<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:新細明體;
panose-1:2 2 5 0 0 0 0 0 0 0;}
@font-face
{font-family:新細明體;
panose-1:2 2 5 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@新細明體";
panose-1:2 2 5 0 0 0 0 0 0 0;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
pre
{mso-style-priority:99;
mso-style-link:"HTML 預設格式 字元";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"註解方塊文字 字元";
margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
span.HTML
{mso-style-name:"HTML 預設格式 字元";
mso-style-priority:99;
mso-style-link:"HTML 預設格式";
font-family:"Courier New";
color:black;}
span.a
{mso-style-name:"註解方塊文字 字元";
mso-style-priority:99;
mso-style-link:註解方塊文字;
font-family:"Cambria","serif";
color:black;}
span.TextodegloboCar
{mso-style-name:"Texto de globo Car";
mso-style-priority:99;
mso-style-link:"Texto de globo";
font-family:"Tahoma","sans-serif";}
p.Textodeglobo, li.Textodeglobo, div.Textodeglobo
{mso-style-name:"Texto de globo";
mso-style-priority:99;
mso-style-link:"Texto de globo Car";
margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
p.HTMLPreformatted, li.HTMLPreformatted, div.HTMLPreformatted
{mso-style-name:"HTML Preformatted";
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
p.BalloonText, li.BalloonText, div.BalloonText
{mso-style-name:"Balloon Text";
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle28
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle29
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle30
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle31
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle32
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle33
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle34
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle35
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle36
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle37
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=ZH-TW link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='color:#040498'>Dear Dean,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#040498'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#040498'> The OV OID used by Chunghwa Telecom Co., Ltd. is 2.16.886.1.1.100.0.3. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#040498'><o:p> </o:p></span></p><p class=MsoNormal style='text-indent:18.0pt'><span lang=EN-US style='color:#040498'>We will add CA/Browser Forum OV/DV OID to our SHA-2 intermediate CA and SHA-2 End Entity SSL Certificate about December. At present , Chunghwa Telecom Co., Ltd. does not issue DV SSL certificate. <o:p></o:p></span></p><p class=MsoNormal style='text-indent:18.0pt'><span lang=EN-US style='color:#040498'><o:p> </o:p></span></p><p class=MsoNormal style='text-indent:18.0pt'><span lang=EN-US style='color:#040498'>But for our old SHA-1 sub CA and SHA-1 SSL certificates, If we want to add CA/Browser Forum OV/DV OID for the few time, then we need to issue a different serial number but same public key of SHA-1 sub CA certificate with these OV/DV OID. I think it is also suitable for <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#040498'>those sub CAs that did not use CA/Browser Forum OV/DV OID before and they will issue new SSL certificate with CA/Browser Forum OV/DV OID.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#040498'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#040498'>Sincerely Yours,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:#1F497D'> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='text-indent:66.0pt'><span lang=EN-US style='color:blue'> Li-Chun CHEN<o:p></o:p></span></p><p class=MsoNormal style='text-indent:78.0pt'><span lang=EN-US style='color:blue'>Engineer<o:p></o:p></span></p><p class=MsoNormal style='text-indent:78.0pt'><span lang=EN-US style='color:blue'>CISSP, CISA, CISM, PMP,<o:p></o:p></span></p><p class=MsoNormal style='text-indent:78.0pt'><span lang=EN-US style='color:blue'>Government Network Service Dept.<o:p></o:p></span></p><p class=MsoNormal style='text-indent:78.0pt'><span lang=EN-US style='color:blue'>Data <a name="OLE_LINK1">Communication</a> Business Group<o:p></o:p></span></p><p class=MsoNormal style='text-indent:78.0pt'><span lang=EN-US style='color:blue'>Chunghwa Telecom Co. Ltd.<o:p></o:p></span></p><p class=MsoNormal style='text-indent:78.0pt'><span lang=EN-US style='color:blue'><a href="mailto:realsky@cht.com.tw"><span style='text-decoration:none'>realsky@cht.com.tw</span></a><o:p></o:p></span></p><p class=MsoNormal style='text-indent:78.0pt'><span lang=EN-US style='color:blue'>+886-2-2344-4820#4025<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Dean Coclin<br><b>Sent:</b> Tuesday, October 21, 2014 8:46 AM<br><b>To:</b> public@cabforum.org<br><b>Subject:</b> [Caution: Message contains Redirect URL content] Re: [cabfpub] OIDs for DV and OV<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>On last week’s CA/B Forum call, we had an additional discussion on this topic. