<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="�" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Tms Rmn";
panose-1:2 2 6 3 4 5 5 2 3 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
h2
{mso-style-priority:99;
mso-style-link:"Heading 2 Char";
margin-top:15.65pt;
margin-right:0in;
margin-bottom:0in;
margin-left:.4in;
margin-bottom:.0001pt;
text-align:justify;
text-indent:-.4in;
page-break-after:avoid;
mso-list:l1 level2 lfo2;
font-size:11.0pt;
font-family:"Tms Rmn","serif";}
h3
{mso-style-priority:99;
mso-style-link:"Heading 3 Char";
margin-top:9.05pt;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
text-align:justify;
text-indent:-.5in;
page-break-after:avoid;
mso-list:l1 level3 lfo2;
font-size:11.0pt;
font-family:"Tms Rmn","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.Heading2Char
{mso-style-name:"Heading 2 Char";
mso-style-priority:99;
mso-style-link:"Heading 2";
font-family:"Tms Rmn","serif";
font-weight:bold;}
span.Heading3Char
{mso-style-name:"Heading 3 Char";
mso-style-priority:99;
mso-style-link:"Heading 3";
font-family:"Tms Rmn","serif";
font-weight:bold;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
p.emailquote, li.emailquote, div.emailquote
{mso-style-name:emailquote;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:1.0pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:62803525;
mso-list-template-ids:-695441694;}
@list l0:level1
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1
{mso-list-id:694385313;
mso-list-template-ids:1241913718;}
@list l1:level1
{mso-level-text:%1;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.3in;
text-indent:-.3in;
mso-bidi-font-family:"Times New Roman";}
@list l1:level2
{mso-level-style-link:"Heading 2";
mso-level-text:"%1\.%2";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.4in;
text-indent:-.4in;
mso-bidi-font-family:"Times New Roman";
mso-ansi-font-weight:bold;}
@list l1:level3
{mso-level-style-link:"Heading 3";
mso-level-text:"%1\.%2\.%3";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.5in;
text-indent:-.5in;
mso-bidi-font-family:"Times New Roman";}
@list l1:level4
{mso-level-text:"%1\.%2\.%3\.%4";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.6in;
text-indent:-.6in;
mso-bidi-font-family:"Times New Roman";}
@list l1:level5
{mso-level-text:"%1\.%2\.%3\.%4\.%5";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.7in;
text-indent:-.7in;
mso-bidi-font-family:"Times New Roman";}
@list l1:level6
{mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.8in;
text-indent:-.8in;
mso-bidi-font-family:"Times New Roman";}
@list l1:level7
{mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.9in;
text-indent:-.9in;
mso-bidi-font-family:"Times New Roman";}
@list l1:level8
{mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7\.%8";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.0in;
text-indent:-1.0in;
mso-bidi-font-family:"Times New Roman";}
@list l1:level9
{mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7\.%8\.%9";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.1in;
text-indent:-1.1in;
mso-bidi-font-family:"Times New Roman";}
@list l2
{mso-list-id:1252395126;
mso-list-template-ids:-1786337736;}
@list l2:level1
{mso-level-start-at:9;
mso-level-text:%1;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:24.0pt;
text-indent:-24.0pt;}
@list l2:level2
{mso-level-start-at:2;
mso-level-text:"%1\.%2";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:24.0pt;
text-indent:-24.0pt;}
@list l2:level3
{mso-level-start-at:2;
mso-level-text:"%1\.%2\.%3";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.5in;
text-indent:-.5in;}
@list l2:level4
{mso-level-text:"%1\.%2\.%3\.%4";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.5in;
text-indent:-.5in;}
@list l2:level5
{mso-level-text:"%1\.%2\.%3\.%4\.%5";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.75in;}
@list l2:level6
{mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.75in;}
@list l2:level7
{mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.0in;
text-indent:-1.0in;}
@list l2:level8
{mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7\.%8";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.0in;
text-indent:-1.0in;}
@list l2:level9
{mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7\.%8\.%9";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.25in;
text-indent:-1.25in;}
@list l3
{mso-list-id:1691177554;
mso-list-template-ids:-988242118;}
@list l3:level1
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-IE link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>A domain name? I thought it should be revised to state that there should be a SAN containing the permanentIdentifier.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Jeremy Rowley [mailto:jeremy.rowley@digicert.com] <br><b>Sent:</b> Monday, June 11, 2012 9:40 AM<br><b>To:</b> Rick Andrews; public@cabforum.org<br><b>Subject:</b> RE: [cabfpub] Questions about [70] EV Code Signing Identifier<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Revised is better. The original intent of that language was to prevent a FQDN from appearing in an EV Code Signing Certificate. Instead of eliminating the Subject Alt Name Extension, we should specify that the Subject Alt Name Extension MUST not contain a Domain Name..