<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
p.emailquote, li.emailquote, div.emailquote
{mso-style-name:emailquote;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:1.0pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";
color:black;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:177473635;
mso-list-template-ids:-519298832;}
@list l0:level1
{mso-level-start-at:5;
mso-level-number-format:alpha-lower;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level4
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level7
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1
{mso-list-id:196820616;
mso-list-template-ids:747006058;}
@list l1:level1
{mso-level-start-at:2;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2
{mso-list-id:297534234;
mso-list-template-ids:1551282506;}
@list l2:level1
{mso-level-start-at:6;
mso-level-number-format:alpha-lower;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level3
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level4
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level6
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level7
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level9
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3
{mso-list-id:577517816;
mso-list-template-ids:1774989868;}
@list l3:level1
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level3
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level4
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level6
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level7
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level9
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4
{mso-list-id:1580753763;
mso-list-template-ids:260350484;}
@list l4:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5
{mso-list-id:2047176680;
mso-list-template-ids:-791507742;}
@list l5:level1
{mso-level-start-at:3;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Sorry, typo – Trend Micro has NO outstanding 1024 bit certs…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org]
<b>On Behalf Of </b>kirk_hall@trendmicro.com<br>
<b>Sent:</b> Monday, June 24, 2013 5:36 PM<br>
<b>To:</b> Kathleen Wilson; public@cabforum.org<br>
<b>Subject:</b> Re: [cabfpub] To revoke or not to revoke 1024<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext">Kathleen – on your code signing cert comments – Trend Micro isn’t issuing them now, and has now outstanding 1024 bit certs -- but I think Rick made the point
in the past that a lot of good code has been signed with 1024 bit code signing certs in prior years, and I think everyone has to keep those signing certs valid past 2013
<u>in order to allow ongoing revocation checking in 2014 and beyond</u> – if the old code signing certs are revoked, won’t that render the underlying code signed by the certs invalid (even though there is nothing wrong with the code)?</span><span style="color:windowtext"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext"> </span><span style="color:windowtext"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext">Wouldn’t it make more sense to say that 1024 bit code signing certs may not be USED to sign NEW code after 12/31/2013, but will not be revoked (i.e., will
be allowed to expire according to their expiration date) in order that revocation checking may continue after 2013? I’m not sure how you make sure the holder of a code signing cert does not use to sign new code after 2013 – maybe the browsers check signed
code for the issue date for code signing certs used to sign code after 2013, and throw up a warning if the cert was used to sign new code after 2013?</span><span style="color:windowtext"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext">We still favor allowing 1024 bit certs issued before the BR effective date for non-web page legacy devices to be allowed to expire UNLESS an actual security
threat is shown (in which case all CAs with outstanding certs of this type proceed to speedy revocation) – obviously, CAs would need to notify their customers this year (as early as possible) of the possibility of sudden revocation in 2014, and urge transition
to 2048 bit certs as quickly as possible.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org]
<b>On Behalf Of </b>Kathleen Wilson<br>
<b>Sent:</b> Monday, June 24, 2013 3:32 PM<br>
<b>To:</b> public@cabforum.org<br>
<b>Subject:</b> Re: [cabfpub] To revoke or not to revoke 1024<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Rick,<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Calibri","sans-serif"">Please comment, especially browser vendors.</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
Mozilla's wiki page about this (<a href="https://wiki.mozilla.org/CA:MD5and1024">https://wiki.mozilla.org/CA:MD5and1024</a>) was created in April 2010, and email about it was also sent to CAs (<a href="https://wiki.mozilla.org/CA:Communications#October_11.2C_2010">https://wiki.mozilla.org/CA:Communications#October_11.2C_2010</a>)<br>
<br>
The wiki page allows for use of 1024-bit certs when needed for interoperability reasons:<br>
"- This means that CAs should only consider issuing a 1024-bit certificate if it is requested and justified by the subscriber for a specific reason, such as interoperability with devices that do not yet support certificates with larger key sizes.
<br>
- The CA must assess the risk involved in issuing such a certificate for legacy use/interoperability, and determine if they are willing to accept the risk, as well as any possible liability. The subject and relying parties also need to determine if they will
accept any risks and liabilities."<br>
<br>
The wiki page also makes it clear that CAs should not expect continued support of 1024-bit certs in Mozilla products:<br>
"Under no circumstances should any party expect continued support for RSA key size smaller than 2048 bits past December 31, 2013."<br>
<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Calibri","sans-serif"">Do CAs need to revoke 1024-bit end-entity certs by the end of 2013?</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
I think that depends on the type of cert and when it expires.<br>
<br>
I am fine with S/MIME certs being transitioned whenever they expire, even if it is a couple of years out. Though, I won't guarantee support of those certs in Mozilla products.<br>
<br>
I would like to see the transition from 1024-bit SSL and code signing certs happen soon. However, it really doesn't matter to me what the exact date is, as long as the transition is completed before it becomes an emergency.<br>
<br>
Also on the wiki page: "December 31, 2013 – Mozilla will disable the SSL and Code Signing trust bits for root certificates with RSA key sizes smaller than 2048 bits. If those root certificates are no longer needed for S/MIME, then Mozilla will remove them from
NSS."<br>
<br>
In hindsight, I should have said "after December 31...". My goal is Q1 2014, and I am working on this in Mozilla Bugzilla #881553.<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Calibri","sans-serif"">Since the BRs effectively cover only certs issued after “the effective date”, does that mean that certs issued before “the effective date” don’t need to be revoked?</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
