<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=gb2312">

</head>

<body>

<div dir="auto">Sounds excellent!</div>

<div id="ms-outlook-mobile-signature" dir="auto">

<div><br>

</div>

</div>

<hr style="display:inline-block;width:98%" tabindex="-1">

<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Bruce Morton <Bruce.Morton@entrust.com><br>

<b>Sent:</b> Thursday, October 19, 2023 7:55:28 PM<br>

<b>To:</b> cscwg-public@cabforum.org <cscwg-public@cabforum.org>; Tim Hollebeek <tim.hollebeek@digicert.com>; Corey Bonnell <Corey.Bonnell@digicert.com>; Martijn Katerbarg <martijn.katerbarg@sectigo.com><br>

<b>Subject:</b> RE: Ballot CSC-21: Signing Service Update</font>

<div> </div>

</div>

<style>

<!--

@font-face

        {font-family:Wingdings}

@font-face

        {font-family:"Cambria Math"}

@font-face

        {font-family:DengXian}

@font-face

        {font-family:Calibri}

@font-face

        {}

@font-face

        {font-family:"MS PGothic"}

p.x_MsoNormal, li.x_MsoNormal, div.x_MsoNormal

        {margin:0in;

        font-size:10.0pt;

        font-family:"Calibri",sans-serif}

a:link, span.x_MsoHyperlink

        {color:#0563C1;

        text-decoration:underline}

p.x_MsoListParagraph, li.x_MsoListParagraph, div.x_MsoListParagraph

        {margin-top:0in;

        margin-right:0in;

        margin-bottom:0in;

        margin-left:.5in;

        font-size:10.0pt;

        font-family:"Calibri",sans-serif}

p.x_null, li.x_null, div.x_null

        {margin-right:0in;

        margin-left:0in;

        font-size:10.0pt;

        font-family:"Calibri",sans-serif}

span.x_pl-mh

        {}

span.x_EmailStyle22

        {font-family:"Calibri",sans-serif;

        color:windowtext}

.x_MsoChpDefault

        {font-size:10.0pt}

@page WordSection1

        {margin:1.0in 1.0in 1.0in 1.0in}

div.x_WordSection1

        {}

ol

        {margin-bottom:0in}

ul

        {margin-bottom:0in}

-->

</style>

<div lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">

<p></p>

<div style="background-color:#FAFA03; width:100%; border-style:solid; border-color:#000000; border-width:1pt; padding:2pt; font-size:10pt; line-height:12pt; font-family:'Calibri'; color:Black; text-align:left">

<span style="color:000000">CAUTION:</span> This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</div>

<br>

<p></p>

<div>

<div class="x_WordSection1">

<p class="x_MsoNormal"><span style="font-size:11.0pt">Hi Martijn,</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">We discussed the Signing Service definitions and this is what is proposed, “An organization that generates the Key Pair and securely manages the Private Key associated with a Code Signing Certificate, on

 behalf of a Subscriber.”</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">Does this work for you?</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">Thanks, Bruce.</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<div>

<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">

<p class="x_MsoNormal"><b><span style="font-size:11.0pt">From:</span></b><span style="font-size:11.0pt"> Cscwg-public <cscwg-public-bounces@cabforum.org>

<b>On Behalf Of </b>Bruce Morton via Cscwg-public<br>

<b>Sent:</b> Tuesday, October 17, 2023 4:49 PM<br>

<b>To:</b> Tim Hollebeek <tim.hollebeek@digicert.com>; Corey Bonnell <Corey.Bonnell@digicert.com>; cscwg-public@cabforum.org; Martijn Katerbarg <martijn.katerbarg@sectigo.com><br>

<b>Subject:</b> [EXTERNAL] Re: [Cscwg-public] Ballot CSC-21: Signing Service Update</span></p>

</div>

</div>

<p class="x_MsoNormal"> </p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">So I think the allowance is that an entity which operates a CA can use the its Signing Service to generate the its Subscriber keys. Do we need to update the definition? Or put is an note? Or leave as is?</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">We might be over-churning on this definition. What if a third party operates a Signing Service and issues itself key for Code Signing certificates. Same problem.</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">I do think that a definition is a short-cut and not a requirement. Our intention of the BRs is to provide requirements for a Signing Service. The intention of the short-cut Signing Service definition was

 just to say that it is an organization which securely generates and manages the key pair on behalf of a Subscriber. An entity or organization can fill more than one role. As such, the original proposed definition might be OK.</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">Bruce.</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<div>

