<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 22/11/2023 8:16 p.m., Bruce Morton
via Cscwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100018bf83fcef7-2e8bad6c-70e4-417e-a8cd-9ed4e62b5aa7-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">I think a
separate ballot is required. An alternative would be a
cleanup ballot, but I am not sure we have much content for a
cleanup ballot.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Also, this
information is missing from <a
href="https://cabforum.org/object-registry/"
moz-do-not-send="true" class="moz-txt-link-freetext">https://cabforum.org/object-registry/</a>:
codesigning-requirements(4) timestamping(2) —
2.23.140.1.4.2 (Timestamp Certificate issued in compliance
with the Code Signing Baseline Requirements). Who can update
this page?</span></p>
</div>
</blockquote>
<br>
Done.<br>
Dimitris.<br>
<blockquote type="cite"
cite="mid:0100018bf83fcef7-2e8bad6c-70e4-417e-a8cd-9ed4e62b5aa7-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">Thanks,
Bruce.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt">From:</span></b><span
style="font-size:11.0pt"> Martijn Katerbarg
<a class="moz-txt-link-rfc2396E" href="mailto:martijn.katerbarg@sectigo.com"><martijn.katerbarg@sectigo.com></a> <br>
<b>Sent:</b> Wednesday, November 22, 2023 1:01 PM<br>
<b>To:</b> Bruce Morton
<a class="moz-txt-link-rfc2396E" href="mailto:Bruce.Morton@entrust.com"><Bruce.Morton@entrust.com></a>;
<a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] Re: MUST overridden by a MAY
- Subordinate CA policies<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">Hey
Bruce,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">You’re
pretty much taking the proposed language in my head and
putting it on paper </span><span
style="font-size:11.0pt;font-family:"Segoe UI Emoji",sans-serif;mso-fareast-language:EN-US">😊</span><span
style="font-size:11.0pt;mso-fareast-language:EN-US">. Same
for the listing above, for Code Signing CA Certificates.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">Do we
think a separate ballot is more appropriate for this? It’d
be a minor one; then again, there’s no shortage of ballot
numbers to use.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><br>
Martijn<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div id="mail-editor-reference-message-container">
<div>
<div
style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span
style="font-size:12.0pt;font-family:"Aptos",sans-serif;color:black">From:
</span></b><span
style="font-size:12.0pt;font-family:"Aptos",sans-serif;color:black">Bruce
Morton <<a href="mailto:Bruce.Morton@entrust.com"
moz-do-not-send="true" class="moz-txt-link-freetext">Bruce.Morton@entrust.com</a>><br>
<b>Date: </b>Wednesday, 22 November 2023 at 18:03<br>
<b>To: </b>Martijn Katerbarg <<a
href="mailto:martijn.katerbarg@sectigo.com"
moz-do-not-send="true" class="moz-txt-link-freetext">martijn.katerbarg@sectigo.com</a>>,
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">cscwg-public@cabforum.org</a>
<<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">cscwg-public@cabforum.org</a>><br>
<b>Subject: </b>RE: MUST overridden by a MAY -
Subordinate CA policies<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual">Hi Martijn,</span><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual"> </span><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual">I agree that
the language needs improvement. It might be better if
the requirement was:</span><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual"> </span><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual">A Certificate
issued after 31 March 2022 to a Subordinate CA that
issues Timestamp Certificates and is an Affiliate of
the Issuing CA MUST include one of the following:</span><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<ol style="margin-top:0in" type="1" start="1">
<li class="MsoNormal" style="mso-list:l0 level1 lfo1"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual">The CA/Browser
Forum reserved identifier </span><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">(2.23.140.1.4.2)</span><span
style="font-size:11.0pt;mso-ligatures:standardcontextual"> to indicate
the Subordinate CA’s compliance with these
Requirements; OR</span><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"><o:p></o:p></span></li>
<li class="MsoNormal" style="mso-list:l0 level1 lfo1"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual">The
“anyPolicy” identifier (2.5.29.32.0).</span><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"><o:p></o:p></span></li>
</ol>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual"> </span><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual">Does that
work? If so, then maybe we should also cleanup the
whole section. Also, we might also consider deleting
“to indicate the Subordinate CA’s compliance with
these Requirements”.</span><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual"> </span><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual"> </span><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual">Thanks, Bruce.</span><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual"> </span><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt">From:</span></b><span
style="font-size:11.0pt"> Cscwg-public <<a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Martijn Katerbarg via
Cscwg-public<br>
<b>Sent:</b> Wednesday, November 22, 2023 11:07 AM<br>
<b>To:</b> <a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] [Cscwg-public] MUST
overridden by a MAY - Subordinate CA policies</span><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"
lang="SV">All,</span><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"
lang="SV"> </span><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"
lang="SV">CSBR section 7.1.6.3 states:</span><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p>“A Certificate issued to a Subordinate CA that issues
Code Signing Certificates and is an Affiliate of the
Issuing CA:</p>
<ol type="1" start="1">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo2"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">MUST
include the CA/Browser Forum reserved identifier
specified in <a
href="https://github.com/cabforum/code-signing/blob/main/docs/CSBR.md#7161-reserved-certificate-policy-identifiers">Section 7.1.6.1</a> to
indicate the Subordinate CA's compliance with these
Requirements, and<o:p></o:p></span></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo2"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">MAY
contain the "anyPolicy" identifier (</span><code><span
style="mso-ligatures:standardcontextual;mso-fareast-language:EN-US">2.5.29.32.0</span></code><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">)
in place of an explicit policy identifier.<o:p></o:p></span></li>
</ol>
<p>A Certificate issued after 31 March 2022 to a
Subordinate CA that issues Timestamp Certificates and is
an Affiliate of the Issuing CA:<o:p></o:p></p>
<ol type="1" start="1">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo3"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">MUST
include the CA/Browser Forum reserved identifier
specified in <a
href="https://github.com/cabforum/code-signing/blob/main/docs/CSBR.md#7161-reserved-certificate-policy-identifiers">Section 7.1.6.1</a> to
indicate the Subordinate CA’s compliance with these
Requirements, and<o:p></o:p></span></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo3"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">MAY
contain the “anyPolicy” identifier (</span><code><span
style="mso-ligatures:standardcontextual;mso-fareast-language:EN-US">2.5.29.32.0</span></code><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">)
in place of an explicit policy identifier.”<o:p></o:p></span></li>
</ol>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">I
find there are a few issues with this:<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoListParagraph"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l3 level1 lfo4"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">“MUST
include the CA/Browser Forum reserved identifier
specified in <a
href="https://github.com/cabforum/code-signing/blob/main/docs/CSBR.md#7161-reserved-certificate-policy-identifiers">Section 7.1.6.1</a>”, seems
to state there’s only one policy OID to use, while
in fact there are 3 in the named section, 2 of which
are for code signing certificates. This is a minor
issue though and could be fixed in a cleanup ballot.<o:p></o:p></span></li>
<li class="MsoListParagraph"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l3 level1 lfo4"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">More
concerning, I find, is the MUST and MAY language. If we
take the language related to CA Certificates for
Code Signing Certificates, what does this language
actually state? Should this be interpreted as:<o:p></o:p></span></li>
</ul>
<ul type="disc">
<ul type="circle">
<li class="MsoListParagraph"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l3 level2 lfo4"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">MUST
include a CABF OID and MAY additionally contain
the “anyPolicy” OID.<br>
or does it state:<o:p></o:p></span></li>
<li class="MsoListParagraph"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l3 level2 lfo4"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">MUST
include either a CABF OID or the “anyPolicy” OID?<o:p></o:p></span></li>
</ul>
</ul>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">I
would like to think the intent here is to allow CA
Certificates with just the “anyPolicy” OID, but at the
same time, a MAY overriding a MUST seems
counterproductive.<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">Any
thoughts on this?<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual;mso-fareast-language:EN-US">Regards,<br>
<br>
Martijn<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Cscwg-public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/cscwg-public">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a>
</pre>
</blockquote>
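<p>The two readings of CSBR 7.1.6.3 debated above differ on exactly one case: a Subordinate CA certificate whose certificatePolicies extension carries only anyPolicy (2.5.29.32.0). The following Python is an added example, not code from the thread, the CSBR or the CA/Browser Forum; it parses the DER value of a certificatePolicies extension (RFC 5280 section 4.2.1.4) with the standard library only and evaluates both readings side by side, the way a certificate lint would. The thread names only 2.23.140.1.4.2 and anyPolicy; the code signing and EV code signing identifiers 2.23.140.1.4.1 and 2.23.140.1.3 are taken from CSBR 7.1.6.1, which the thread links to. The sample extension values, the CPS URI and the "codesigning"/"timestamping" labels are constructed for the example.</p>

```python
# Added example (not from the thread, the CSBR or the CA/B Forum): parse a
# certificatePolicies extension value (RFC 5280 4.2.1.4) with the standard
# library only and apply both readings of CSBR 7.1.6.3 raised in the thread.
# The DER values in SAMPLES are constructed here, not taken from real certificates.

# Reserved identifiers from CSBR 7.1.6.1 (the thread itself quotes only the
# timestamping one); anyPolicy and id-qt-cps are RFC 5280 values.
CABF_CODE_SIGNING = "2.23.140.1.4.1"
CABF_EV_CODE_SIGNING = "2.23.140.1.3"
CABF_TIMESTAMPING = "2.23.140.1.4.2"
ANY_POLICY = "2.5.29.32.0"
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"
RESERVED_FOR = {"codesigning": {CABF_CODE_SIGNING, CABF_EV_CODE_SIGNING},
                "timestamping": {CABF_TIMESTAMPING}}


def der(tag, body):
    """DER TLV with definite length (short form below 128 bytes, long form above)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))


def decode_oid(body):
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def read_tlv(data, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at data[pos]."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def policy_oids(ext_value):
    """policyIdentifier of every PolicyInformation; policyQualifiers are skipped."""
    tag, outer, _ = read_tlv(ext_value)
    if tag != 0x30:
        raise ValueError("certificatePolicies is not a SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = read_tlv(outer, pos)
        oid_tag, oid_body, _ = read_tlv(info)  # first element is the OID
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(decode_oid(oid_body))
    return oids


def check_7_1_6_3(ext_value, ca_kind):
    """reading_must_cabf: reserved OID mandatory, anyPolicy can only be added;
    reading_either: reserved OID or anyPolicy (the rewording proposed above)."""
    oids = policy_oids(ext_value)
    has_reserved = bool(RESERVED_FOR[ca_kind] & set(oids))
    return {"oids": oids, "reading_must_cabf": has_reserved,
            "reading_either": has_reserved or ANY_POLICY in oids}


def policy_info(oid, cps_uri=None):
    # PolicyInformation ::= SEQUENCE { policyIdentifier, policyQualifiers OPTIONAL }
    body = encode_oid(oid)
    if cps_uri:  # one PolicyQualifierInfo carrying a CPS pointer (IA5String)
        body += der(0x30, der(0x30, encode_oid(ID_QT_CPS) + der(0x16, cps_uri.encode("ascii"))))
    return der(0x30, body)


# Constructed values for a Subordinate CA that issues Code Signing Certificates.
SAMPLES = {
    "cabf_only": der(0x30, policy_info(CABF_CODE_SIGNING)),
    "cabf_plus_anypolicy": der(0x30, policy_info(CABF_CODE_SIGNING, "https://cps.example/")
                               + policy_info(ANY_POLICY)),
    "anypolicy_only": der(0x30, policy_info(ANY_POLICY)),
    "timestamp_oid_only": der(0x30, policy_info(CABF_TIMESTAMPING)),  # wrong reserved OID
}


def evaluate_samples(ca_kind="codesigning"):
    return {name: check_7_1_6_3(value, ca_kind) for name, value in SAMPLES.items()}
```

<p>Calling <code>evaluate_samples()</code> shows the split: the certificate with only anyPolicy passes the "either" reading and fails the "MUST include a CABF OID" reading, while the other three samples get the same verdict under both. The last sample also shows why the check must be scoped to the kind of CA: a code signing CA certificate that asserts only the timestamping identifier fails both readings, although the same extension would pass for a timestamping CA. The parser takes only the first element of each PolicyInformation, so CPS or user-notice qualifiers on a policy do not affect the result.</p>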
<br>
</body>
</html>