<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Jeremy<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Rick Andrews<br><b>Sent:</b> Friday, June 08, 2012 2:35 PM<br><b>To:</b> public@cabforum.org<br><b>Subject:</b> Re: [cabfpub] Questions about [70] EV Code Signing Identifier<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>One more thing: The guidelines currently contain this:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><h3 style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:10.0pt;margin-left:.5in;mso-list:l2 level3 lfo4'><a name="_Toc253979387"><![if !supportLists]><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><span style='mso-list:Ignore'>9.2.2<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>Subject Alternative Name</span></a><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'> Extension<o:p></o:p></span></h3><p class=MsoNormal style='margin-bottom:10.0pt'>This field should not be included in the EV Code Signing Objects.<o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Which I presume should be removed or revised.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>-Rick<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-right:solid blue 1.5pt;padding:0in 0in 0in 0in'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Rick Andrews<br><b>Sent:</b> Friday, June 08, 2012 11:36 AM<br><b>To:</b> <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> [cabfpub] Questions about [70] EV Code Signing Identifier<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>I have a few questions about this ballot. I apologize for not bringing this up during the review period, but you often don’t see things until you’re trying to implement...<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>First of all, I haven’t been able to find a concise list on the wiki of what is the current status of each ballot. I assume someone maintains that list, but it would be nice to see it on one page.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>Secondly, a few questions have come up about the construction of the permanentIdentifier. Here’s the current text:<o:p></o:p></span></p></div><div style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span style='font-size:10.0pt;color:#0070C0'>"(B) the Certificate MUST include a SubjectAltName:permanentIdentifier which MUST contain the following: </span><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span style='font-size:10.0pt;color:#0070C0'>"(1) The ISO 3166-2 country code in uppercase characters corresponding to the Subject’s Jurisdiction of Incorporation or Registration (CC), as specified in the subject:jurisdictionOfIncorporationCountryName field; </span><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span style='font-size:10.0pt;color:#0070C0'>"(2) If applicable, the state, province, or locality of the Subject’s Jurisdiction of Incorporation in uppercase characters as specified in the subjectjurisdictionOfIncorporationLocalityName or subject:jurisdictionofIncorporationStateorProvinceName field, expressed in an unabbreviated format (STATE); and </span><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span style='font-size:10.0pt;color:#0070C0'>"(3) The first one of the following that applies: a. The Registration Number as included in the Subject:serialNumber field (REG), b. A date of Incorporation or Registration in YYYY-MM-DD format (DATE) and the Subject’s Organization Name as included in the organizationName field (ORG), c. A verifiable date of creation in YYYY-MM-DD format (DATE) and the Subject’s Organization Name as included in the organizationName field (ORG), or d. The Subject’s Organization Name as included in the organizationName field (ORG). </span><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span style='font-size:10.0pt;color:#0070C0'>"The CA SHALL format data in the SubjectAltName:permanentIdentifier extension using Unicode as follows: CC-STATE (if applicable)- REG or DATE (if available)-ORG (if REG is not present). Characters representing the organization name MUST be uppercase Unicode. Any included “-“ characters MUST be Unicode 002D and any included spaces in REG, STATE, or ORG MUST be Unicode 0020. A CA MAY truncate or abbreviate an organization name included in this field to ensure that the combination does not exceed 64 characters provided that the CA checks this field in accordance with section 10.11.1 and a Relying Party will not be misled into thinking that they are dealing with a different organization. If this is not possible, the CA MUST NOT issue the EV Code Signing Certificate.</span><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><ol start=1 type=a><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo7'><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>Since the STATE part is “if applicable”, what happens if the STATE is not applicable? Is the permanentIdentifier “CC--REG or DATE”?<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo7'><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>Can a State or Province include a hyphen? If so, I would expect it would need to be escaped somehow so as not to be interpreted as a delimiter.<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo7'><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>Same question about Org, except that I know that Orgs can contain hyphens (e.g., “Hewlett-Packard”).<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo7'><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>We don’t understand the need to allow the CA to truncate so the combination doesn’t exceed 64 characters. That’s the max length of DN components, but this is an extension. If the intent is to insure that any CA would come up with the same combination for a given organization, this seems to allow for variability that will cause incompatibilities.<o:p></o:p></span></li></ol><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>-Rick<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div></div></div></div></body></html>