<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">

<p class="x_MsoNormal"><b><span style="font-size:11.0pt">From:</span></b><span style="font-size:11.0pt"> Tim Hollebeek <</span><a href="mailto:tim.hollebeek@digicert.com"><span style="font-size:11.0pt">tim.hollebeek@digicert.com</span></a><span style="font-size:11.0pt">>

<br>

<b>Sent:</b> Tuesday, October 17, 2023 3:45 PM<br>

<b>To:</b> Corey Bonnell <</span><a href="mailto:Corey.Bonnell@digicert.com"><span style="font-size:11.0pt">Corey.Bonnell@digicert.com</span></a><span style="font-size:11.0pt">>;

</span><a href="mailto:cscwg-public@cabforum.org"><span style="font-size:11.0pt">cscwg-public@cabforum.org</span></a><span style="font-size:11.0pt">; Bruce Morton <</span><a href="mailto:Bruce.Morton@entrust.com"><span style="font-size:11.0pt">Bruce.Morton@entrust.com</span></a><span style="font-size:11.0pt">>;

 Martijn Katerbarg <</span><a href="mailto:martijn.katerbarg@sectigo.com"><span style="font-size:11.0pt">martijn.katerbarg@sectigo.com</span></a><span style="font-size:11.0pt">><br>

<b>Subject:</b> [EXTERNAL] RE: Ballot CSC-21: Signing Service Update</span></p>

</div>

</div>

<p class="x_MsoNormal"> </p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">I think these are good clarifications.  I think it’s important to make sure the definition of Signing Service accurately encompasses the cases where a Subscriber is relying on the CA to provide key generation

 and protection, but doesn’t accidentally pull anything inappropriate else into scope.</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">If the definition and scope are not properly defined, it is almost inevitable that some existing or future requirement will have unexpected and damaging consequences.</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">-Tim</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<div style="border:none; border-left:solid blue 1.5pt; padding:0in 0in 0in 4.0pt">

<div>

<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">

<p class="x_MsoNormal"><b><span style="font-size:11.0pt">From:</span></b><span style="font-size:11.0pt"> Cscwg-public <</span><a href="mailto:cscwg-public-bounces@cabforum.org"><span style="font-size:11.0pt">cscwg-public-bounces@cabforum.org</span></a><span style="font-size:11.0pt">>

<b>On Behalf Of </b>Corey Bonnell via Cscwg-public<br>

<b>Sent:</b> Tuesday, October 17, 2023 12:34 PM<br>

<b>To:</b> Bruce Morton <</span><a href="mailto:bruce.morton@entrust.com"><span style="font-size:11.0pt">bruce.morton@entrust.com</span></a><span style="font-size:11.0pt">>; Martijn Katerbarg <</span><a href="mailto:martijn.katerbarg@sectigo.com"><span style="font-size:11.0pt">martijn.katerbarg@sectigo.com</span></a><span style="font-size:11.0pt">>;

</span><a href="mailto:cscwg-public@cabforum.org"><span style="font-size:11.0pt">cscwg-public@cabforum.org</span></a><span style="font-size:11.0pt"><br>

<b>Subject:</b> Re: [Cscwg-public] Ballot CSC-21: Signing Service Update</span></p>

</div>

</div>

<p class="x_MsoNormal"> </p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">Hi Bruce,</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">I agree the current definition of Signing Service would encompass the CA’s own Subscriber keys. However, we are proposing to amend the definition to:</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">“An organization other than the Subscriber or any of its Affiliates, that generates the Key Pair and securely manages the Private Key associated with a Subscriber's Code Signing Certificate”. Under this

 definition, the CA’s own Signing Service would not qualify as a Signing Service for its own Subscriber key pairs.</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">Thanks,</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">Corey</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<div>