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>From my understanding, according to RFC 5280, this is OK:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> Root -> Intermediate (with no policy OIDs) -> End-entity (some policy OID)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Or this:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> Root -> Intermediate (with special ‘any policy OID’) -> End-entity (some policy OID)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>But this is not valid:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> Root -> Intermediate (with policy OID A) -> End-entity (with policy OIDs A and B)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The policy OIDs are supposed to “flow down” from intermediate to end-entity. The end-entity shouldn’t contain a policy OID that isn’t in the intermediate, except in the first two special cases above.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Now, we have a list of what some current members are doing here: <a href="https://cabforum.org/object-registry/">https://cabforum.org/object-registry/</a>, which presumable agrees with the above rules (hopefully?). I’d like to add more data to the list so if your CA is not listed, please email me the OIDs you use and I’ll add them.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Returning to the previous discussion, Ryan made a comment that CAs would have to “re-do” their hierarchies to implement these OIDs but presumably he meant if they don’t follow the protocol above, is that right?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks,<br>Dean<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Erwann Abalea<br><b>Sent:</b> Friday, October 10, 2014 12:02 PM<br><b>To:</b> <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> Re: [cabfpub] OIDs for DV and OV<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><div><p class=MsoNormal><span lang=EN-US>I'm a bit late, sorry.<br><br>Le 09/10/2014 20:26, Dean Coclin a écrit :<o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span lang=EN-US>[...]<br></span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>What I fail to understand from this discussion is how anything is “broken” or “non-compliant” if everyone is already doing something as described above?</span><span lang=EN-US><o:p></o:p></span></p></blockquote><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US><br>A browser can't programmatically "tag" a certificate as being OV/DV based on its policyId, because sometimes this policyId is not present in its chain of issuing CAs.<br><br>For example, take the first 3 CABF members as listed on the website, click on their link (modify it to be https if necessary). Those first 3 have an incoherent policyId chain (right of "=>" is the resulting set of acceptable policies):<br> - Actalis:<br> Baltimore Cybertrust Root is limited to anyPolicy => { anyPolicy }<br> Actalis Authentication CA G2 is limited to 1.3.6.1.4.1.6334.1.0 => { 1.3.6.1.4.1.6334.1.0 }<br> portal.actalis.it is 1.3.159.1.4.1 => { empty }<br> - ANF:<br> Baltimore Cybertrust Root is limited to anyPolicy => { anyPolicy }<br> DigiCert High Assurance EV Root CA is limited to 1.3.6.1.4.1.6334.1.0 => { 1.3.6.1.4.1.6334.1.0 }<br> DigiCert High Assurance CA-3 is limited to 2.16.840.1.114412.1.3.0.2 => { empty }<br> anf.es is 2.16.840.1.114412.1.1 => { empty }<br> - AS Sertifitseerimiskeskus:<br> KLASS3-SK 2010 has no CertificatePolicies extension => { empty }<br> <a href="http://www.sk.ee">www.sk.ee</a> is 1.3.6.1.4.1.10015.7.1.2.5 => { empty }<br><br>Based on X.509/RFC5280 validation algorithm, these subscriber certificates can at most be valid but for an empty set of policies. They are RFC5280 compliant, but either invalid or valid for no identified policy.<br><br>I'm not name dropping, just took the first three. Unfortunately, I see this more often when reviewing Mozilla inclusion requests.<br><br><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><br>Thanks,<br>Dean</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> Kelvin Yiu [</span><span lang=EN-US><a href="mailto:kelviny@exchange.microsoft.com"><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>mailto:kelviny@exchange.microsoft.com</span></a></span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>] <br><b>Sent:</b> Thursday, October 09, 2014 11:13 AM<br><b>To:</b> Moudrick M. Dadashov; Ben Wilson; Dean Coclin; </span><span lang=EN-US><a href="mailto:i-barreira@izenpe.net"><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>i-barreira@izenpe.net</span></a></span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>; </span><span lang=EN-US><a href="mailto:sleevi@google.com"><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>sleevi@google.com</span></a></span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>; </span><span lang=EN-US><a href="mailto:public@cabforum.org"><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>public@cabforum.org</span></a></span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'><br><b>Subject:</b> RE: [cabfpub] OIDs for DV and OV</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>AFAIK, the additional OIDs would not be compliant with RFC 