<p dir="ltr">Because, as explained in the prior email, a CA that chose to not use nocheck, as you advocate, would be creating clear performance issues for browsers and, in many subtle ways, could create misconfigurations that would prevent revocation checking from working.</p>
<p dir="ltr">As such, the Forum has chosen to remove the flexibility of allowing CAs to choose between the options, since nocheck can have equivalent security, and without the performance and correctness risks.</p>
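<p dir="ltr">Added example, not part of the original e-mail or of any CA's or the Forum's code: a Go check of a delegated OCSP responder certificate against the 13.2.5 text quoted further down the thread (issued by the same CA, carries id-pkix-ocsp-nocheck with a NULL value). The function names, the constructed test certificates and the id-kp-OCSPSigning check (taken from RFC 2560, not from the quoted requirement) are assumptions of this example.</p>

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-pkix-ocsp-nocheck as defined by RFC 2560 (1.3.6.1.5.5.7.48.1.5).
var oidOCSPNoCheck = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5}

// DER encoding of ASN.1 NULL, the only value the RFC allows for the extension.
var derNull = []byte{0x05, 0x00}

// LintDelegatedResponder (hypothetical name) returns the problems found in a
// delegated responder certificate; an empty result means none were found.
func LintDelegatedResponder(responder, issuingCA *x509.Certificate) []string {
	var findings []string
	if err := responder.CheckSignatureFrom(issuingCA); err != nil {
		findings = append(findings, "not signed by the CA whose certificates it answers for")
	}
	hasEKU := false
	for _, eku := range responder.ExtKeyUsage {
		hasEKU = hasEKU || eku == x509.ExtKeyUsageOCSPSigning
	}
	if !hasEKU {
		findings = append(findings, "missing id-kp-OCSPSigning extended key usage")
	}
	found := false
	for _, ext := range responder.Extensions {
		if !ext.Id.Equal(oidOCSPNoCheck) {
			continue
		}
		found = true
		if !bytes.Equal(ext.Value, derNull) {
			findings = append(findings, "id-pkix-ocsp-nocheck value is not NULL")
		}
		if ext.Critical {
			findings = append(findings, "id-pkix-ocsp-nocheck is critical (RFC: SHOULD be non-critical)")
		}
	}
	if !found {
		findings = append(findings, "missing id-pkix-ocsp-nocheck: clients must fetch revocation status for the responder itself")
	}
	return findings
}

// newCert issues a constructed test certificate; a nil parent means self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildSamples creates a constructed CA and two delegated responders issued by
// it: one carrying id-pkix-ocsp-nocheck and one without it.
func BuildSamples() (ca, withNoCheck, withoutNoCheck *x509.Certificate, err error) {
	now := time.Now()
	ca, caKey, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	if err != nil {
		return
	}
	responder := func(serial int64, exts []pkix.Extension) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "Example OCSP Responder"},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage:        x509.KeyUsageDigitalSignature,
			ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning},
			ExtraExtensions: exts,
		}
	}
	noCheck := []pkix.Extension{{Id: oidOCSPNoCheck, Value: derNull}}
	if withNoCheck, _, err = newCert(responder(2, noCheck), ca, caKey); err != nil {
		return
	}
	withoutNoCheck, _, err = newCert(responder(3, nil), ca, caKey)
	return
}

func main() {
	ca, with, without, err := BuildSamples()
	if err != nil {
		panic(err)
	}
	fmt.Println("with nocheck:   ", LintDelegatedResponder(with, ca))
	fmt.Println("without nocheck:", LintDelegatedResponder(without, ca))
}
```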
<div class="gmail_quote">On Oct 28, 2014 2:41 AM, "Thomas Kopp" <<a href="mailto:thomas.kopp@luxtrust.lu">thomas.kopp@luxtrust.lu</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">





<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Dear Ryan,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Thanks for your explanation.
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">However, we do understand why does CAB Forum imposes the “nocheck” for an authorized responder approach instead of leaving it at the CA’s discretion, as to
 whether they prefer covering OCSP responder certificates by a CRL or not?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin-right:14.05pt;margin-bottom:0cm;margin-left:0cm;margin-bottom:.0001pt;text-autospace:none">
<span lang="DE-LU" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1f497d">Bescht Gréiss, meilleures salutations, mit freundlichen Grüßen, with best regards,<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-right:14.05pt;margin-bottom:0cm;margin-left:0cm;margin-bottom:.0001pt;text-autospace:none">
<b><span lang="DE-LU" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#c00000"><u></u> <u></u></span></b></p>
<p class="MsoNormal" style="margin-right:14.05pt;margin-bottom:0cm;margin-left:0cm;margin-bottom:.0001pt;text-autospace:none">
<b><span lang="DE-LU" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#c00000">Thomas KOPP
<u></u><u></u></span></b></p>
<p class="MsoNormal" style="margin-right:14.05pt;margin-bottom:0cm;margin-left:0cm;margin-bottom:.0001pt;text-autospace:none">
<span lang="DE-LU" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1f497d">Head
</span><span lang="EN-GB" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1f497d">of Information Technologies</span><span lang="EN-GB" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#c00000">P:<span style="letter-spacing:-.65pt">
</span></span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1f497d"><a href="tel:%2B352%C2%A026%2068%2015-574" value="+352266815574" target="_blank">+352 26 68 15-574</a></span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1f497d"> -
</span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#c00000">M:
</span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1f497d">+352<span style="letter-spacing:-.05pt"> </span>621 229 316</span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1f497d"> -
</span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#c00000">F:</span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1f497d;letter-spacing:-.75pt">
</span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1f497d"><a href="tel:%2B352%C2%A026%2068%2015-789" value="+352266815789" target="_blank">+352 26 68 15-789</a></span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1f497d"> –
</span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#c00000">E:</span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1f497d">
</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><a href="mailto:thomas.kopp@luxtrust.lu" target="_blank"><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif"">thomas.kopp@luxtrust.lu</span></a></span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="DE" style="font-size:9.0pt;font-family:"Arial","sans-serif";color:#bfbfbf"><br>
</span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#a6a6a6">LuxTrust S.A</span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#bfbfbf">.</span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#c00000">
 | </span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#bfbfbf"> </span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#a6a6a6">IVY<span style="letter-spacing:.15pt">
</span></span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#a6a6a6">Building</span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:black">
</span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#c00000">|
</span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#a6a6a6">13-15,<span style="letter-spacing:-.15pt">
</span></span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#a6a6a6;letter-spacing:-.05pt">P</span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#a6a6a6">a<span style="letter-spacing:-.25pt">r</span>c<span style="letter-spacing:-.15pt">
</span>d’activités</span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#bfbfbf">
</span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#c00000">|</span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:black">
</span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#a6a6a6">L-8308<span style="letter-spacing:-.45pt">
</span>Capel<span style="letter-spacing:-.2pt">l</span>en</span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#bfbfbf">
</span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#c00000">|</span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:black">
</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><a href="http://www.luxtrust.lu/" target="_blank"><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#a6a6a6;text-decoration:none">ww<span style="letter-spacing:-.4pt">w</span>.luxtru<span style="letter-spacing:-.05pt">s</span>t.lu</span></a></span><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#a6a6a6"><u></u><u></u></span></p>
<div style="border:none;border-bottom:solid windowtext 1.0pt;padding:0cm 0cm 1.0pt 0cm">
<p class="MsoNormal" style="text-autospace:none;border:none;padding:0cm"><span lang="DE" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:black"><u></u> <u></u></span></p>
</div>
<p class="MsoNormal"><span lang="DE" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#a6a6a6"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:6.0pt;font-family:"Arial","sans-serif";color:#a6a6a6">The information in this e-mail and any attachment is confidential and for use by the addressee only. Access to this e-mail
 by anyone else is not authorized. If you are not the intended recipient, please inform the sender and erase all copies of it from your system. Internet communications are by default not secure. LuxTrust S.A. cannot guarantee the integrity and origin of e-mails
 unless they have been properly digitally signed. Confidentiality of e-mails can only be guaranteed if they are encrypted properly using a secure digital certificate.LuxTrust S.A. takes precautions to ensure that e-mails are scanned for viruses but cannot accept
 liability for any damage sustained as a result of software viruses.<u></u><u></u></span></p>
<p class="MsoNormal"><a href="https://www.luxtrust.lu/" target="_blank"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d;text-decoration:none"><img border="0" width="414" height="126" src="cid:image001.jpg@01CFF29B.54E748D0" alt="Email_banner_CSS_like"></span></a><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Ryan Sleevi [mailto:<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>]
<br>
<b>Sent:</b> Dënschdeg 28 Oktober 2014 10:21<br>
<b>To:</b> Thomas Kopp<br>
<b>Cc:</b> <a href="mailto:questions@cabforum.org" target="_blank">questions@cabforum.org</a>; CABFPub; </span><span style="font-size:10.0pt;font-family:"MS UI Gothic","sans-serif"">王文正</span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">; Rick Andrews<br>
<b>Subject:</b> Re: [cabfquest] Question concerning CAB Forum OCSP Requirments<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p>Thomas,<u></u><u></u></p>
<p>As has been explained by several CAs, it is not a misinterpretation, because there is not an intrinsic security issue. Yes, the pkix-nocheck prevents the responder from being revoked, but as has already been discussed at length, that is trivially mitigated.<u></u><u></u></p>
<p>More importantly is the obvious performance AND correctness of a client that encounters a responder WITHOUT such an extension. For performance, if the responder certificate also has to be checked for revocation, either it uses a different delegated responder
 (needlessly wasteful of data), it uses the original issuing CA's cert (defeating the purpose and security benefits of a delegated responder), or it requires the client fetch the issuer's CRL, which defeats the point of using OCSP to begin with (performance
 over large CRLs).<u></u><u></u></p>
<p>Now, even if you don't value performance (which the browsers and the Forum do and did when crafting these requirements), you could equally argue from the point of view of correctness. At both the time of the original requirement being written and today,
 there are still several notable libraries that, if encountering misconfigured OCSP - an all too common problem with CAs, and for which auditors are either ignoring or not examining - then revocation checking can be silently disabled even when requested. Systems
 that don't use nocheck - that is, enterprise systems, since BR-compliant CAs MUST use it - all too commonly create cycles in their revocation paths that prevent clients from validating the response.<u></u><u></u></p>
<p>It is a mischaracterization to suggest that nocheck is inherently insecure - it merely trades one basis of security (CRLs for responders, which an attacker can replay for a prolonged window) for a different, equivalent one (certificate validity, offering
 an equivalent window as a CRL).<u></u><u></u></p>
<p>Hopefully this restatement of what has been said helps shed light on the clear performance and correctness wins from nocheck, as well as helps explain why requiring it is not, as suggested, a fundamental security issue.<u></u><u></u></p>
<div>
<p class="MsoNormal">On Oct 28, 2014 2:06 AM, "Thomas Kopp" <<a href="mailto:thomas.kopp@luxtrust.lu" target="_blank">thomas.kopp@luxtrust.lu</a>> wrote:<u></u><u></u></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Dear Rick,</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">This was not my point. My question was referring to the CAB Forum requirements, which stipulate …</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal" style="text-autospace:none">
<b><span style="font-size:13.0pt;font-family:"Cambria-Bold","serif"">13.2.5 OCSP Signing</span></b><u></u><u></u></p>
<p class="MsoNormal" style="text-autospace:none">
<span style="font-size:10.0pt;font-family:TimesNewRomanPSMT">OCSP responses MUST conform to RFC2560 and/or RFC5019. OCSP responses MUST either:</span><u></u><u></u></p>
<p class="MsoNormal" style="text-autospace:none">
<span style="font-size:10.0pt;font-family:TimesNewRomanPSMT">1. Be signed by the CA that issued the Certificates whose revocation status is being checked, or</span><u></u><u></u></p>
<p class="MsoNormal" style="text-autospace:none">
<span style="font-size:10.0pt;font-family:TimesNewRomanPSMT">2. Be signed by an OCSP Responder whose Certificate is signed by the CA that issued the Certificate whose</span><u></u><u></u></p>
<p class="MsoNormal" style="text-autospace:none">
<span style="font-size:10.0pt;font-family:TimesNewRomanPSMT">revocation status is being checked.</span><u></u><u></u></p>
<p class="MsoNormal" style="text-autospace:none">
<span style="font-size:10.0pt;font-family:TimesNewRomanPSMT;background:yellow">In the latter case, the OCSP signing Certificate MUST contain an extension of type id-pkix-ocsp-nocheck, as</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:TimesNewRomanPSMT;background:yellow">defined by RFC2560.</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">
</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Unfortunately, I’m still waiting for a reasonable clarification and a valuable motivation to justify
 the security issue resulting from the above requirement that obviously over- and misinterprets the respective RFC.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I highlight that status checking of our PKI infrastructure perfectly works for ALL certificates in
 a chain up to the self-signed root and in particular for the OCSP responder certificate. Furthermore, we do not need the
</span><span style="font-size:10.0pt;font-family:TimesNewRomanPSMT;background:yellow">id-pkix-ocsp-nocheck</span><span style="font-size:10.0pt;font-family:TimesNewRomanPSMT">
</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">extension, although we use an authorized responder. As a consequence, we do not understand why CAB Forum imposes to use approaches which are technically not necessary and
 which additionally lower security.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
<div>
<p class="MsoNormal" style="margin-right:14.05pt;text-autospace:none">
<span lang="DE-LU" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1f497d">Bescht Gréiss, meilleures salutations, mit freundlichen Grüßen, with best regards,</span><u></u><u></u></p>
<p class="MsoNormal" style="margin-right:14.05pt;text-autospace:none">
<b><span lang="DE-LU" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#c00000"> </span></b><u></u><u></u></p>
<p class="MsoNormal" style="margin-right:14.05pt;text-autospace:none">
<b><span lang="EN-GB" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#c00000">Thomas KOPP
</span></b><u></u><u></u></p>
<p class="MsoNormal" style="margin-right:14.05pt;text-autospace:none">
<span lang="EN-GB" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1f497d">Head of Information Technologies</span><u></u><u></u></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Rick Andrews [mailto:<a href="mailto:Rick_Andrews@symantec.com" target="_blank">Rick_Andrews@symantec.com</a>]
<br>
<b>Sent:</b> Méindeg 27 Oktober 2014 21:51<br>
<b>To:</b> Thomas Kopp; </span><span style="font-size:10.0pt;font-family:"MS UI Gothic","sans-serif"">王文正</span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">;
<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>; <a href="mailto:questions@cabforum.org" target="_blank">
questions@cabforum.org</a><br>
<b>Subject:</b> RE: [cabfquest] Question concerning CAB Forum OCSP Requirments</span><u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Thomas,</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">The paragraph you quoted:</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">A CA may specify that an OCSP client can trust a responder for the</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">     lifetime of the responder's certificate.  The CA does so by</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">     including the extension id-pkix-ocsp-nocheck.  This SHOULD be a</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">     non-critical extension.  The value of the extension SHALL be NULL.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">     CAs issuing such a certificate should realize that a compromise of</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">     the responder's key is as serious as the compromise of a CA key</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">     used to sign CRLs, at least for the validity period of this</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">     certificate….</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">does not *<b>require</b>* the CA to use id-pkix-ocsp-nocheck. It starts with “A CA *<b>may</b>* specify…”
 You don’t have to use it.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">-Rick</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-left:36.0pt">
<b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:questions-bounces@cabforum.org" target="_blank">questions-bounces@cabforum.org</a> [<a href="mailto:questions-bounces@cabforum.org" target="_blank">mailto:questions-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Thomas Kopp<br>
<b>Sent:</b> Monday, October 27, 2014 8:12 AM<br>
<b>To:</b> </span><span style="font-size:10.0pt;font-family:"MS UI Gothic","sans-serif"">王文正</span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">;
<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>; <a href="mailto:questions@cabforum.org" target="_blank">
questions@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfquest] Question concerning CAB Forum OCSP Requirments</span><u></u><u></u></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:36.0pt">
 <u></u><u></u></p>
<p class="MsoNormal" style="margin-left:36.0pt">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Dear Wen-Cheng,</span><u></u><u></u></p>
<p class="MsoNormal" style="margin-left:36.0pt">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal" style="margin-left:36.0pt">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">We have well understood the wording of the RFC. However, our goal is to completely avoid issuing responder certificates containing the id-pkix-ocsp-nocheck extension because even
 with a short lifetime of a responder certificate we consider such an approach as an unnecessary lowering of security.
</span><u></u><u></u></p>
<p class="MsoNormal" style="margin-left:36.0pt">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal" style="margin-left:36.0pt">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">In addition, I’m not sure whether you are aware what issuance of OCSP responder certificates within hours means in practice. Such a rule seems a bit far away from reality because
 it requires key ceremonies charging a couple responsible people for several hours.</span><u></u><u></u></p>
<p class="MsoNormal" style="margin-left:36.0pt">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
<p class="MsoNormal" style="margin-left:36.0pt">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Finally, our question concerning the motivation behind the requirement has not been answered yet.</span><u></u><u></u></p>
<p class="MsoNormal" style="margin-left:36.0pt">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
<div>
<p class="MsoNormal" style="margin-right:14.05pt;margin-left:36.0pt;text-autospace:none">
<span lang="DE-LU" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1f497d">Bescht Gréiss, meilleures salutations, mit freundlichen Grüßen, with best regards,</span><u></u><u></u></p>
<p class="MsoNormal" style="margin-right:14.05pt;margin-left:36.0pt;text-autospace:none">
<b><span lang="DE-LU" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#c00000"> </span></b><u></u><u></u></p>
<p class="MsoNormal" style="margin-right:14.05pt;margin-left:36.0pt;text-autospace:none">
<b><span lang="EN-GB" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#c00000">Thomas KOPP
</span></b><u></u><u></u></p>
<p class="MsoNormal" style="margin-right:14.05pt;margin-left:36.0pt;text-autospace:none">
<span lang="EN-GB" style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#1f497d">Head of Information Technologies</span><u></u><u></u></p>
</div>
<p class="MsoNormal" style="margin-left:36.0pt">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-left:36.0pt">
<b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
</span><span style="font-size:10.0pt;font-family:"MS UI Gothic","sans-serif"">王文正</span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> [<a href="mailto:wcwang@cht.com.tw" target="_blank">mailto:wcwang@cht.com.tw</a>]
<br>
<b>Sent:</b> Monday, 27 October 2014 15:49<br>
<b>To:</b> Thomas Kopp; <a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>;
<a href="mailto:questions@cabforum.org" target="_blank">questions@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfquest] Question concerning CAB Forum OCSP Requirments</span><u></u><u></u></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:36.0pt">
 <u></u><u></u></p>
<div>
<p class="MsoNormal" style="margin-left:36.0pt">
Thomas,<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt">
 <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt">
The CAB forum does not impose any high risk on trust service providers or relying parties. You misquote the text, please read the full paragraph in the RFC.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt">
 <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt">
The intention of the text you highlighted in yellow color is to remind CAs that it is dangerous if the lifetime of a 'nocheck' OCSP responder's certificate is too long. That is why the subsequent text says "CAs may choose to issue this type of certificate
 with a very short lifetime and renew it frequently."<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt">
 <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt">
The RFC intends to tell CAs that it will be safe if they keep the lifetime of a 'nocheck' OCSP responder's certificate very short. In a typical implementation, the lifetime might range from several hours to several days.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt">
 <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:36.0pt">
Wen-Cheng Wang<u></u><u></u></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt;margin-left:36.0pt">
<br>
<br>
<br>
-------- Original message --------<br>
From: Thomas Kopp <<a href="mailto:thomas.kopp@luxtrust.lu" target="_blank">thomas.kopp@luxtrust.lu</a>>
<br>
Date: <br>
To: <a href="mailto:public@cabforum.org,questions@cabforum.org" target="_blank">
public@cabforum.org,questions@cabforum.org</a> <br>
Subject: [cabfquest] Question concerning CAB Forum OCSP Requirments
<u></u><u></u></p>
<div>
<p class="MsoNormal" style="margin-left:36.0pt">
Dear all,<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:36.0pt">
 <u></u><u></u></p>
<p class="MsoNormal" style="margin-left:36.0pt">
Can you please clarify the subsequent point?<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:36.0pt">
 <u></u><u></u></p>
<p class="MsoNormal" style="margin-left:36.0pt">
In the CAB baseline requirements <a href="https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1_1_9.pdf" target="_blank">
https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1_1_9.pdf</a> section 13.2.5 imposes the id-pkix-ocsp-nocheck extension in the case of an authorized responder scenario.<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:36.0pt">
 <u></u><u></u></p>
<p class="MsoNormal" style="margin-left:36.0pt">
By contrast, RFC 2560 and the successor RFC 6960 stipulate (cf. section 4.2.2.2.1):<u></u><u></u></p>
<pre style="margin-left:36.0pt">A CA may specify that an OCSP client can trust a responder for the
     lifetime of the responder's certificate.  The CA does so by
     including the extension id-pkix-ocsp-nocheck.  This SHOULD be a
     non-critical extension.  The value of the extension SHALL be NULL.
     <span style="background:yellow">CAs issuing such a certificate should realize that a compromise of
     the responder's key is as serious as the compromise of a CA key
     used to sign CRLs, at least for the validity period of this
     certificate</span>….</pre>
<p class="MsoNormal" style="margin-left:36.0pt">
 <u></u><u></u></p>
<p class="MsoNormal" style="margin-left:36.0pt">
How can CAB Forum impose such a requirement, which imposes such a high security risk on trust service providers?<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:36.0pt">
 <u></u><u></u></p>
<p class="MsoNormal" style="margin-left:36.0pt">
Please provide us a reasonable explanation for this particular requirement. Please note that we would not want to hear any technical reasoning like possible “self-looping” during OCSP responder certificate status checking, because such issues can perfectly
 be addressed without having to lower security.<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:36.0pt">
 <u></u><u></u></p>
<p class="MsoNormal" style="margin-right:14.05pt;margin-left:36.0pt;text-autospace:none">
<span lang="DE-LU" style="font-size:8.0pt;font-family:"Arial","sans-serif"">Bescht Gréiss, meilleures salutations, mit freundlichen Grüßen, with best regards,</span><u></u><u></u></p>
<p class="MsoNormal" style="margin-right:14.05pt;margin-left:36.0pt;text-autospace:none">
<b><span lang="DE-LU" style="font-family:"Arial","sans-serif";color:#c00000"> </span></b><u></u><u></u></p>
<p class="MsoNormal" style="margin-right:14.05pt;margin-left:36.0pt;text-autospace:none">
<b><span lang="EN-GB" style="font-family:"Arial","sans-serif";color:#c00000">Thomas KOPP
</span></b><u></u><u></u></p>
<p class="MsoNormal" style="margin-right:14.05pt;margin-left:36.0pt;text-autospace:none">
<span lang="EN-GB" style="font-size:8.0pt;font-family:"Arial","sans-serif"">Head of Information Technologies</span><u></u><u></u></p>
</div>
</div>
</div>
</div>
</div>
</div>

</blockquote></div>
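<p dir="ltr">An added example, not code from this thread or from any participant: a linter a CA could run over a delegated OCSP responder certificate's extensions before issuance, checking the properties the quoted RFC text names (id-pkix-ocsp-nocheck present, value NULL, non-critical) and that the validity period stays short. The function names, the 7-day <code>MAX_LIFETIME</code> and the sample extension bytes are assumptions constructed for illustration.</p>

```python
from datetime import timedelta

OID_OCSP_NOCHECK = bytes.fromhex("2b0601050507300105")  # 1.3.6.1.5.5.7.48.1.5
OID_EXT_KEY_USAGE = bytes.fromhex("551d25")              # 2.5.29.37
OID_KP_OCSP_SIGNING = bytes.fromhex("2b06010505070309")  # 1.3.6.1.5.5.7.3.9
MAX_LIFETIME = timedelta(days=7)  # assumed local policy, not a BR or RFC value

def tlv(tag, body):  # encode one DER TLV; short-form length, sample use only
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_extensions(der):
    """Map extnID -> (critical, extnValue) for a DER Extensions SEQUENCE."""
    _, body, _ = read_tlv(der, 0)
    out, pos = {}, 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid, p = read_tlv(ext, 0)
        tag, val, p = read_tlv(ext, p)
        critical = tag == 0x01 and val != b"\x00"
        if tag == 0x01:  # optional BOOLEAN was present; extnValue follows it
            _, val, _ = read_tlv(ext, p)
        out[oid] = (critical, val)
    return out

def audit_responder(ext_der, not_before, not_after, max_lifetime=MAX_LIFETIME):
    """Return a list of findings for a delegated OCSP responder certificate."""
    exts, findings = parse_extensions(ext_der), []
    eku = exts.get(OID_EXT_KEY_USAGE)
    if eku is None or tlv(0x06, OID_KP_OCSP_SIGNING) not in eku[1]:
        findings.append("missing id-kp-OCSPSigning")
    nocheck = exts.get(OID_OCSP_NOCHECK)
    if nocheck is None:
        return findings + ["missing id-pkix-ocsp-nocheck"]
    critical, value = nocheck
    if value != b"\x05\x00":  # extnValue must wrap a DER NULL
        findings.append("nocheck value is not NULL")
    if critical:
        findings.append("nocheck marked critical")
    if not_after - not_before > max_lifetime:
        findings.append("nocheck lifetime exceeds policy")
    return findings

def sample_extensions(nocheck_value=tlv(0x05, b"")):
    """Constructed Extensions for a responder cert: EKU plus nocheck."""
    eku = tlv(0x30, tlv(0x06, OID_EXT_KEY_USAGE)
              + tlv(0x04, tlv(0x30, tlv(0x06, OID_KP_OCSP_SIGNING))))
    nocheck = tlv(0x30, tlv(0x06, OID_OCSP_NOCHECK) + tlv(0x04, nocheck_value))
    return tlv(0x30, eku + nocheck)
```

<p dir="ltr">Because a nocheck certificate is trusted for its whole validity period, the lifetime finding is the one that bounds how long a compromised responder key stays usable.</p>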