<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">

<p class="x_MsoNormal"><b><span style="font-size:11.0pt">From:</span></b><span style="font-size:11.0pt"> Bruce Morton <</span><a href="mailto:Bruce.Morton@entrust.com"><span style="font-size:11.0pt">Bruce.Morton@entrust.com</span></a><span style="font-size:11.0pt">>

<br>

<b>Sent:</b> Tuesday, October 17, 2023 3:27 PM<br>

<b>To:</b> Corey Bonnell <</span><a href="mailto:Corey.Bonnell@digicert.com"><span style="font-size:11.0pt">Corey.Bonnell@digicert.com</span></a><span style="font-size:11.0pt">>; Martijn Katerbarg <</span><a href="mailto:martijn.katerbarg@sectigo.com"><span style="font-size:11.0pt">martijn.katerbarg@sectigo.com</span></a><span style="font-size:11.0pt">>;

</span><a href="mailto:cscwg-public@cabforum.org"><span style="font-size:11.0pt">cscwg-public@cabforum.org</span></a><span style="font-size:11.0pt"><br>

<b>Subject:</b> RE: Ballot CSC-21: Signing Service Update</span></p>

</div>

</div>

<p class="x_MsoNormal"> </p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">Hi Corey,</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">Can you please elaborate why you have the concern?

</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">My first take is an example where a Signing Service must use FIPS 140-2 Level 3 and the Subscriber must use minimum Level 2. So if the Subscriber key was generated by the Signing Service, then Level 3 would

 apply. I don’t see a conflict as both requirements are met. </span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">I guess I am not understanding why the Signing Service requirements would not apply even if the CA was using the Signing Service for its Subscriber’s keys.</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">Thanks, Bruce.</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<div>

<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">

<p class="x_MsoNormal"><b><span style="font-size:11.0pt">From:</span></b><span style="font-size:11.0pt"> Corey Bonnell <</span><a href="mailto:Corey.Bonnell@digicert.com"><span style="font-size:11.0pt">Corey.Bonnell@digicert.com</span></a><span style="font-size:11.0pt">>

<br>

<b>Sent:</b> Tuesday, October 17, 2023 3:06 PM<br>

<b>To:</b> Martijn Katerbarg <</span><a href="mailto:martijn.katerbarg@sectigo.com"><span style="font-size:11.0pt">martijn.katerbarg@sectigo.com</span></a><span style="font-size:11.0pt">>;

</span><a href="mailto:cscwg-public@cabforum.org"><span style="font-size:11.0pt">cscwg-public@cabforum.org</span></a><span style="font-size:11.0pt">; Bruce Morton <</span><a href="mailto:Bruce.Morton@entrust.com"><span style="font-size:11.0pt">Bruce.Morton@entrust.com</span></a><span style="font-size:11.0pt">><br>

<b>Subject:</b> [EXTERNAL] RE: Ballot CSC-21: Signing Service Update</span></p>

</div>

</div>

<p class="x_MsoNormal"> </p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">In the case where the CA is generating its own Key Pairs to issue itself code signing certificates, their obligations for key protection would be outlined in the sections pertaining to Subscriber Key Pair

 protection, even if the Private Key so happens to reside in a Signing Service that they run. I think this is fine but want to ensure there’s agreement on this interpretation.</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">Thoughts?</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">Thanks,</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">Corey</span></p>

<div>

<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">

<p class="x_MsoNormal"><b><span style="font-size:11.0pt">From:</span></b><span style="font-size:11.0pt"> Cscwg-public <</span><a href="mailto:cscwg-public-bounces@cabforum.org"><span style="font-size:11.0pt">cscwg-public-bounces@cabforum.org</span></a><span style="font-size:11.0pt">>

<b>On Behalf Of </b>Martijn Katerbarg via Cscwg-public<br>

<b>Sent:</b> Friday, October 13, 2023 9:17 AM<br>

<b>To:</b> Bruce Morton <</span><a href="mailto:bruce.morton@entrust.com"><span style="font-size:11.0pt">bruce.morton@entrust.com</span></a><span style="font-size:11.0pt">>;

</span><a href="mailto:cscwg-public@cabforum.org"><span style="font-size:11.0pt">cscwg-public@cabforum.org</span></a><span style="font-size:11.0pt"><br>