5280. </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Kelvin</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext'>From:</span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext'> Moudrick M. Dadashov [</span><span lang=EN-US><a href="mailto:md@ssc.lt"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>mailto:md@ssc.lt</span></a></span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext'>] <br><b>Sent:</b> Tuesday, October 7, 2014 3:17 PM<br><b>To:</b> Kelvin Yiu; Ben Wilson; Dean Coclin; </span><span lang=EN-US><a href="mailto:i-barreira@izenpe.net"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>i-barreira@izenpe.net</span></a></span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext'>; </span><span lang=EN-US><a href="mailto:sleevi@google.com"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>sleevi@google.com</span></a></span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext'>; </span><span lang=EN-US><a href="mailto:public@cabforum.org"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>public@cabforum.org</span></a></span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext'><br><b>Subject:</b> Re: [cabfpub] OIDs for DV and OV</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US>Hi Kelvin,<br><br>On 10/8/2014 12:40 AM, Kelvin Yiu wrote:<o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I don’t have a problem if a CA chooses to use the BR OIDs instead of their own OIDs to identify BR related certificate policies as long as it is consistently used in the certificate chain. My concern is with cases that do not follow RFC 5280. For example, when BR OIDs are added to end entity certificates in addition to CA specific OIDs when the CA certificate explicitly contain only CA specific OIDs. </span><span lang=EN-US><o:p></o:p></span></p></blockquote><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US>I realized this was a real use case where a single CP presents different types of certificates and adding a xV OID makes it just more clear. Are you saying this doesn't follow RFC 5280?<br><br>Thanks,<br>M.D. <br><br><br><o:p></o:p></span></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Kelvin</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> Ben Wilson [</span><span lang=EN-US><a href="mailto:ben.wilson@digicert.com"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>mailto:ben.wilson@digicert.com</span></a></span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>] <br><b>Sent:</b> Tuesday, October 7, 2014 12:56 PM<br><b>To:</b> Kelvin Yiu; Dean Coclin; </span><span lang=EN-US><a href="mailto:i-barreira@izenpe.net"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>i-barreira@izenpe.net</span></a></span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>; </span><span lang=EN-US><a href="mailto:sleevi@google.com"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>sleevi@google.com</span></a></span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>; </span><span lang=EN-US><a href="mailto:public@cabforum.org"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>public@cabforum.org</span></a></span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><br><b>Subject:</b> RE: [cabfpub] OIDs for DV and OV</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I don’t think that the use of a policy OID in a certificate necessarily “ignores” “rules” around policy processing in RFC5280. I don’t think anyone has requested that we require a policy constraints extension. We’re only talking about putting a policy OID in a BR certificate, along with any other policy OIDs the CA cares to insert. The primary purpose of the CP OID is to assert the policy under which the certificate has been issued. It is not to build a path up the chain or constrain processing—those are secondary considerations. I agree about the necessity of putting the CP OID in your CPS and of being audited for compliance with the policy (the BRs and EVGs acknowledge that a point-in-time / readiness audit would be acceptable). </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The BRs is the closest thing to a Certificate Policy that currently exists. It is “”A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements.” Section D.7.1.6 of the PKI Assessment Guidelines states, “The certificate policies extension is intended to convey policy information or references to policy information. Specifically, a PKI can place the object identifier of a certificate policy within the certificate policies extension. The object identifier can enable a relying party to configure its systems to cause its software to look for the OID of an acceptable certificate policy, permit the transaction to continue if the system finds the OID of an acceptable CP in the certificate, and halt the transaction if it does not.” So while it enables functionality, it doesn’t require it, in case that is a browser concern.