<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt'>I think a separate ballot is required. An alternative would be a cleanup ballot, but I am not sure we have much content for a cleanup ballot.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Also, this information is missing from <a href="https://cabforum.org/object-registry/">https://cabforum.org/object-registry/</a>: codesigning-requirements(4) timestamping(2) — 2.23.140.1.4.2 (Timestamp Certificate issued in compliance with the Code Signing Baseline Requirements). Who can update this page?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Thanks, Bruce.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt'>From:</span></b><span style='font-size:11.0pt'> Martijn Katerbarg &lt;martijn.katerbarg@sectigo.com&gt; <br><b>Sent:</b> Wednesday, November 22, 2023 1:01 PM<br><b>To:</b> Bruce Morton &lt;Bruce.Morton@entrust.com&gt;; cscwg-public@cabforum.org<br><b>Subject:</b> [EXTERNAL] Re: MUST overridden by a MAY - Subordinate CA policies<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'>Hey Bruce,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'>You’re pretty much taking the proposed language in my head and putting it on 
paper </span><span style='font-size:11.0pt;font-family:"Segoe UI Emoji",sans-serif;mso-fareast-language:EN-US'>😊</span><span style='font-size:11.0pt;mso-fareast-language:EN-US'>. Same for the listing above, for Code Signing CA Certificates.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'>Do we think a separate ballot is more appropriate for this? It’d be a minor one, then again, there’s no shortage of ballot numbers to use.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'>Regards,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'><br>Martijn<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div id=mail-editor-reference-message-container><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='font-size:12.0pt;font-family:"Aptos",sans-serif;color:black'>From: </span></b><span style='font-size:12.0pt;font-family:"Aptos",sans-serif;color:black'>Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>><br><b>Date: </b>Wednesday, 22 November 2023 at 18:03<br><b>To: </b>Martijn Katerbarg <<a href="mailto:martijn.katerbarg@sectigo.com">martijn.katerbarg@sectigo.com</a>>, <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a> <<a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>><br><b>Subject: </b>RE: MUST overridden by a MAY - Subordinate CA policies<o:p></o:p></span></p></div>
<p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>Hi Martijn,</span><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>I agree that the language needs improvement. It might be better if the requirement was:</span><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>A Certificate issued after 31 March 2022 to a Subordinate CA that issues Timestamp Certificates and is an Affiliate of the Issuing CA MUST include one of the following:</span><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><ol style='margin-top:0in' start=1 type=1><li class=MsoNormal style='mso-list:l0 level1 lfo1'><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>The CA/Browser Forum reserved identifier </span><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>(2.23.140.1.4.2)</span><span 
style='font-size:11.0pt;mso-ligatures:standardcontextual'> to indicate the Subordinate CA’s compliance with these Requirements; OR</span><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></li><li class=MsoNormal style='mso-list:l0 level1 lfo1'><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>The “anyPolicy” identifier (2.5.29.32.0).</span><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></li></ol><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>Does that work? If so, then maybe we should also clean up the whole section. Also, we might also consider deleting “to indicate the Subordinate CA’s compliance with these Requirements”.</span><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'>Thanks, Bruce.</span><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual'> </span><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><div><div style='border:none;border-top:solid 
#E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt'>From:</span></b><span style='font-size:11.0pt'> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org">cscwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b>Martijn Katerbarg via Cscwg-public<br><b>Sent:</b> Wednesday, November 22, 2023 11:07 AM<br><b>To:</b> <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> [EXTERNAL] [Cscwg-public] MUST overridden by a MAY - Subordinate CA policies</span><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p></div></div><p class=MsoNormal><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'> <o:p></o:p></span></p><p class=MsoNormal><span lang=SV style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>All,</span><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal><span lang=SV style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'> </span><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal><span lang=SV style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>CSBR section 7.1.6.3 states:</span><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><p>”A Certificate issued to a Subordinate CA that issues Code Signing Certificates and is an Affiliate of the Issuing CA:<o:p></o:p></p><ol start=1 type=1><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo2'><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>MUST include the CA/Browser Forum reserved identifier specified in <a 
href="https://github.com/cabforum/code-signing/blob/main/docs/CSBR.md#7161-reserved-certificate-policy-identifiers">Section 7.1.6.1</a> to indicate the Subordinate CA's compliance with these Requirements, and<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo2'><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>MAY contain the "anyPolicy" identifier (</span><code><span style='mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>2.5.29.32.0</span></code><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>) in place of an explicit policy identifier.<o:p></o:p></span></li></ol><p>A Certificate issued after 31 March 2022 to a Subordinate CA that issues Timestamp Certificates and is an Affiliate of the Issuing CA:<o:p></o:p></p><ol start=1 type=1><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo3'><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>MUST include the CA/Browser Forum reserved identifier specified in <a 
href="https://github.com/cabforum/code-signing/blob/main/docs/CSBR.md#7161-reserved-certificate-policy-identifiers">Section 7.1.6.1</a> to indicate the Subordinate CA’s compliance with these Requirements, and<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo3'><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>MAY contain the “anyPolicy” identifier (</span><code><span style='mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>2.5.29.32.0</span></code><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>) in place of an explicit policy identifier.”<o:p></o:p></span></li></ol><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>I find there’s a few issues with this:<o:p></o:p></span></p><ul type=disc><li class=MsoListParagraph style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l3 level1 lfo4'><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>“MUST include the CA/Browser Forum reserved identifier specified in <a 
href="https://github.com/cabforum/code-signing/blob/main/docs/CSBR.md#7161-reserved-certificate-policy-identifiers">Section 7.1.6.1</a>”, seems to state there’s only one policy OID to use, while in fact there are 3 in the named section, 2 of which are for code signing certificates. This is a minor issue though and could be fixed in a cleanup ballot.<o:p></o:p></span></li><li class=MsoListParagraph style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l3 level1 lfo4'><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>More concerning I find the MUST and MAY language. If we take the language related to CA Certificates for Code Signing Certificates, what does this language actually state? 
Should this be interpreted as:<o:p></o:p></span></li></ul><ul type=disc><ul type=circle><li class=MsoListParagraph style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l3 level2 lfo4'><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>MUST include a CABF OID and MAY additionally contain the “anyPolicy” OID.<br>or does it state:<o:p></o:p></span></li><li class=MsoListParagraph style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l3 level2 lfo4'><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>MUST include either a CABF OID or the “anyPolicy” OID?<o:p></o:p></span></li></ul></ul><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>I would like to think the intent here is to allow CA Certificates with just the “anyPolicy” OID, but at the same time, a MAY overriding a MUST, seems counterproductive.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>Any thoughts on this?<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>Regards,<br><br>Martijn<o:p></o:p></span></p>
</div></div></div></div></body></html>