<b>Subject:</b> Re: [Cscwg-public] Ballot CSC-21: Signing Service Update</span></p>

</div>

</div>

<p class="x_MsoNormal"> </p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">Hi Bruce,</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">I have a concern with the “Signing Service” definition:</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">“**Signing Service**: An organization that generates the Key Pair and securely manages the Private Key associated with a Subscriber's Code Signing Certificate.”</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">For subscribers that generate their own private keys and use these for signing (i.e., they manage them) I’m inclined to say that this would define them as a Signing Service.</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">Should we reword this to “An organization other than the Subscriber or any of its Affiliates, that generates the Key Pair and securely manages the Private Key associated with a Subscriber's Code Signing

 Certificate”?</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">Regards,<br>

<br>

Martijn</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<div id="x_mail-editor-reference-message-container">

<div>

<div style="border:none; border-top:solid #B5C4DF 1.0pt; padding:3.0pt 0in 0in 0in">

<p class="x_MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt; color:black">From:

</span></b><span style="font-size:12.0pt; color:black">Cscwg-public <</span><a href="mailto:cscwg-public-bounces@cabforum.org"><span style="font-size:12.0pt">cscwg-public-bounces@cabforum.org</span></a><span style="font-size:12.0pt; color:black">> on behalf

 of Bruce Morton via Cscwg-public <</span><a href="mailto:cscwg-public@cabforum.org"><span style="font-size:12.0pt">cscwg-public@cabforum.org</span></a><span style="font-size:12.0pt; color:black">><br>

<b>Date: </b>Thursday, 12 October 2023 at 21:59<br>

<b>To: </b></span><a href="mailto:cscwg-public@cabforum.org"><span style="font-size:12.0pt">cscwg-public@cabforum.org</span></a><span style="font-size:12.0pt; color:black"> <</span><a href="mailto:cscwg-public@cabforum.org"><span style="font-size:12.0pt">cscwg-public@cabforum.org</span></a><span style="font-size:12.0pt; color:black">><br>

<b>Subject: </b>[Cscwg-public] Ballot CSC-21: Signing Service Update</span></p>

</div>

<div style="border:solid black 1.0pt; padding:2.0pt 2.0pt 2.0pt 2.0pt">

<p class="x_MsoNormal" style="line-height:12.0pt; background:#FAFA03"><span style="color:black">CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span></p>

</div>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<div>

<p style="margin:0in"><b><span style="font-size:13.5pt; font-family:"Arial",sans-serif; color:black">Purpose of the Ballot</span></b></p>

<p class="x_MsoNormal" id="x_bkmrk-this-ballot-updates-"><span style="font-size:11.0pt">This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates“ version 3.4 in order to clarify language regarding

 Signing Service and signing requests. The main goals of this ballot are to:</span></p>

<ol start="1" type="1" id="x_bkmrk-remove-dependencies-">

<li class="x_null" style=""><span class="x_pl-mh"><span style="font-size:11.0pt">Clarify the Signing Service definition and the expected deployment model.</span></span></li><li class="x_null" style=""><span class="x_pl-mh"><span style="font-size:11.0pt">Remove requirements for signing request.</span></span></li><li class="x_null" style=""><span class="x_pl-mh"><span style="font-size:11.0pt">Change text so Signing Service is not categorized as a Delegated Third Party.</span></span></li><li class="x_null" style=""><span class="x_pl-mh"><span style="font-size:11.0pt">Not allow Signing Service to transport Private Key to Subscriber.</span></span></li><li class="x_null" style=""><span class="x_pl-mh"><span style="font-size:11.0pt">Ensure Network Security Requirements are applicable to Signing Service.</span></span></li><li class="x_null" style=""><span class="x_pl-mh"><span style="font-size:11.0pt">State audit requirements for Signing Service.</span></span></li></ol>

<p class="x_MsoNormal"><span style="font-size:11.0pt">The following motion has been proposed by Bruce Morton of Entrust and endorsed by Tim Hollebeek of DigiCert and Ian McMillan.</span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p style="margin:0in"><b><span style="font-size:13.5pt; font-family:"Arial",sans-serif; color:#0E101A">MOTION BEGINS</span></b></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates” ("Code Signing Baseline Requirements") based on version 3.4. MODIFY the Code

