<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-IE link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='color:black'>While we agree with the “spirit” of this ballot, Symantec will probably vote against this, for these reasons:<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='color:black'><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='color:black'>In our opinion, this will have little practical effect because if an attacker subverts a CA and uses the CA’s infrastructure to issue a fraudulent cert, that cert will have a valid serial number and will therefore have a “good” status (until the fraud is discovered). If the attacker does not subvert the CA’s infrastructure (instead mounts a hash collision attack, for example), s/he could easily choose to use an existing serial number and therefore get a “good” status (until the fraud is discovered and the legitimate certificate is revoked). The motion will only help in the very limited case in which the attacker does not subvert the CA’s infrastructure, and uses a non-existent serial number.<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='color:black'><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='color:black'>Any CA that uses a CRL-based OCSP responder product (and Symantec does, for a subset of our CAs) will be unable to comply until the vendor builds in that functionality (we think it’s non-trivial) and the CA deploys it, or the CA replaces the CRL-based OCSP responder with one not based on CRLs. 
Neither option can be accomplished in 6 months; both options will probably take a year or more.<o:p></o:p></span></p><p class=MsoListParagraph><span style='color:black'><o:p> </o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='color:black'><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='color:black'>The BRs currently treat CRLs almost the same as OCSP (Section 13.2.2 "Repository" essentially says that the CA must support OCSP and may support CRLs), and if a relying party uses CRLs instead of OCSP, they will interpret anything not on the CRL as "good". So this ballot will do nothing at all to help those relying parties.</span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:black'>-Rick<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Tim Moses<br><b>Sent:</b> Friday, July 20, 2012 11:41 AM<br><b>To:</b> CABFPub<br><b>Subject:</b> [cabfpub] Ballot[80] - BR Response for non-issued certificates<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=line874 style='background:white'><span lang=EN-US style='font-family:"Arial","sans-serif";color:black'>Yngve Pettersen made the following motion and Ben Wilson and Carsten Dahlenkamp endorsed 
it:<o:p></o:p></span></p><p class=line874 style='background:white;orphans: 2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=EN-US style='font-family:"Arial","sans-serif";color:black'>... Motion begins....<o:p></o:p></span></p><p class=line874 style='background:white;orphans: 2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=EN-US style='font-family:"Arial","sans-serif";color:black'>Effective 1 Feb 2013<o:p></o:p></span></p><p class=line874 style='background:white;orphans: 2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=EN-US style='font-family:"Arial","sans-serif";color:black'>... Erratum begins ...<o:p></o:p></span></p><p class=line874 style='background:white;orphans: 2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=EN-US style='font-family:"Arial","sans-serif";color:black'>Insert a new section at the end of section 13.2 of the Baseline Requirements with the following heading and text:<o:p></o:p></span></p><p class=line874 style='background:white;orphans: 2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=EN-US style='font-family:"Arial","sans-serif";color:black'>"13.2.6 Response for non-issued certificates<o:p></o:p></span></p><p class=line874 style='background:white;orphans: 2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=EN-US style='font-family:"Arial","sans-serif";color:black'>If the OCSP responder receives a request for status of a certificate that has not been issued, then the responder MUST NOT respond with a "good" status. 
The CA SHOULD monitor the responder for such requests as part of its security response procedures."<o:p></o:p></span></p><p class=line874 style='background:white;orphans: 2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=EN-US style='font-family:"Arial","sans-serif";color:black'>... Erratum ends ...<o:p></o:p></span></p><p class=line874 style='background:white;orphans: 2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=EN-US style='font-family:"Arial","sans-serif";color:black'>The ballot review period comes into effect at 21:00 UTC on 19 July 2012 and will close at 21:00 UTC on 26 July 2012. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 21:00 UTC on 2 August 2012. Votes must be cast by posting an on-list reply to this thread.<o:p></o:p></span></p><p class=line874 style='background:white;orphans: 2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=EN-US style='font-family:"Arial","sans-serif";color:black'>... Motion ends ...<o:p></o:p></span></p><p class=line874 style='background:white;orphans: 2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=EN-US style='font-family:"Arial","sans-serif";color:black'>A vote in favor of the motion must indicate a clear 'yes' in the response.<o:p></o:p></span></p><p class=line874 style='background:white;orphans: 2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=EN-US style='font-family:"Arial","sans-serif";color:black'>A vote against must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. 
Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted.<o:p></o:p></span></p><p class=line874 style='background:white;orphans: 2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=EN-US style='font-family:"Arial","sans-serif";color:black'>Voting members are listed here:<o:p></o:p></span></p><p class=line867 style='background:white;orphans: 2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=EN-US style='font-family:"Arial","sans-serif";color:black'><a href="http://www.cabforum.org/forum.html"><span style='border:none windowtext 1.0pt;padding:0in'>http://www.cabforum.org/forum.html</span></a><o:p></o:p></span></p><p class=line862 style='background:white;orphans: 2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=EN-US style='font-family:"Arial","sans-serif";color:black'>with the addition of<span class=apple-converted-space> </span><a href="https://www.cabforum.org/wiki/TrendMicro"><span style='color:gray;border:none windowtext 1.0pt;padding:0in'>TrendMicro</span></a>.<o:p></o:p></span></p><p class=line874 style='background:white;orphans: 2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=EN-US style='font-family:"Arial","sans-serif";color:black'>In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and one half or more of the votes cast by members in the browser category must be in favour. 
Also, at least seven members must participate in the ballot, either by voting in favour, voting against or abstaining.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>T: +1 613 270 3183<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p></div></div></body></html>
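The exchange above turns on one distinction: a CRL-based OCSP responder (and a relying party that checks a CRL directly) only knows the revoked set, so any serial not on the CRL, including one the CA never issued, comes back "good"; a responder that also knows which serials were issued can refuse to say "good" for the rest and flag those requests, as the ballot text requires. The following Python is an added illustration of that difference, not code from the CA/Browser Forum, from Symantec, or from any OCSP product. The serial numbers, the issued set and the CRL are constructed, and the choice to answer "unknown" (rather than "revoked") for a non-issued serial is this example's own; the ballot only says the answer must not be "good". It also shows Rick's caveat from the reply: a fraudulent certificate that reuses an existing, unrevoked serial gets "good" from both responders, so the rule only bites for serials the CA never issued.

```python
"""Toy OCSP status lookup: CRL-backed responder versus one that also knows
which serial numbers the CA actually issued.

Constructed example for the Ballot 80 discussion. All serials and CA state
below are made up; nothing here comes from a real CA or OCSP product.
"""
from __future__ import annotations

from dataclasses import dataclass, field

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"

# Constructed CA state: serials the CA issued, and the subset it revoked (its CRL).
ISSUED_SERIALS = {0x1001, 0x1002, 0x1003}
CRL_SERIALS = {0x1002}


def crl_based_status(serial: int, crl: set[int] = CRL_SERIALS) -> str:
    """A CRL-based responder only knows the revoked set; everything else is 'good'.

    This is also exactly what a relying party does when it consults a CRL
    instead of OCSP, which is the third point in the reply: a non-issued
    serial is indistinguishable from an issued, unrevoked one.
    """
    return REVOKED if serial in crl else GOOD


@dataclass
class IssuanceAwareResponder:
    """Responder that knows the issued set as well as the CRL."""
    issued: set[int]
    crl: set[int]
    # Requests for serials the CA never issued, kept for the security team
    # (the ballot's 'SHOULD monitor the responder for such requests').
    suspicious_requests: list[int] = field(default_factory=list)

    def status(self, serial: int) -> str:
        if serial in self.crl:
            return REVOKED
        if serial in self.issued:
            return GOOD
        # The ballot's MUST NOT: never answer 'good' for a serial that was never
        # issued. 'unknown' is this example's choice; record the request so the
        # CA's security response process can look at it.
        self.suspicious_requests.append(serial)
        return UNKNOWN


def compare(serial: int, responder: IssuanceAwareResponder) -> tuple[str, str]:
    """Return (CRL-based answer, issuance-aware answer) for one serial."""
    return crl_based_status(serial, responder.crl), responder.status(serial)


if __name__ == "__main__":
    responder = IssuanceAwareResponder(issued=set(ISSUED_SERIALS), crl=set(CRL_SERIALS))
    cases = {
        "issued, not revoked": 0x1001,
        "issued and on the CRL": 0x1002,
        "never issued (the case the ballot addresses)": 0x9999,
        # Rick's caveat: a fraudulent cert reusing a live serial looks 'good' to both.
        "fraudulent cert reusing existing serial": 0x1003,
    }
    for label, serial in cases.items():
        crl_answer, aware_answer = compare(serial, responder)
        print(f"{label:46s} {serial:#06x}: CRL-based={crl_answer}, issuance-aware={aware_answer}")
    print("flagged for monitoring:", [f"{s:#x}" for s in responder.suspicious_requests])
```

Running the script shows the only row where the two responders disagree is the never-issued serial; both answer "good" for the reused serial, which is the limitation the reply describes. The monitoring list is the hook a CA would wire into its alerting: a burst of requests for serials it never issued is a signal worth investigating regardless of which status it returns.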