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> </span><span lang=EN-US><a href="mailto:public-bounces@cabforum.org"><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>public-bounces@cabforum.org</span></a></span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> [</span><span lang=EN-US><a href="mailto:public-bounces@cabforum.org"><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>mailto:public-bounces@cabforum.org</span></a></span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>] <b>On Behalf Of </b>Kelvin Yiu<br><b>Sent:</b> Tuesday, October 7, 2014 1:03 PM<br><b>To:</b> Dean Coclin; </span><span lang=EN-US><a href="mailto:i-barreira@izenpe.net"><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>i-barreira@izenpe.net</span></a></span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>; </span><span lang=EN-US><a href="mailto:sleevi@google.com"><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>sleevi@google.com</span></a></span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>; </span><span lang=EN-US><a href="mailto:public@cabforum.org"><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>public@cabforum.org</span></a></span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><br><b>Subject:</b> Re: [cabfpub] OIDs for DV and OV</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>FWIW, Microsoft provides an API on Windows 7 and later to determine whether a certificate is EV or not, according to Microsoft’s root CA program.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><a href="http://msdn.microsoft.com/en-us/library/windows/desktop/aa377163%28v=vs.85%29.aspx"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>http://msdn.microsoft.com/en-us/library/windows/desktop/aa377163(v=vs.85).aspx</span></a></span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I think it is a bad idea to assert BR OIDs for xV compliance by ignoring the rules around certificate policies processing in RFC 5280. While I understand the desire to have a source of information to identify xV certificates, the value is questionable to me unless the information is also in the CPS and the appropriate audit has taken place. </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Kelvin</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><span lang=EN-US><a href="mailto:public-bounces@cabforum.org"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>public-bounces@cabforum.org</span></a></span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> [</span><span lang=EN-US><a href="mailto:public-bounces@cabforum.org"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>mailto:public-bounces@cabforum.org</span></a></span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>] <b>On Behalf Of </b>Dean Coclin<br><b>Sent:</b> Tuesday, October 7, 2014 9:12 AM<br><b>To:</b> </span><span lang=EN-US><a href="mailto:i-barreira@izenpe.net"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>i-barreira@izenpe.net</span></a></span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>; </span><span lang=EN-US><a href="mailto:sleevi@google.com"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>sleevi@google.com</span></a></span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>; </span><span lang=EN-US><a href="mailto:public@cabforum.org"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>public@cabforum.org</span></a></span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><br><b>Subject:</b> Re: [cabfpub] OIDs for DV and OV</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hi Inigo,</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Yes, I did create such a sheet and I’ve enclosed it here. And I think it proves my point that the current situation exacerbates the problem, making it difficult for one to programmatically determine what type of cert they are encountering. </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Dean</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> </span><span lang=EN-US><a href="mailto:i-barreira@izenpe.net"><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>i-barreira@izenpe.net</span></a></span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> [</span><span lang=EN-US><a href="mailto:i-barreira@izenpe.net"><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>mailto:i-barreira@izenpe.net</span></a></span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>] <br><b>Sent:</b> Tuesday, October 07, 2014 12:44 AM<br><b>To:</b> Dean Coclin; </span><span lang=EN-US><a href="mailto:sleevi@google.com"><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>sleevi@google.com</span></a></span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>; </span><span lang=EN-US><a href="mailto:public@cabforum.org"><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>public@cabforum.org</span></a></span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><br><b>Subject:</b> RE: [cabfpub] OIDs for DV and OV</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Dean, time ago you created an Excel sheet with those CAs that use their own OIDs for DV and OV, similar to what was done with EV. The intention of that list was to also have another “source” of information for considering those certs as DV or OV for the browsers in case they need it.