<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="�" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Bradley Hand ITC";}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
p.Standard, li.Standard, div.Standard
{mso-style-name:Standard;
margin-top:0in;
margin-right:0in;
margin-bottom:10.0pt;
margin-left:0in;
line-height:115%;
punctuation-wrap:simple;
text-autospace:none;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
span.apple-style-span
{mso-style-name:apple-style-span;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle24
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle25
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle26
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle27
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle28
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-IE link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D'>Sending to a broader audience.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Ben, please consider this amendment to your motion.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>-Rick<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Rick Andrews <br><b>Sent:</b> Tuesday, July 24, 2012 2:30 PM<br><b>To:</b> 'chris_bailey@trendmicro.com'; Dean Coclin<br><b>Cc:</b> kirk_hall@trendmicro.com; wthayer@godaddy.com; tim.moses@entrust.com<br><b>Subject:</b> RE: Question on Ballot 83 - Network and Certificate System Security Requirements<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='color:#1F497D'>Chris,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>I believe the document imposes password restrictions only on user accounts, not hardware like smart cards. But I think we’re fine delaying the vote to give more people a chance to look more deeply at this (I think few people commented on it before Ben sent it out for balloting).<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>For the air-gap sentence, I propose changing<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>“</span><span style='font-family:"Cambria","serif"'>Maintain Root CA Systems in a High Security Zone and in an offline state or air-gapped from all other networks;</span><span style='color:#1F497D'>”<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>To<o:p></o:p></span></p><p class=Standard style='margin-bottom:12.0pt;line-height:normal'><span lang=EN-US style='color:#1F497D'>“</span><span lang=EN-US style='font-family:"Cambria","serif"'>Maintain Root CA Systems in a High Security Zone; to the greatest extent possible, keep Root CA Systems in an offline state or air-gapped from all other networks. Minimize the number of legacy Root CA Systems (created before the Effective Date) that must be kept online, and if possible restrict them to CRL signing only.</span><span lang=EN-US style='color:#1F497D'>”</span><span lang=EN-US style='font-family:"Cambria","serif"'><o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>What do you think of that change?<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>-Rick<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> chris_bailey@trendmicro.com [mailto:chris_bailey@trendmicro.com] <br><b>Sent:</b> Tuesday, July 24, 2012 1:15 PM<br><b>To:</b> Dean Coclin<br><b>Cc:</b> kirk_hall@trendmicro.com; Rick Andrews; wthayer@godaddy.com; tim.moses@entrust.com<br><b>Subject:</b> Re: Question on Ballot 83 - Network and Certificate System Security Requirements<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Dean,<o:p></o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p></div><div><p class=MsoNormal>I <span class=apple-style-span>agree. Additionally, there are other issues that are in this ballot that I would consider "recommended when practical". For example, there are certain smart cards that only allow a limited set of characters for the password. If these smart cards are used for offline backups, do these backups need to be refreshed every 3 months? I am sure there are other things in here as well, so I would like some more time to measure the impact to our own infrastructure and to make sure that it is not going to be an issue for other CAs as well if this ballot will be required.</span><o:p></o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p></div><div><p class=MsoNormal><span class=apple-style-span>So, we can either propose a delay in the vote and then offer to change the language or simply vote no to the ballot.</span><o:p></o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p></div><div><p class=MsoNormal><span class=apple-style-span>Any thought?