<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1515802985;
mso-list-type:hybrid;
mso-list-template-ids:170553064 67698709 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-number-format:alpha-upper;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>All,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>As noted during our last telephone meeting on 19 November, Yngve would like to move forward on a resolution of BR Issue 7. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>His recent changes include an effective date of 1 August 2013, since we already have an OCSP update deadline for that date (as noted below, please respond if you do not like this suggestion, and provide an alternative, and a reason why yours is better). <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Motivations for resolving this issue include:<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal> - OCSP: OCSP URL will still be needed for legacy clients, server configuration is easier if the URL is included in the certificate.<o:p></o:p></p><p class=MsoNormal> - issuer URL: Improve the user experience by helping clients verify certificates for misconfigured servers (as he has mentioned earlier, 1 server<o:p></o:p></p><p class=MsoNormal>in 50 does not send a full chain, 1 in 1000 does not send a full chain and automatic completion is not possible, although neither number says<o:p></o:p></p><p class=MsoNormal>anything about user impact of those servers, but the server admins purchased certificates for some reason).<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Open issues:<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal> - Is the effective date sufficient?<o:p></o:p></p><p class=MsoNormal> - Does this fix the issues already mentioned, and are there any other issues with the text?<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>In conversations with him, I have suggested that we hold off balloting and refine the language further, if necessary, because recent history shows that even if we started the review and voting period there may be a multitude of comments that bog-down the approval process. Instead of pushing this to a vote, Yngve and I discussed the idea of creating an issues list for this issue. That is Item #5 on the agenda tomorrow. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>In anticipation of tomorrow’s discussion, could those of you who are concerned about implementation timeframes for mandatory issuer AIAs, about the proposal altogether, or other questions about it either respond to this email with their comments or send an email to me and Yngve, so that all issues can be consolidated into a comment-and-response framework? The first comment or question received will be numbered 7a, the second 7b, and so forth. The most current language being considered is as follows:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>For C. authorityInformationAccess for Subordinate CAs<o:p></o:p></p><p class=MsoNormal style='margin-left:.25in'><o:p> </o:p></p><p class=MsoNormal style='margin-left:.25in'>This extension MUST be present. It MUST NOT be marked critical, and it MUST contain:<o:p></o:p></p><p class=MsoNormal style='margin-left:.25in'><o:p> </o:p></p><p class=MsoNormal> * the HTTP URL of the Issuing CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1). See Section 13.2.1 for details about OCSP revocation<o:p></o:p></p><p class=MsoNormal>requirements.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal> * for certificates issued after August 1, 2013 that are not issued by a Root CA, the HTTP URL where a copy of the Issuing CA’s certificate (accessMethod =<o:p></o:p></p><p class=MsoNormal>1.3.6.1.5.5.7.48.2) can be downloaded from a 24x7 online repository.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>For C. authorityInformationAccess for Subscriber Certificates<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>This extension MUST be present. It MUST NOT be marked critical, and it MUST contain:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal> * the HTTP URL of the Issuing CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1). See Section 13.2.1 for details about OCSP revocation<o:p></o:p></p><p class=MsoNormal>requirements.<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal> * for certificates issued after August 1, 2013, the HTTP URL where a copy of the Issuing CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2) can be downloaded from a 24x7 online repository, and each Issuing CA certificate in the chain, except the Root and the Subordinate CA issued by the Root, MUST contain this extension.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Ben<o:p></o:p></p></div></body></html>