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>BTW, Izenpe uses their own OIDs plus the CABF ones.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='line-height:9.75pt'><b><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif"'>Iñigo Barreira</span></b><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif"'><br>Responsable del Área técnica<br></span><span lang=EN-US><a href="mailto:i-barreira@izenpe.net"><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif"'>i-barreira@izenpe.net</span></a></span><span lang=ES-US><o:p></o:p></span></p><p class=MsoNormal><span lang=ES-TRAD style='font-size:8.5pt;font-family:"Tahoma","sans-serif"'>945067705</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=ES-TRAD style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><img border=0 width=585 height=111 id="_x0000_i1029" src="cid:image001.png@01CFF3A5.D1703960" alt="Descripción: cid:image001.png@01CE3152.B4804EB0"></span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='line-height:9.75pt'><span lang=ES style='font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888;mso-fareast-language:ES-TRAD'>ERNE! Baliteke mezu honen zatiren bat edo mezu osoa legez babestuta egotea. Mezua badu bere hartzailea. Okerreko helbidera heldu bada (helbidea gaizki idatzi, transmisioak huts egin) eman abisu igorleari, korreo honi erantzuna. KONTUZ!</span><span lang=ES style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#888888;mso-fareast-language:ES-TRAD'><br></span><span lang=ES style='font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888;mso-fareast-language:ES-TRAD'>ATENCION! Este mensaje contiene informacion privilegiada o confidencial a la que solo tiene derecho a acceder el destinatario. Si usted lo recibe por error le agradeceriamos que no hiciera uso de la informacion y que se pusiese en contacto con el remitente.</span><span lang=ES-US><o:p></o:p></span></p></div><p class=MsoNormal><span lang=ES style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=ES-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=ES style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>De:</span></b><span lang=ES style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> </span><span lang=EN-US><a href="mailto:public-bounces@cabforum.org"><span lang=ES style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>public-bounces@cabforum.org</span></a></span><span lang=ES style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> [</span><span lang=EN-US><a href="mailto:public-bounces@cabforum.org"><span lang=ES style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>mailto:public-bounces@cabforum.org</span></a></span><span lang=ES style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>] <b>En nombre de </b>Dean Coclin<br><b>Enviado el:</b> lunes, 06 de octubre de 2014 21:17<br><b>Para:</b> Ryan Sleevi; </span><span lang=EN-US><a href="mailto:public@cabforum.org"><span lang=ES style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>public@cabforum.org</span></a></span><span lang=ES style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><br><b>Asunto:</b> Re: [cabfpub] OIDs for DV and OV</span><span lang=ES-US><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=ES> </span><span lang=ES-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>So I get the part that Chrome (and likely other browsers in the CA/B forum) don’t intend to distinguish DV and OV certs in any way. Got that. Not a point of contention. In fact, I knew that when I started this thread. So no need to go down that path anymore. Having different OIDs does not oblige a browser do anything. </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I would have expected more negative commentary from CAs but so far there has been none. And only 1 browser has chimed in.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>However, browsers are not the only application that use SSL certificates. There are others out there and I distinctly recall a conversation about 2-3 years ago where Paypal (a CA/B member) explicitly asked that these OIDs be mandatory. Brad stated that their security group had deemed DV certs to be a security threat to their ecosystem and wanted an easy programmatic way to distinguish them. At the time, there was some pushback (I don’t believe from browsers) and the OIDs ended up being optional. </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>It looks as if some CAs do use OIDs in their DV and OV certs but some don’t use the CA/B Forum OIDs (rather their own). This makes it difficult to apply a uniform decision process. </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Certs conforming to policy and issued correctly are one aspect that some folks are looking for. The type of certificate is another. One that has not been vetted is different from one that has some vetting completed (other security issues being equal). Perhaps that benefit is not tangible to some but it certainly is to others. I can spew some stats on DV cert use and fraud but that will just muddle this thread so I’ll save it for another day. </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Why do browsers care one way or the other if other parties want to make this distinction? The CA/B Forum has defined different baseline standards for these types of certs. Why not make transparency around those standards easy for those that want to draw a distinction?