 Signing Baseline Requirements as specified in the following redline: </span><a href="https://url.avanan.click/v2/___https:/urldefense.com/v3/__https:/github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866__;!!FJ-Y8qCqXTj2!ai_SiHTiSodTE_VWwZi8Z8QT_M2lCkP6nJYlFupqIB2vMo07Rcbx2E0bKw4GyZ1-pOj0h-PvD9Z5okpQ_IY$___.YXAzOmRpZ2ljZXJ0OmE6bzpiZjFlN2QwMWExMzg3MTlkZjRjMGM1ZTcyOGQwMzk5Nzo2Ojk3ZGE6MjI3ZTJmZTM1NjM2OTBlOGU0ZDIyMzAwZDYyNTc0YjY4NzM0OTEzM2FiZWU0ZDhhMTNhMDMxNmI4ZDBlMDA2MjpoOkY" originalsrc="https://url.avanan.click/v2/___https:/urldefense.com/v3/__https:/github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866__;!!FJ-Y8qCqXTj2!ai_SiHTiSodTE_VWwZi8Z8QT_M2lCkP6nJYlFupqIB2vMo07Rcbx2E0bKw4GyZ1-pOj0h-PvD9Z5okpQ_IY$___.YXAzOmRpZ2ljZXJ0OmE6bzpiZjFlN2QwMWExMzg3MTlkZjRjMGM1ZTcyOGQwMzk5Nzo2Ojk3ZGE6MjI3ZTJmZTM1NjM2OTBlOGU0ZDIyMzAwZDYyNTc0YjY4NzM0OTEzM2FiZWU0ZDhhMTNhMDMxNmI4ZDBlMDA2MjpoOkY" shash="nZulafjGYp7BNBH52gBllDTgQCTovcVvZNGMxFQs+xNDg6oUU+A+0Vz2IzcAqAHXT1BkQAcQ2DDGz+vkxf4EDkEvz+tniAdRG21YDxu1jzhrpytzhY8wFKSgwBiQnnezGDGPpfUH1ZhAadio0N4fWCEg8SwjqPKeBBJ5zP8wtvY=" title="Protected by Avanan: https://urldefense.com/v3/__https:/github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866__;!!FJ-Y8qCqXTj2!ai_SiHTiSodTE_VWwZi8Z8QT_M2lCkP6nJYlFupqIB2vMo07Rcbx2E0bKw"><span style="font-size:11.0pt">https://github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866</span></a></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt"> </span></p>

<p style="margin:0in"><b><span style="font-size:13.5pt; font-family:"Arial",sans-serif; color:#0E101A">MOTION ENDS</span></b></p>

<p class="x_MsoNormal"><span style="font-size:11.0pt">The procedure for this ballot is as follows:</span> Discussion (7 days)</p>

<p class="x_MsoNormal"> </p>

<p class="x_MsoListParagraph" style="margin-left:52.2pt; text-indent:-34.2pt"><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">                

</span></span></span>Start Time: 2023-10-12 20:00 UTC</p>

<p class="x_MsoListParagraph" style="margin-left:52.2pt; text-indent:-34.2pt"><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">                

</span></span></span>End Time: Not before 2023-10-19 20:00 UTC</p>

<p class="x_MsoNormal"> </p>

<p class="x_MsoNormal">Vote for approval (7 days)</p>

<p class="x_MsoNormal"> </p>

<p class="x_MsoListParagraph" style="margin-left:52.2pt; text-indent:-34.2pt"><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">                

</span></span></span>Start Time: TBD</p>

<p class="x_MsoListParagraph" style="margin-right:0in; margin-bottom:12.0pt; margin-left:52.2pt; text-indent:-34.2pt">

<span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">                

</span></span></span>End Time: TBD</p>

</div>

</div>

</div>

</div>

</div>

<i>Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains.

<u>Please notify Entrust immediately and delete the message from your system.</u></i>

</div>

</div>

</body>

</html>