<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Here is another draft of potential ballot language to fix OCSP Stapling in the Baseline Requirements. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Comments welcome –<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Erratum begins:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoListParagraph style='margin-left:27.75pt;mso-add-space:auto;text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='mso-list:Ignore'>A.<span style='font:7.0pt "Times New Roman"'>      </span></span><![endif]>In Section 13.2.1 “Mechanisms” remove the second paragraph and insert the following:<o:p></o:p></p><p class=MsoNormal style='margin-left:27.75pt'>The CA / Browser Forum’s certificate extension OID for mustStaple is 2.23.140.16.1.  If a Subscriber requests a Certificate for use in accordance with OCSP stapling [RFC4366], then the CA SHALL issue the Certificate with the mustStaple certificate extension and the CA SHALL contractually require the Subscriber to pre-fetch the OCSP response from the URL identified in the Certificate and staple that OCSP Response to the Subscriber’s TLS responses to requests for its Certificate from TLS clients that indicate they support OCSP stapling.  <o:p></o:p></p><p class=MsoNormal style='margin-left:27.75pt'><o:p> </o:p></p><p class=MsoListParagraph style='margin-left:27.75pt;mso-add-space:auto;text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='mso-list:Ignore'>B.<span style='font:7.0pt "Times New Roman"'>      </span></span><![endif]>In Appendix B "Subordinate CA Certificate" remove point C (authorityInformationAccess) and insert:<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>C.  
authorityInformationAccess <o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><p class=MsoNormal style='margin-left:.5in'>This extension MUST be present.  It MUST NOT be marked critical, and it MUST contain the HTTP URL of the Issuing CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1). <o:p></o:p></p><p class=MsoNormal style='text-indent:.5in'><o:p> </o:p></p><p class=MsoNormal style='text-indent:.5in'>See Section 13.2.1 for details about OCSP stapling requirements.<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><p class=MsoNormal style='margin-left:.5in'>Certificates that are not issued by a Root CA SHOULD contain an AIA with the HTTP URL where a copy of the Issuing CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2) can be downloaded from a 24x7 online repository.<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><p class=MsoListParagraphCxSpFirst style='margin-left:27.75pt;mso-add-space:auto;text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='mso-list:Ignore'>C.<span style='font:7.0pt "Times New Roman"'>      </span></span><![endif]>In Appendix B "Subscriber Certificate" remove the last sentence that says, “See Section 13.2.1 for details.”<o:p></o:p></p><p class=MsoListParagraphCxSpMiddle style='margin-left:27.75pt;mso-add-space:auto'><o:p> </o:p></p><p class=MsoListParagraphCxSpLast style='margin-left:27.75pt;mso-add-space:auto;text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='mso-list:Ignore'>D.<span style='font:7.0pt "Times New Roman"'>      </span></span><![endif]> In Appendix B "Subscriber Certificate" remove point C (authorityInformationAccess) and insert:<o:p></o:p></p><p class=MsoNormal>                C. authorityInformationAccess <o:p></o:p></p><p class=MsoNormal style='text-indent:.5in'><o:p> </o:p></p><p class=MsoNormal style='margin-left:.5in'>This extension MUST be present.  
It MUST NOT be marked critical, and it MUST contain the HTTP URL of the Issuing CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1). <o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><p class=MsoNormal style='text-indent:.5in'>See Section 13.2.1 for details about OCSP stapling requirements.<o:p></o:p></p><p class=MsoNormal style='text-indent:.5in'><o:p> </o:p></p><p class=MsoNormal style='margin-left:.5in'>Subscriber Certificates SHOULD contain an AIA with the HTTP URL where a copy of the Issuing CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2) can be downloaded from a 24x7 online repository.<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><p class=MsoListParagraph style='margin-left:27.75pt;mso-add-space:auto;text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='mso-list:Ignore'>E.<span style='font:7.0pt "Times New Roman"'>       </span></span><![endif]>   In Appendix B "Subscriber Certificate" remove point D (basicConstraints) and insert:<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.0pt;margin-left:45.75pt;text-align:justify;text-indent:26.25pt'><b>D.  basicConstraints (optional)<o:p></o:p></b></p><p class=MsoNormal style='margin-left:1.0in'>If present, this field MUST be marked critical and the cA field MUST be set to false.<o:p></o:p></p><p class=MsoNormal style='margin-left:1.0in'><o:p> </o:p></p><p class=MsoListParagraph style='margin-left:27.75pt;mso-add-space:auto;text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='mso-list:Ignore'>F.<span style='font:7.0pt "Times New Roman"'>       </span></span><![endif]>In Appendix B "Subscriber Certificate" after point F insert a new point G (mustStaple Certificate Extension) as follows:<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.0pt;margin-left:45.75pt;text-align:justify;text-indent:26.25pt'><b>G.  
mustStaple Certificate Extension (optional)<o:p></o:p></b></p><p class=MsoNormal style='margin-left:.5in'>If present, this certificate extension MUST NOT be marked critical, and it MUST contain the CA/Browser Forum OID of 2.23.140.16.1 (mustStaple).<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Erratum ends<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>
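The following is an added worked example, not part of the ballot draft above and not any CA's or browser's tooling. It mints an issuing CA and a Subscriber certificate that carry the extensions the draft's Appendix B describes, lints the certificate against those rules with the openssl command line, and then pre-fetches and verifies an OCSP response the way a stapling Subscriber would, entirely offline. It goes a little beyond the draft text by also linting a deliberately non-compliant certificate. Assumptions: OpenSSL 1.1.1 or later is on PATH; the example.com names and URLs are made up; 2.23.140.16.1 is the OID the draft proposes for mustStaple, and since the draft gives no value syntax the extension body here is an ASN.1 NULL.

```shell
#!/bin/sh
# Added example, not from the ballot draft or any CA's tooling: mint an issuing
# CA and a Subscriber certificate carrying the extensions the draft's Appendix B
# describes, lint the certificate against those rules with the openssl CLI, and
# pre-fetch and verify an OCSP response the way a stapling Subscriber would.
# Assumptions: OpenSSL 1.1.1 or later on PATH; example.com names and URLs are
# made up; 2.23.140.16.1 is the OID the draft proposes for mustStaple, encoded
# here as an ASN.1 NULL because the draft gives no value syntax.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
MUST_STAPLE_OID="2.23.140.16.1"
OCSP_URL="http://ocsp.example.com"
CAISSUERS_URL="http://ca.example.com/issuing-ca.crt"
# Minimal req config so nothing depends on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' >"$WORK/req.cnf"

make_ca() { # self-signed here; an intermediate in practice
  openssl req -x509 -config "$WORK/req.cnf" -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 30 -subj "/CN=Example Issuing CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,digitalSignature,keyCertSign,cRLSign" 2>/dev/null
}

issue_leaf() { # $1 = name, $2 = extension file, $3 = serial (fixed so the OCSP index can name it)
  openssl req -new -config "$WORK/req.cnf" -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=www.example.com" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -set_serial "$3" -days 30 -extfile "$2" -out "$WORK/$1.pem" 2>/dev/null
}

# Subscriber certificate as the draft specifies: non-critical AIA with OCSP and
# caIssuers URLs, critical basicConstraints cA=false, non-critical mustStaple.
cat >"$WORK/good.ext" <<EOF
authorityInfoAccess = OCSP;URI:$OCSP_URL, caIssuers;URI:$CAISSUERS_URL
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
$MUST_STAPLE_OID = ASN1:NULL
EOF
# Deliberately non-compliant: AIA critical and without an OCSP URL,
# basicConstraints present but not critical.
cat >"$WORK/bad.ext" <<EOF
authorityInfoAccess = critical, caIssuers;URI:$CAISSUERS_URL
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.com
EOF

has() { printf '%s\n' "$text" | grep -qF -- "$1"; }   # search the openssl -text output
fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# Lint one certificate against the draft's Appendix B rules; prints findings
# and returns the number of MUST violations.
lint_leaf() {
  text="$(openssl x509 -in "$1" -noout -text)"
  fails=0
  if has 'Authority Information Access:'; then
    if has 'Authority Information Access: critical'; then fail "AIA is marked critical"; fi
    if ! has 'OCSP - URI:http://'; then fail "AIA has no HTTP URL for the OCSP responder"; fi
    if ! has 'CA Issuers - URI:http://'; then echo "WARN: no caIssuers URL in AIA (SHOULD)"; fi
  else
    fail "AIA extension missing"
  fi
  if has 'X509v3 Basic Constraints'; then        # optional, but constrained if present
    if ! has 'X509v3 Basic Constraints: critical'; then fail "basicConstraints not critical"; fi
    if ! has 'CA:FALSE'; then fail "basicConstraints cA is not false"; fi
  fi
  if has "$MUST_STAPLE_OID:"; then                # optional, but MUST NOT be critical
    if has "$MUST_STAPLE_OID: critical"; then fail "mustStaple is marked critical"; fi
    echo "INFO: mustStaple ($MUST_STAPLE_OID) present; Subscriber must staple"
  fi
  return "$fails"
}

# Pre-fetch and verify the OCSP response for leaf.pem, as the Subscriber does
# before stapling it. No network here: the same binary plays the responder,
# answering from a one-line CA index that marks serial 1234 as valid (V).
fetch_staple() {
  printf 'V\t491231235959Z\t\t1234\tunknown\t/CN=www.example.com\n' >"$WORK/index.txt"
  openssl ocsp -issuer "$WORK/ca.pem" -cert "$WORK/leaf.pem" -no_nonce \
    -reqout "$WORK/req.der" >/dev/null 2>&1 || true
  openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.pem" -rsigner "$WORK/ca.pem" \
    -rkey "$WORK/ca.key" -ndays 7 -reqin "$WORK/req.der" -respout "$WORK/staple.der" \
    >/dev/null 2>&1 || true
  # What a TLS client does with the staple: check that the signature chains to
  # the issuer named in the certificate's AIA and that the status is good.
  verdict="$(openssl ocsp -respin "$WORK/staple.der" -issuer "$WORK/ca.pem" \
    -cert "$WORK/leaf.pem" -CAfile "$WORK/ca.pem" -no_nonce 2>&1 || true)"
  printf '%s\n' "$verdict"
  printf '%s\n' "$verdict" | grep -q 'Response verify OK' &&
    printf '%s\n' "$verdict" | grep -q 'leaf.pem: good'
}

make_ca
issue_leaf leaf "$WORK/good.ext" 0x1234
issue_leaf bad "$WORK/bad.ext" 0x1235
echo "== leaf.pem (compliant)"; lint_leaf "$WORK/leaf.pem"
echo "== bad.pem (non-compliant)"; lint_leaf "$WORK/bad.pem" || echo "bad.pem: $? MUST violation(s)"
echo "== OCSP pre-fetch for leaf.pem"; fetch_staple
```

The verified `staple.der` is the artifact the draft obliges the Subscriber to hand out in the handshake (for instance via `openssl s_server -status_file staple.der` or nginx's `ssl_stapling_file`); the point of the mustStaple extension is that a client which understands it can refuse a handshake that lacks such a response instead of falling back to its own OCSP fetch. The linter matches on the text openssl prints, so the exact strings are tied to the OpenSSL version and a production check would parse the DER instead.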