</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Certainly would love to hear from some other interested parties.</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks,</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Dean</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Ryan Sleevi </span><span lang=EN-US><a href="mailto:[mailto:sleevi@google.com]"><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>[mailto:sleevi@google.com]</span></a></span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <br><b>Sent:</b> Thursday, October 02, 2014 8:56 PM<br><b>To:</b> Dean Coclin<br><b>Cc:</b> </span><span lang=EN-US><a href="mailto:public@cabforum.org"><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>public@cabforum.org</span></a></span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><br><b>Subject:</b> Re: [cabfpub] OIDs for DV and OV</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US>On Thu, Oct 2, 2014 at 5:31 PM, Dean Coclin <<a href="mailto:Dean_Coclin@symantec.com" target="_blank">Dean_Coclin@symantec.com</a>> wrote:<o:p></o:p></span></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks for the response and pointers. I’ve read through the threads but still have additional questions/comments. I’ll readily admit that I don’t understand all the commentary in the Mozilla threads so I apologize if these questions sound somewhat naïve. Happy to be educated:</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>You've heard repeatedly from several browsers about an explicit non-goal of distinguishing DV and OV. As the Forum is comprised of CAs and Browsers, do we have any Browsers that wish to make such a distinction? If not, it would be wholly inappropriate for the Forum to require it.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>>>I haven’t heard of any browsers that want to make that distinction (yet). It is my understanding that the Forum BRs do require an OID for EV certs. So why is it “inappropriate” for the Forum to require OIDs for DV/OV?</span><span lang=EN-US><o:p></o:p></span></p></div></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Browsers have agreed to make a distinction between EV and !EV, so have required there be a way to detect that.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Browsers have not agreed that there is a distinction between DV or OV, nor is there a need to detect the difference.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>That the browsers have required (effectively all stores at this point, AFAIK) is that the root program members be BR compliant. So any new certs issued (technically, independent of the notBefore, and we know CAs regularly backdate from time of issuance, but it's a rough heuristic) are, by definition, BR compliant.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>If there are non-browser relying parties interested in such distinctions, the CA can always provide such distinctions themselves.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>>>Can you elaborate on what you mean by this? If there’s another way to accomplish the end result, happy to explore further. But it would have to be uniform among all CAs that issue these certs.</span><span lang=EN-US><o:p></o:p></span></p></div></div></blockquote><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>I don't see why it needs to be uniform.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US><br>The requirement as to what shape it takes is dictated by the relying party applications.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>The browsers, as relying party applications, do not and have not yet cared about the shape of DV and OV, and as per our recent F2F, aren't really keen to either.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>So having the browsers dictate the shape of the solution seems unnecessary, and an issue for these relying party applications (e.g. Netcraft) to work with CAs.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>As someone very keen on programatic checks and detection for misissuance, there's no question that this would NOT meaningfully help address the concerns we see.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>>>I wasn’t suggesting that this addition would in any way help you with your programmatic checks for mis-issuance. Rather, it would make the task for organizations like Netcraft, EFF or others that tabulate statistics on various types of certificates easier to do. Is that not the case?</span><span lang=EN-US><o:p></o:p></span></p></div></div></blockquote><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>Not really. These organizations are interested in the same discussions and distinctions we are - what are the certificates being issued and do they conform to the policies that they're supposed to.