<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Aptos;
        panose-1:2 11 0 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        font-size:10.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
code
        {mso-style-priority:99;
        font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0cm;
        margin-right:0cm;
        margin-bottom:0cm;
        margin-left:36.0pt;
        font-size:10.0pt;
        font-family:"Calibri",sans-serif;}
span.EmailStyle22
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;
        mso-ligatures:none;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:333268965;
        mso-list-template-ids:-872671488;}
@list l0:level1
        {mso-level-tab-stop:36.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level2
        {mso-level-tab-stop:72.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level3
        {mso-level-tab-stop:108.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level4
        {mso-level-tab-stop:144.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level5
        {mso-level-tab-stop:180.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level6
        {mso-level-tab-stop:216.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level7
        {mso-level-tab-stop:252.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level8
        {mso-level-tab-stop:288.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level9
        {mso-level-tab-stop:324.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l1
        {mso-list-id:722412905;
        mso-list-template-ids:-322955392;}
@list l1:level1
        {mso-level-tab-stop:36.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l1:level2
        {mso-level-tab-stop:72.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l1:level3
        {mso-level-tab-stop:108.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l1:level4
        {mso-level-tab-stop:144.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l1:level5
        {mso-level-tab-stop:180.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l1:level6
        {mso-level-tab-stop:216.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l1:level7
        {mso-level-tab-stop:252.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l1:level8
        {mso-level-tab-stop:288.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l1:level9
        {mso-level-tab-stop:324.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l2
        {mso-list-id:1258946880;
        mso-list-template-ids:-872671488;}
@list l2:level1
        {mso-level-tab-stop:36.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l2:level2
        {mso-level-tab-stop:72.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l2:level3
        {mso-level-tab-stop:108.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l2:level4
        {mso-level-tab-stop:144.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l2:level5
        {mso-level-tab-stop:180.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l2:level6
        {mso-level-tab-stop:216.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l2:level7
        {mso-level-tab-stop:252.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l2:level8
        {mso-level-tab-stop:288.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l2:level9
        {mso-level-tab-stop:324.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l3
        {mso-list-id:1440030391;
        mso-list-type:hybrid;
        mso-list-template-ids:1145707436 1202913084 134807555 134807557 134807553 134807555 134807557 134807553 134807555 134807557;}
@list l3:level1
        {mso-level-start-at:2;
        mso-level-number-format:bullet;
        mso-level-text:-;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:"Calibri",sans-serif;
        mso-fareast-font-family:Calibri;}
@list l3:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:"Courier New";}
@list l3:level3
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:Wingdings;}
@list l3:level4
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:Symbol;}
@list l3:level5
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:"Courier New";}
@list l3:level6
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:Wingdings;}
@list l3:level7
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:Symbol;}
@list l3:level8
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:"Courier New";}
@list l3:level9
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:Wingdings;}
ol
        {margin-bottom:0cm;}
ul
        {margin-bottom:0cm;}
--></style></head><body lang=en-SE link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:EN-US'>Hey Bruce,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:EN-US'>You’re pretty much taking the proposed language in my head and putting it on paper </span><span lang=EN-US style='font-size:11.0pt;font-family:"Apple Color Emoji";mso-fareast-language:EN-US'>😊</span><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:EN-US'>. Same for the listing above, for Code Signing CA Certificates.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:EN-US'>Do we think a separate ballot is more appropriate for this?  
It’d be a minor one; then again, there’s no shortage of ballot numbers to use.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:EN-US'>Regards,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:EN-US'><br>Martijn<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div id=mail-editor-reference-message-container><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='margin-bottom:12.0pt'><b><span lang=EN-US style='font-size:12.0pt;font-family:"Aptos",sans-serif;color:black'>From: </span></b><span lang=EN-US style='font-size:12.0pt;font-family:"Aptos",sans-serif;color:black'>Bruce Morton <Bruce.Morton@entrust.com><br><b>Date: </b>Wednesday, 22 November 2023 at 18:03<br><b>To: </b>Martijn Katerbarg <martijn.katerbarg@sectigo.com>, cscwg-public@cabforum.org <cscwg-public@cabforum.org><br><b>Subject: </b>RE: MUST overridden by a MAY - Subordinate CA policies<o:p></o:p></span></p></div><div style='border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='line-height:12.0pt;background:#FAFA03'><span lang=EN-US style='color:black'>CAUTION: This email originated from outside of the organization. 
Do not click links or open attachments unless you recognize the sender and know the content is safe.<o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt'><o:p> </o:p></span></p><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:ZH-CN'>Hi Martijn,</span><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:ZH-CN'> </span><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:ZH-CN'>I agree that the language needs improvement. It might be better if the requirement was:</span><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:ZH-CN'> </span><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:ZH-CN'>A Certificate issued after 31 March 2022 to a Subordinate CA that issues Timestamp Certificates and is an Affiliate of the Issuing CA MUST include one of the following:</span><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><ol style='margin-top:0cm' start=1 type=1><li class=MsoNormal style='mso-list:l0 level1 lfo1'><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:ZH-CN'>The CA/Browser Forum reserved identifier </span><span 
lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>(2.23.140.1.4.2)</span><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:ZH-CN'> to indicate the Subordinate CA’s compliance with these Requirements; OR</span><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></li><li class=MsoNormal style='mso-list:l0 level1 lfo1'><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:ZH-CN'>The “anyPolicy” identifier (2.5.29.32.0).</span><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></li></ol><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:ZH-CN'> </span><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:ZH-CN'>Does that work? If so, then maybe we should also clean up the whole section. 
