<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;
        mso-ligatures:standardcontextual;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
code
        {mso-style-priority:99;
        font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;
        mso-ligatures:standardcontextual;}
span.EmailStyle23
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;
        mso-ligatures:none;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:333268965;
        mso-list-template-ids:-872671488;}
@list l0:level1
        {mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level2
        {mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level3
        {mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level4
        {mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level5
        {mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level6
        {mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level7
        {mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level8
        {mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level9
        {mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1
        {mso-list-id:722412905;
        mso-list-template-ids:-322955392;}
@list l1:level1
        {mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level2
        {mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level3
        {mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level4
        {mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level5
        {mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level6
        {mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level7
        {mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level8
        {mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level9
        {mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2
        {mso-list-id:1258946880;
        mso-list-template-ids:-872671488;}
@list l2:level1
        {mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level2
        {mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level3
        {mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level4
        {mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level5
        {mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level6
        {mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level7
        {mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level8
        {mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level9
        {mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l3
        {mso-list-id:1440030391;
        mso-list-type:hybrid;
        mso-list-template-ids:1145707436 1202913084 134807555 134807557 134807553 134807555 134807557 134807553 134807555 134807557;}
@list l3:level1
        {mso-level-start-at:2;
        mso-level-number-format:bullet;
        mso-level-text:-;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Calibri",sans-serif;
        mso-fareast-font-family:Calibri;}
@list l3:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l3:level3
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l3:level4
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l3:level5
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l3:level6
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l3:level7
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;}
@list l3:level8
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l3:level9
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Wingdings;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>Yes, I like Bruce’s rewrite better.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Using MAY to describe exceptions to MUST is common in some standards (including the BRs in places), but strictly speaking it’s a violation of RFC 2119 and we should (MUST? <span style='font-family:"Segoe UI Emoji",sans-serif'>😊</span>) fix them when we find them.  “MUST do X and MAY do Y instead” is just wrong.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>A MUST requirement is an absolute requirement.  Providing a MAY for a replacement option introduces a contradiction, not an exception.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>-Tim<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='mso-ligatures:none'>From:</span></b><span style='mso-ligatures:none'> Cscwg-public <cscwg-public-bounces@cabforum.org> <b>On Behalf Of </b>Bruce Morton via Cscwg-public<br><b>Sent:</b> Wednesday, November 22, 2023 12:03 PM<br><b>To:</b> Martijn Katerbarg <martijn.katerbarg@sectigo.com>; cscwg-public@cabforum.org<br><b>Subject:</b> Re: [Cscwg-public] MUST overridden by a MAY - Subordinate CA policies<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='mso-fareast-language:ZH-CN'>Hi Martijn,<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:ZH-CN'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:ZH-CN'>I agree that the language needs improvement. 
It might be better if the requirement was:<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:ZH-CN'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:ZH-CN'>A Certificate issued after 31 March 2022 to a Subordinate CA that issues Timestamp Certificates and is an Affiliate of the Issuing CA MUST include one of the following:<o:p></o:p></span></p><ol style='margin-top:0in' start=1 type=1><li class=MsoNormal style='mso-list:l0 level1 lfo1'><span style='mso-fareast-language:ZH-CN'>The CA/Browser Forum reserved identifier </span>(2.23.140.1.4.2)<span style='mso-fareast-language:ZH-CN'> to indicate the Subordinate CA’s compliance with these Requirements; OR<o:p></o:p></span></li><li class=MsoNormal style='mso-list:l0 level1 lfo1'><span style='mso-fareast-language:ZH-CN'>The “anyPolicy” identifier (2.5.29.32.0).<o:p></o:p></span></li></ol><p class=MsoNormal><span style='mso-fareast-language:ZH-CN'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:ZH-CN'>Does that work? If so, then maybe we should also clean up the whole section. 
Also, we might consider deleting “to indicate the Subordinate CA’s compliance with these Requirements”.<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:ZH-CN'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:ZH-CN'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:ZH-CN'>Thanks, Bruce.<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:ZH-CN'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='mso-ligatures:none;mso-fareast-language:ZH-CN'>From:</span></b><span style='mso-ligatures:none;mso-fareast-language:ZH-CN'> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org">cscwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b>Martijn Katerbarg via Cscwg-public<br><b>Sent:</b> Wednesday, November 22, 2023 11:07 AM<br><b>To:</b> <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> [Cscwg-public] MUST overridden by a MAY - Subordinate CA policies<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span lang=SV>All,<o:p></o:p></span></p><p class=MsoNormal><span lang=SV><o:p> </o:p></span></p><p class=MsoNormal><span lang=SV>CSBR section 7.1.6.3 states:<o:p></o:p></span></p><p>“A Certificate issued to a Subordinate CA that issues Code Signing Certificates and is an Affiliate of the Issuing CA:<o:p></o:p></p><ol start=1 type=1><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo2'>MUST include the CA/Browser Forum reserved identifier specified in <a 
href="https://github.com/cabforum/code-signing/blob/main/docs/CSBR.md#7161-reserved-certificate-policy-identifiers">Section 7.1.6.1</a> to indicate the Subordinate CA’s compliance with these Requirements, and<o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo2'>MAY contain the “anyPolicy” identifier (<code><span style='font-size:10.0pt'>2.5.29.32.0</span></code>) in place of an explicit policy identifier.<o:p></o:p></li></ol><p>A Certificate issued after 31 March 2022 to a Subordinate CA that issues Timestamp Certificates and is an Affiliate of the Issuing CA:<o:p></o:p></p><ol start=1 type=1><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo3'>MUST include the CA/Browser Forum reserved identifier specified in <a href="https://github.com/cabforum/code-signing/blob/main/docs/CSBR.md#7161-reserved-certificate-policy-identifiers">Section 7.1.6.1</a> to indicate the Subordinate CA’s compliance with these Requirements, and<o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo3'>MAY contain the “anyPolicy” identifier (<code><span style='font-size:10.0pt'>2.5.29.32.0</span></code>) in place of an explicit policy 
identifier.”<o:p></o:p></li></ol><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I find there are a few issues with this:<o:p></o:p></p><ul type=disc><li class=MsoListParagraph style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l3 level1 lfo4'>“MUST include the CA/Browser Forum reserved identifier specified in <a href="https://github.com/cabforum/code-signing/blob/main/docs/CSBR.md#7161-reserved-certificate-policy-identifiers">Section 7.1.6.1</a>” seems to state there is only one policy OID to use, while in fact there are 3 in the named section, 2 of which are for code signing certificates. This is a minor issue though and could be fixed in a cleanup ballot.<o:p></o:p></li><li class=MsoListParagraph style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l3 level1 lfo4'>More concerning, I find the MUST and MAY language. If we take the language related to CA Certificates for Code Signing Certificates, what does this language actually state? 
Should this be interpreted as:<o:p></o:p></li></ul><ul type=disc><ul type=circle><li class=MsoListParagraph style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l3 level2 lfo4'>MUST include a CABF OID and MAY additionally contain the “anyPolicy” OID.<br>Or does it state:<o:p></o:p></li><li class=MsoListParagraph style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l3 level2 lfo4'>MUST include either a CABF OID or the “anyPolicy” OID?<o:p></o:p></li></ul></ul><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I would like to think the intent here is to allow CA Certificates with just the “anyPolicy” OID, but at the same time, a MAY overriding a MUST seems counterproductive.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Any thoughts on this?<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Regards,<br><br>Martijn<o:p></o:p></p></div></div></body></html>
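A small checker for the question the thread raises, added here as an example; it is not code from the thread, from any of the posters, or from the CA/Browser Forum. It DER-encodes a certificatePolicies extension value for a Subordinate CA certificate, decodes it back (policy qualifiers are skipped), and evaluates the decoded OIDs under the two readings of CSBR 7.1.6.3 discussed above: "strict" (a reserved identifier is required; anyPolicy may appear in addition but does not substitute) and "either" (a reserved identifier or anyPolicy satisfies the clause, which is what Bruce's rewrite makes explicit). The timestamping identifier 2.23.140.1.4.2 and anyPolicy 2.5.29.32.0 are the OIDs named on this page; the two code signing reserved identifiers (2.23.140.1.4.1 and 2.23.140.1.3) are taken from CSBR section 7.1.6.1 and are not quoted on this page. The function names and the "strict"/"either" labels are my own.

```python
"""Evaluate a Subordinate CA certificatePolicies value against the two
readings of CSBR 7.1.6.3. Added example, not CA/Browser Forum code."""

ANY_POLICY = "2.5.29.32.0"
RESERVED = {
    # Reserved identifiers from CSBR 7.1.6.1 (assumed from the CSBR; only
    # 2.23.140.1.4.2 is quoted in the thread itself).
    "codesigning": {"2.23.140.1.4.1", "2.23.140.1.3"},
    "timestamp": {"2.23.140.1.4.2"},
}
TAG_OID, TAG_SEQUENCE = 0x06, 0x30


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    size = (n.bit_length() + 7) // 8
    return bytes([0x80 | size]) + n.to_bytes(size, "big")


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def encode_oid(oid: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag, length, base-128 arcs)."""
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {oid!r}")
    values = [arcs[0] * 40 + arcs[1]] + arcs[2:]  # first two arcs share one subidentifier
    body = bytearray()
    for v in values:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))  # continuation bit on all but the last octet
            v >>= 7
        body.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(body))


def decode_oid(body: bytes) -> str:
    """Decode the contents octets of an OBJECT IDENTIFIER back to dotted form."""
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    if not arcs or body[-1] & 0x80:
        raise ValueError("truncated OID")
    first = arcs[0]
    lead = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(a) for a in (*lead, *arcs[1:]))


def _read_tlv(buf: bytes, pos: int):
    """Read one TLV starting at pos; return (tag, contents, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        size = first & 0x7F
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    if pos + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def encode_certificate_policies(oids) -> bytes:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OID }"""
    return _tlv(TAG_SEQUENCE, b"".join(_tlv(TAG_SEQUENCE, encode_oid(o)) for o in oids))


def decode_certificate_policies(der: bytes) -> list:
    """Return the policyIdentifier OIDs; policyQualifiers, if present, are skipped."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("certificatePolicies must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, info, pos = _read_tlv(body, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_body, _ = _read_tlv(info, 0)  # policyIdentifier is the first element
        if tag != TAG_OID:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_body))
    return oids


def complies(policy_oids, ca_kind: str, reading: str) -> bool:
    """'strict': a reserved OID is required; anyPolicy may appear but does not substitute.
    'either': a reserved OID or anyPolicy satisfies the requirement."""
    present = set(policy_oids)
    has_reserved = bool(present & RESERVED[ca_kind])
    if reading == "strict":
        return has_reserved
    if reading == "either":
        return has_reserved or ANY_POLICY in present
    raise ValueError(f"unknown reading {reading!r}")


def evaluate(oids, ca_kind: str) -> dict:
    """Round-trip the value through DER, then report the verdict under both readings."""
    parsed = decode_certificate_policies(encode_certificate_policies(oids))
    return {r: complies(parsed, ca_kind, r) for r in ("strict", "either")}


if __name__ == "__main__":
    for oids in (["2.23.140.1.4.2"], [ANY_POLICY], ["2.23.140.1.4.2", ANY_POLICY]):
        print(oids, evaluate(oids, "timestamp"))
```

Feeding `[ANY_POLICY]` alone for a timestamping Subordinate CA is exactly the case the thread is about: it fails the "strict" reading and passes the "either" reading. A code signing reserved identifier does not satisfy either reading for a timestamping CA, since 7.1.6.3 ties the reserved identifier to the kind of certificate the Subordinate CA issues. In a real linter you would extract the extension value (extnID 2.5.29.32) from the certificate rather than construct it.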