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>We've established that there's no 'uniform' definition of what constitutes OV, only that the BR requires certain vetting steps for certain subject fields that are OPTIONAL. CAs have taken these and marketed them as OV, but there's no such distinction as a level, nor a particular profile spelled out in the appendices as to what constitutes a "DV" vs "OV".<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>If that was the only degree of distinction required, it's just as easy as checking the Subject fields for any of the OPTIONAL fields.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>That is, there would need to be an OID _per revision_ of the BRs, to indicate "which" version of the BRs something was complying to. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>>>Fully admit that I don’t understand how this works. But wouldn’t that also be the case for EV (which currently requires this OID)?</span><span lang=EN-US><o:p></o:p></span></p></div></div></blockquote><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>YES! And it's one of the many reasons why EV is somewhat muddled for programatic checks or distinctions. And yet this is also necessary because any change in policy, by definition, necessitates a change in OID to (meaningfully) reflect that. And that constitutes rolling a new hierarchy (and updating browsers' lists of recognized EV OIDs)<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I’m just trying to suggest a way that someone can say: X is a DV cert, Y is an OV cert, Z is an EV cert without a doubt. If OIDs are not the place to do that, is there another mechanism available?<br>I’m sure you are familiar with Ryan Hurst’s blog on how difficult the task currently is.</span><span lang=EN-US><o:p></o:p></span></p></div></div></blockquote><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>I am (you're talking about <a href="http://unmitigatedrisk.com/?p=203">http://unmitigatedrisk.com/?p=203</a> in particular). But I'm also not supportive of encouraging a distinction that we neither recognize nor have plans to recognize, and especially not supportive of mandating such distinctions.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>This is especially true, as these distinctions don't offer any tangible security benefits to the Web, as previously discussed.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US>If we go to the point of mandating anything additional in certificates, which requires a variety of changes in processes, profiles, and CPSes, I want it to have meaningful security value. This change - which, as has been shown by the development of audit standards and then the eventual incorporation of those audit standards into the root programs, and then FINALLY the <b>enforcement</b> of those audit standards of the root programs - would take several years, at BEST, to deploy, and would communicate nothing of actionable value. It's a hard sell.<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><br>Thanks,<br>Dean</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> </span><span lang=EN-US><a href="mailto:public-bounces@cabforum.org" target="_blank"><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>public-bounces@cabforum.org</span></a></span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> [mailto:</span><span lang=EN-US><a href="mailto:public-bounces@cabforum.org" target="_blank"><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>public-bounces@cabforum.org</span></a></span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>] <b>On Behalf Of </b>Ryan Sleevi<br><b>Sent:</b> Thursday, October 02, 2014 3:37 PM<br><b>To:</b> Dean Coclin<br><b>Cc:</b> </span><span lang=EN-US><a href="mailto:public@cabforum.org" target="_blank"><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>public@cabforum.org</span></a></span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><br><b>Subject:</b> Re: [cabfpub] OIDs for DV and OV</span><span lang=EN-US><o:p></o:p></span></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> <o:p></o:p></span></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> <o:p></o:p></span></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> <o:p></o:p></span></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>On Thu, Oct 2, 2014 at 10:33 AM, Dean Coclin <<a href="mailto:Dean_Coclin@symantec.com" target="_blank">Dean_Coclin@symantec.com</a>> wrote:<o:p></o:p></span></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>Further to today’s discussion on our call, I’d like to get more feedback on a proposal to make a unique standardized OID mandatory for DV and OV certificates in the Baseline Requirements. Currently we have a mandatory OID for EV certificates but optional for OV and DV. This makes things difficult for at least two groups of constituents:<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> <o:p></o:p></span></p><p><span lang=EN-US>1.