Also, we might also consider deleting “to indicate the Subordinate CA’s compliance with these Requirements”.</span><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:ZH-CN'> </span><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:ZH-CN'> </span><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:ZH-CN'>Thanks, Bruce.</span><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:ZH-CN'> </span><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:ZH-CN'>From:</span></b><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:ZH-CN'> Cscwg-public <cscwg-public-bounces@cabforum.org> <b>On Behalf Of </b>Martijn Katerbarg via Cscwg-public<br><b>Sent:</b> Wednesday, November 22, 2023 11:07 AM<br><b>To:</b> cscwg-public@cabforum.org<br><b>Subject:</b> [EXTERNAL] [Cscwg-public] MUST overridden by a MAY - Subordinate CA policies</span><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US 
style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'> <o:p></o:p></span></p><p class=MsoNormal><span lang=SV style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>All,</span><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal><span lang=SV style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'> </span><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><p class=MsoNormal><span lang=SV style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>CSBR section 7.1.6.3 states:</span><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'><o:p></o:p></span></p><p><span lang=EN-US>”A Certificate issued to a Subordinate CA that issues Code Signing Certificates and is an Affiliate of the Issuing CA:<o:p></o:p></span></p><ol start=1 type=1><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo2'><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>MUST include the CA/Browser Forum reserved identifier specified in <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fcode-signing%2Fblob%2Fmain%2Fdocs%2FCSBR.md%237161-reserved-certificate-policy-identifiers&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7Cb60ee174d3db4d5f89fe08dbeb7cee4d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638362694042639601%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=m4fi%2Bly55B%2FLb4V%2FQA6%2BrqSwF%2F6WnA89gQcdx7jaeuY%3D&reserved=0">Section 7.1.6.1</a> to indicate the Subordinate CA's compliance with these Requirements, and<o:p></o:p></span></li><li class=MsoNormal 
style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo2'><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>MAY contain the "anyPolicy" identifier (</span><code><span lang=EN-US style='mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>2.5.29.32.0</span></code><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>) in place of an explicit policy identifier.<o:p></o:p></span></li></ol><p><span lang=EN-US>A Certificate issued after 31 March 2022 to a Subordinate CA that issues Timestamp Certificates and is an Affiliate of the Issuing CA:<o:p></o:p></span></p><ol start=1 type=1><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo3'><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>MUST include the CA/Browser Forum reserved identifier specified in <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fcode-signing%2Fblob%2Fmain%2Fdocs%2FCSBR.md%237161-reserved-certificate-policy-identifiers&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7Cb60ee174d3db4d5f89fe08dbeb7cee4d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638362694042639601%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=m4fi%2Bly55B%2FLb4V%2FQA6%2BrqSwF%2F6WnA89gQcdx7jaeuY%3D&reserved=0">Section 7.1.6.1</a> to indicate the Subordinate CA’s compliance with these Requirements, and<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo3'><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>MAY contain the “anyPolicy” identifier (</span><code><span lang=EN-US style='mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>2.5.29.32.0</span></code><span 
lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>) in place of an explicit policy identifier.”<o:p></o:p></span></li></ol><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>I find there are a few issues with this:<o:p></o:p></span></p><ul type=disc><li class=MsoListParagraph style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0cm;mso-list:l3 level1 lfo4'><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>“MUST include the CA/Browser Forum reserved identifier specified in <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fcode-signing%2Fblob%2Fmain%2Fdocs%2FCSBR.md%237161-reserved-certificate-policy-identifiers&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7Cb60ee174d3db4d5f89fe08dbeb7cee4d%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638362694042639601%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=m4fi%2Bly55B%2FLb4V%2FQA6%2BrqSwF%2F6WnA89gQcdx7jaeuY%3D&reserved=0">Section 7.1.6.1</a>”, seems to state there’s only one policy OID to use, while in fact there are 3 in the named section, 2 of which are for code signing certificates. This is a minor issue though and could be fixed in a cleanup ballot.<o:p></o:p></span></li><li class=MsoListParagraph style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0cm;mso-list:l3 level1 lfo4'><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>More concerning, I find, is the MUST and MAY language. If we take the language related to CA Certificates for Code Signing Certificates, what does this language actually state? 
Should this be interpreted as:<o:p></o:p></span></li></ul><ul type=disc><ul type=circle><li class=MsoListParagraph style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0cm;mso-list:l3 level2 lfo4'><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>MUST include a CABF OID and MAY additionally contain the “anyPolicy” OID.<br>or does it state:<o:p></o:p></span></li><li class=MsoListParagraph style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0cm;mso-list:l3 level2 lfo4'><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>MUST include either a CABF OID or the “anyPolicy” OID?<o:p></o:p></span></li></ul></ul><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>I would like to think the intent here is to allow CA Certificates with just the “anyPolicy” OID, but at the same time, a MAY overriding a MUST, seems counterproductive.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>Any thoughts on this?<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US'>Regards,<br><br>Martijn<o:p></o:p></span></p><p class=MsoNormal><i><span lang=EN-US style='font-size:11.0pt'>Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. 
<u>Please notify Entrust immediately and delete the message from your system.</u></span></i><span lang=EN-US style='font-size:11.0pt'> <o:p></o:p></span></p></div></div></div></div></body></html>