That was my interpretation of the BRs, but Mozilla's communication about phasing out 1024-bit certs started in 2010. In 2010 I also exchanged direct email with representatives of the CAs that had 1024-bit root certs included in Mozilla products at that time,
so all impacted CAs were well aware of Mozilla's requirements.<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Calibri","sans-serif"">What about code signing certs?</span><o:p></o:p></p>
<p class="MsoNormal"><br>
What I said above applies to both SSL and code signing certs.<br>
<br>
<br>
Kathleen<br>
<br>
<br>
<br>
On 6/23/13 12:32 PM, Rick Andrews wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Calibri","sans-serif"">We discussed this a bit in our face-to-face meeting in Munich, but did not reach consensus. I’d like to continue the conversation with all via the list.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Calibri","sans-serif"">Putting aside the question of “web pki” vs. “non-web pki”, Symantec and other CAs would like to see if we can achieve consensus on these questions:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<ol start="1" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4 level1 lfo1">
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif"">Do CAs need to revoke 1024-bit end-entity certs by the end of 2013?<o:p></o:p></span></li></ol>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in;text-indent:-.25in;mso-list:l3 level1 lfo2">
<![if !supportLists]><span style="font-size:10.0pt;font-family:"Calibri","sans-serif""><span style="mso-list:Ignore">a.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:10.0pt;font-family:"Calibri","sans-serif"">I believe that some CAs believed that revoking such certs was mandatory. However, I see no hard evidence of that.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in;text-indent:-.25in;mso-list:l3 level1 lfo2">
<![if !supportLists]><span style="font-size:10.0pt;font-family:"Calibri","sans-serif""><span style="mso-list:Ignore">b.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:10.0pt;font-family:"Calibri","sans-serif"">The BRs say that 1024-bit can be issued as long as the end date is before December 31, 2013. Others have said that a CA that was compliant with the BRs would not
have issued a 1024-bit end entity cert after the effective date if its end date was 2014 or later. However, we’ve seen that not all CAs became compliant on July 1, 2012. Given what we now know about audits and effective dates, it seems to me that there is
a lot of uncertainty here. <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in;text-indent:-.25in;mso-list:l3 level1 lfo2">
<![if !supportLists]><span style="font-size:10.0pt;font-family:"Calibri","sans-serif""><span style="mso-list:Ignore">c.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:10.0pt;font-family:"Calibri","sans-serif"">Apart from the BRs, CAs have to consider browser policy which may go above and beyond the BRs. In a private conversation with Tom Albertson of Microsoft, he told
me that “Our policy doesn't contemplate CAs revoking EE certs issued before 1 Jan 2014, unless or until an RSA factoring attack is imminent, and we all go into response mode.” Mozilla’s policy seems to be similar – it says that such certs must expire by January
1, 2014, but it does not mandate that CAs revoke any such certs that would live beyond that date.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in;text-indent:-.25in;mso-list:l3 level1 lfo2">
<![if !supportLists]><span style="font-size:10.0pt;font-family:"Calibri","sans-serif""><span style="mso-list:Ignore">d.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:10.0pt;font-family:"Calibri","sans-serif"">If there is no clear direction here, I propose that CAs simply let all 1024-bit end entity certs expire naturally, as long as the CA has stopped issuing 1024-bit
end entity certs, and made an honest effort to comply with the BRs (hard to define, but at the very least would mean that the CA wasn’t still issuing multi-year 1024-bit certs in 2013).<o:p></o:p></span></p>
<ol start="2" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo3">
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif"">Since the BRs effectively cover only certs issued after “the effective date”, does that mean that certs issued before “the effective date” don’t need to be revoked?<o:p></o:p></span></li></ol>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in;text-indent:-.25in;mso-list:l0 level1 lfo4">
<![if !supportLists]><span style="font-size:10.0pt;font-family:"Calibri","sans-serif""><span style="mso-list:Ignore">e.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:10.0pt;font-family:"Calibri","sans-serif"">That is my interpretation. Given what I said in 1) above, even those certs issued after the effective date don’t need to be revoked, unless some browser’s policy
mandates that action.<o:p></o:p></span></p>
<ol start="3" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l5 level1 lfo5">
<span style="font-size:10.0pt;font-family:"Calibri","sans-serif"">What about code signing certs?<o:p></o:p></span></li></ol>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in;text-indent:-.25in;mso-list:l2 level1 lfo6">
<![if !supportLists]><span style="font-size:10.0pt;font-family:"Calibri","sans-serif""><span style="mso-list:Ignore">f.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:10.0pt;font-family:"Calibri","sans-serif"">The BRs don’t cover non-EV code signing certs, so again this goes back to browser policy. And unless some browser comes forth with unambiguous policy on code signing
certs, I would suggest they are also off the table (do not need to be revoked).<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Calibri","sans-serif"">Please comment, especially browser vendors. Thanks,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Calibri","sans-serif"">-Rick<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Public mailing list<o:p></o:p></pre>
<pre><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><o:p></o:p></pre>
<pre><a href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
<table class="MsoNormalTable" border="0" cellpadding="0">
<tbody>
<tr>
<td style="background:white;padding:.75pt .75pt .75pt .75pt">
<table class="MsoNormalTable" border="0" cellpadding="0">
<tbody>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt">
<pre><o:p> </o:p></pre>
<pre>TREND MICRO EMAIL NOTICE<o:p></o:p></pre>
<pre>The information contained in this email and any attachments is confidential <o:p></o:p></pre>
<pre>and may be subject to copyright or other intellectual property protection. <o:p></o:p></pre>
<pre>If you are not the intended recipient, you are not authorized to use or <o:p></o:p></pre>
<pre>disclose this information, and we request that you notify us by reply mail or<o:p></o:p></pre>
<pre>telephone and delete the original message from your mail system.<o:p></o:p></pre>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
</div>
</body>
</html>
<table><tr><td bgcolor=#ffffff><font color=#000000><pre><table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></table></pre></font></td></tr></table>