</span><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thanks,<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Chris<o:p></o:p></p></div><div><p class=MsoNormal><br>Sent from my iPad<o:p></o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><br>On Jul 24, 2012, at 12:17 PM, "Dean Coclin" <<a href="mailto:Dean_Coclin@symantec.com">Dean_Coclin@symantec.com</a>> wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal><span style='color:#1F497D'>I’ll amend what I said a bit: there are some “legacy” systems that may have issued off the root in the past and will be required to issue CRLs going forward off the root. So I think these reqts should specify some sort of date so that legacy systems should be covered.</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'><br>Dean</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Dean Coclin <br><b>Sent:</b> Monday, July 23, 2012 2:29 PM<br><b>To:</b> '<a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a>'; Rick Andrews<br><b>Cc:</b> <a href="mailto:wthayer@godaddy.com">wthayer@godaddy.com</a>; <a href="mailto:tim.moses@entrust.com">tim.moses@entrust.com</a>; <a href="mailto:chris_bailey@trendmicro.com">chris_bailey@trendmicro.com</a><br><b>Subject:</b> RE: Question on Ballot 83 - Network and Certificate System Security Requirements</span><o:p></o:p></p></div></div><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>It’s always good security practice to keep the roots offline. This is pretty standard in most PKIs as well as in the Federal CP. We are in support of this requirement.</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>Dean</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a> <a href="mailto:[mailto:kirk_hall@trendmicro.com]">[mailto:kirk_hall@trendmicro.com]</a> <br><b>Sent:</b> Monday, July 23, 2012 2:20 PM<br><b>To:</b> Dean Coclin; Rick Andrews<br><b>Cc:</b> <a href="mailto:wthayer@godaddy.com">wthayer@godaddy.com</a>; <a href="mailto:tim.moses@entrust.com">tim.moses@entrust.com</a>; <a href="mailto:chris_bailey@trendmicro.com">chris_bailey@trendmicro.com</a><br><b>Subject:</b> FW: Question on Ballot 83 - Network and Certificate System Security Requirements</span><o:p></o:p></p></div></div><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'>Resending with the right people this time.</span><o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Kirk Hall (RD-US) <br><b>Sent:</b> Monday, July 23, 2012 9:55 AM<br><b>To:</b> Derek Lohrey; Wayne Thayer (<a href="mailto:wthayer@godaddy.com">wthayer@godaddy.com</a>); Tim Moses (<a href="mailto:tim.moses@entrust.com">tim.moses@entrust.com</a>)<br><b>Cc:</b> Chris Bailey (RD-US)<br><b>Subject:</b> Question on Ballot 83 - Network and Certificate System Security Requirements</span><o:p></o:p></p></div></div><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Gentlemen – in looking at the Network and Certificate System Security Requirements, we are not convinced that the requirement of keeping the root CAs offline and/or air gapped makes sense. None of the breaches to date involved compromise of the root CAs, and this will limit the ability of a CA to maintain current root CRLs on a frequent (balanced) basis (having the roots push out CRLs in a secure environment in an automated fashion), but arguably will require manual procedures at frequent intervals.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Are you in support of this particular requirement? Is it worth raising this as an issue, and asking for modification?<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>I know we raised this in the past, but I don’t recall that we ever got a specific response back on why roots in particular had to be kept offline or air/gapped. <o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><b><i><span style='font-size:14.0pt;font-family:"Bradley Hand ITC";color:#0F243E'>Kirk R. Hall</span></i></b><o:p></o:p></p><p class=MsoNormal>Operations Director, Trust Services<o:p></o:p></p><p class=MsoNormal>Trend Micro<o:p></o:p></p><p class=MsoNormal>+1.503.243.5405<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><table class=MsoNormalTable border=0 cellpadding=0><tr><td style='background:white;padding:.75pt .75pt .75pt .75pt'><pre><span style='color:black'>TREND MICRO EMAIL NOTICE</span><o:p></o:p></pre><pre><span style='color:black'>The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.</span><o:p></o:p></pre></td></tr></table><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'> </span><o:p></o:p></p></div></blockquote><table class=MsoNormalTable border=0 cellpadding=0><tr><td style='background:white;padding:.75pt .75pt .75pt .75pt'><pre><span style='color:black'>TREND MICRO EMAIL NOTICE<o:p></o:p></span></pre><pre><span style='color:black'>The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.<o:p></o:p></span></pre></td></tr></table><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p> </o:p></span></p></div></body></html>