerbarg &lt;<a
href="mailto:martijn.katerbarg@sectigo.com" moz-do-not-send="true"
class="moz-txt-link-freetext">martijn.katerbarg@sectigo.com</a>&gt;;
<a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> RE: [Cscwg-public]
Proposal to make changes to
revocation based on malware<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt">What is the
motivation for allowing a waiver if
approved by just “at least one” of the
stakeholders, instead of all of them?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">I’m a bit
concerned that language might be
increasingly troublesome as we
continue to expand the scope and
participation of this group.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">Similarly,
I’m unsure how I feel about making
compliance distinctions based on
whether a particular root program has
decided to have a contractual
relationship with its issuers or not.
That seems like an implementation
detail of the relationship that the
guidelines should remain silent on.
But I appreciate what that definition
is intended to do, and would like to
perhaps find a different way to
express the same intent.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">-Tim<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<div style="border:none;border-left:solid
blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div
style="border:none;border-top:solid
#E1E1E1 1.0pt;padding:3.0pt 0in 0in
0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt">From:</span></b><span
style="font-size:11.0pt">
Cscwg-public &lt;<a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public-bounces@cabforum.org</a>&gt;
<b>On Behalf Of </b>Martijn
Katerbarg via Cscwg-public<br>
<b>Sent:</b> Monday, June 27,
2022 10:04 AM<br>
<b>To:</b> <a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [Cscwg-public]
Proposal to make changes to
revocation based on malware<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">All,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">As already
hinted during the last meeting
during the F2F, Ian and I have been
working on a proposal affecting the
guidelines regarding malware-based
revocation.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">The intent
of this change is to:<o:p></o:p></span></p>
<ol style="margin-top:0in" type="1"
start="1">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0
level1 lfo5"><span
style="font-size:11.0pt">Limit the
number of days before a
certificate needs to be revoked,
especially when the subscriber is
not responding to inquiries<o:p></o:p></span></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0
level1 lfo5"><span
style="font-size:11.0pt">Remove
the OCSP log analysis requirements<o:p></o:p></span></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0
level1 lfo5"><span
style="font-size:11.0pt">Simplify
the process that has to be
followed<o:p></o:p></span></li>
</ol>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">I have
attached 3 documents: one with the
current language, one with the
proposed language, as well as a
redlined version.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">The changes
have been made based on upcoming
version 3.0 of the CSCBRs. In case
you wish to compare with version
2.8, the relevant section is
13.1.5.3. Besides that section,
there is also a change to the
“Suspect Code” definition, as well
as a new definition in the proposal.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">Once <a
href="https://github.com/cabforum/code-signing/pull/6"
moz-do-not-send="true">
PR6</a> has been merged, I will
also prepare the changes in GIT for
those that prefer comparing there.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">Looking
forward to comments on this and moving
towards a potential ballot.<br>
<br>
Regards,<br>
<br>
Martijn<o:p></o:p></span></p>
</div>
</div>
</div>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Cscwg-public mailing list<o:p></o:p></pre>
<pre><a href="mailto:Cscwg-public@cabforum.org" moz-do-not-send="true" class="moz-txt-link-freetext">Cscwg-public@cabforum.org</a><o:p></o:p></pre>
<pre><a href="https://lists.cabforum.org/mailman/listinfo/cscwg-public" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a><o:p></o:p></pre>
</blockquote>
</div>
</div>
</blockquote>
</div>
</blockquote>
</blockquote>
</div>
</div>
</div>
</blockquote>
<br>
</body>
</html>