</span><span lang=EN-US style='font-size:7.0pt'> </span><span lang=EN-US>Relying parties that would like to distinguish between these certificates<o:p></o:p></span></p></div></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>You've heard repeatedly from several browsers about an explicit non-goal of distinguishing DV and OV. As the Forum is comprised of CAs and Browsers, do we have have any Browsers that wish to make such a distinction?<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>If not, it would be wholly inappropriate for the Forum to require it. If there are non-browser relying parties interested in such distinctions, the CA can always provide such distinctions themselves.<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> <o:p></o:p></span></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><div><div><p><span lang=EN-US>2.</span><span lang=EN-US style='font-size:7.0pt'> </span><span lang=EN-US>Analysts that report on SSL certificate data who have had to issue revised reports because of cert misclassification<o:p></o:p></span></p></div></div></blockquote><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>As mentioned on the call, this has been discussed with Mozilla in the past - <a href="https://groups.google.com/d/msg/mozilla.dev.security.policy/-mCAK5zfhFQ/hEOQK-ubGRcJ" target="_blank">https://groups.google.com/d/msg/mozilla.dev.security.policy/-mCAK5zfhFQ/hEOQK-ubGRcJ</a><o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>As someone very keen on programatic checks and detection for misissuance, there's no question that this would NOT meaningfully help address the concerns we see.<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>That is, there would need to be an OID _per revision_ of the BRs, to indicate "which" version of the BRs something was complying to. <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>I would hope that <a href="https://groups.google.com/d/msg/mozilla.dev.security.policy/-mCAK5zfhFQ/2tRUS444krwJ" target="_blank">https://groups.google.com/d/msg/mozilla.dev.security.policy/-mCAK5zfhFQ/2tRUS444krwJ</a> would capture some of these concerns more fully.<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>Finally, to do anything meaningful with this in all major clients, it would require that CAs redo their certificate hierarchy, as policy OIDs are inherited. That's a silly thing, especially when CAs are still struggling to migrate from SHA-1 to SHA-256 in their intermediates.<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> <o:p></o:p></span></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>My proposal is for CAs to put in OID X if it’s a DV certificate and OID Y if it’s an OV certificate.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>As Rick reminded me on the call, we currently have something like this for EV certificates (except that CAs are free to use the standard OID or define one of their own).<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>I’d like to hear pros/cons of this. Ryan S indicated that Google would not support such a proposal but we didn’t have time to discuss the reasons.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US>I’m sure there are both technical and policy reasons. Personally I’d like to focus on the latter but remarks on both are welcome. This proposal doesn’t require anyone to do anything with this data (i.e relying parties can choose whether or not to utilize it).<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US><br>Thanks,<br>Dean<o:p></o:p></span></p><p><span lang=EN-US> <o:p></o:p></span></p><p><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> <o:p></o:p></span></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span lang=EN-US><br>_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org" target="_blank">Public@cabforum.org</a><br><a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></span></p></blockquote></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> <o:p></o:p></span></p></div></div></div></div></div></div></blockquote></div><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US><br><br><br><br><o:p></o:p></span></p><pre><span lang=EN-US>_______________________________________________<o:p></o:p></span></pre><pre><span lang=EN-US>Public mailing list<o:p></o:p></span></pre><pre><span lang=EN-US><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><o:p></o:p></span></pre><pre><span lang=EN-US><a href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></span></pre></blockquote><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US><br><br><o:p></o:p></span></p><pre><span lang=EN-US>_______________________________________________<o:p></o:p></span></pre><pre><span lang=EN-US>Public mailing list<o:p></o:p></span></pre><pre><span lang=EN-US><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><o:p></o:p></span></pre><pre><span lang=EN-US><a href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></span></pre><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p></div><B><BR><BR><font size="-1">本信件可能包含中華電信股份有限公司機密資訊,非指定之收件者,請勿蒐集、處理或利用本信件內容,並請銷毀此信件.
如為指定收件者,應確實保護郵件中本公司之營業機密及個人資料,不得任意傳佈或揭露,並應自行確認本郵件之附檔與超連結之安全性,以共同善盡資訊安全與個資保護責任.
<BR>Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.</font></B>
</body></html>