<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hello Dean,<br>
<br>
In your table, at issue 3, the counterpoint has "In addition, many
CAs use an anyPolicy OID or omit policy OIDs in their
intermediate, significantly reducing the number of certificates
requiring reissuance."<br>
<br>
Having "anyPolicy" and omitting policy OIDs are not equivalent;
they have in fact opposite results.<br>
CAs that omit policy OIDs in their intermediate certificates WILL
have to reissue those intermediate certificates.<br>
<br>
<pre class="moz-signature" cols="72">--
Erwann ABALEA
</pre>
On 30/10/2014 15:33, Dean Coclin wrote:<br>
</div>
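<p>Added example (not part of the thread, and not any CA's or browser's code): a Python model of the RFC 5280 section 6.1 policy processing that the point above rests on, run over the three Root -> Intermediate -> End-entity shapes discussed in the quoted messages and over two of the chains listed there. Assumptions: policy mappings, policy constraints and inhibitAnyPolicy are absent; the trust anchor is left out of the path, as section 6.1.1 does; the OIDs <code>1.2.3.4.1</code> and <code>1.2.3.4.2</code> are placeholders for "policy OID A" and "policy OID B"; and the example 2 end-entity is taken to assert both A and B, as in Erwann's reading of it. The model shows why the two cases are opposites: an intermediate with no certificatePolicies sets valid_policy_tree to NULL, so the end-entity's OIDs never become valid, while an intermediate asserting anyPolicy passes them through unchanged.</p>

```python
"""Simplified RFC 5280 section 6.1 certificate-policy processing.

Constructed model (not from the thread): each certificate in the path is
represented only by the contents of its certificatePolicies extension, a set
of OID strings, or None when the extension is absent. Policy mappings, policy
constraints and inhibitAnyPolicy are assumed absent, so the valid_policy_tree
collapses to the set of policies valid at the current depth.
"""
from typing import FrozenSet, Iterable, List, Optional, Set

ANY_POLICY = "2.5.29.32.0"  # anyPolicy, RFC 5280 section 4.2.1.4

Policies = Optional[Set[str]]


def valid_policies(chain: List[Policies],
                   initial_policy_set: Optional[Iterable[str]] = None) -> FrozenSet[str]:
    """Return the set of policy OIDs for which the path is valid.

    chain: certificatePolicies contents from the certificate issued by the
           trust anchor down to the end-entity. The trust anchor is not part
           of the validated path (6.1.1), so its own policies are irrelevant.
    initial_policy_set: user-initial-policy-set; None means {anyPolicy}.
    """
    tree: Set[str] = {ANY_POLICY}           # 6.1.2 (a): root node is anyPolicy
    for policies in chain:
        if not policies:
            tree = set()                    # 6.1.3 (e): tree becomes NULL for good
        elif not tree:
            continue                        # 6.1.3 (d) only runs on a non-NULL tree
        elif ANY_POLICY in tree:
            tree = set(policies)            # (d)(1)(ii)/(d)(2): every asserted OID hangs off anyPolicy
        elif ANY_POLICY in policies:
            tree = set(tree)                # (d)(2): anyPolicy here carries every parent policy through
        else:
            tree = {p for p in policies if p in tree}   # (d)(1)(i): exact matches only
    if initial_policy_set is None:
        return frozenset(tree)              # 6.1.5 (g)(ii): caller accepts any policy
    wanted = set(initial_policy_set)
    if ANY_POLICY in wanted:
        return frozenset(tree)
    if ANY_POLICY in tree:
        return frozenset(wanted)            # (g)(iii): anyPolicy at depth n stands in for each wanted OID
    return frozenset(tree & wanted)         # (g)(iii): prune nodes outside the user set


def acceptable_for(chain: List[Policies], required: Iterable[str]) -> bool:
    """Application-level check: with initial-explicit-policy set, the path is
    acceptable only if at least one required policy survives (6.1.6)."""
    return bool(valid_policies(chain, required))


# Placeholders for "policy OID A" and "policy OID B" from the thread (constructed).
A, B = "1.2.3.4.1", "1.2.3.4.2"
EXAMPLE_1 = [None, {A}]               # Root -> Intermediate (no policy OIDs) -> EE (A)
EXAMPLE_2 = [{ANY_POLICY}, {A, B}]    # Root -> Intermediate (anyPolicy) -> EE (A and B)
EXAMPLE_3 = [{A}, {A, B}]             # Root -> Intermediate (A) -> EE (A and B)

# Two chains from the 10/10 message; the trust anchor is omitted and the
# certificate Erwann lists without certificatePolicies is kept in the path.
ACTALIS = [{"1.3.6.1.4.1.6334.1.0"}, {"1.3.159.1.4.1"}]
SK = [None, {"1.3.6.1.4.1.10015.7.1.2.5"}]

if __name__ == "__main__":
    for name, chain in [("example 1", EXAMPLE_1), ("example 2", EXAMPLE_2),
                        ("example 3", EXAMPLE_3), ("Actalis", ACTALIS), ("SK", SK)]:
        print(f"{name:10} valid for {sorted(valid_policies(chain)) or '{ empty }'}")
    print("require B, example 3:", acceptable_for(EXAMPLE_3, {B}))
```

<p>Run the file to print the resulting policy set per chain. <code>acceptable_for</code> is the application-level test discussed in the thread: given a required policy set, the path passes only when the intersection with the surviving tree is non-empty, so example 1 fails for every requirement, example 3 passes only for A, and a chain whose intermediate carries a different OID than its leaf (the Actalis case) ends with an empty set.</p>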
<blockquote
cite="mid:14D026C7F297AD44AC82578DD818CDD03452EE8B0D@TUS1XCHEVSPIN35.SYMC.SYMANTEC.COM"
type="cite">
<div class="WordSection1">
<p class="MsoNormal">I’d like to circle back and summarize where we are on this topic. There have been a few points and counterpoints made and I think it would be helpful to list them here and determine next steps. It’s best to do this in a table format and I know sometimes tables can get mangled by various email programs so I’ve put it into an attachment (pdf). (If I’ve misrepresented anyone’s points, I apologize and please point out any corrections). We can discuss further on today’s call.</p>
<p class="MsoNormal">The overall goal of the discussion was to get a feeling for making the current optional OIDs for DV and OV mandatory. There’s been a lot of valuable discussion here and I noticed a tangential discussion going on in the Mozilla forum. Although that one is talking more about whether Firefox should show more info on OV certs, some of the points relate to our dialog.</p>
<p class="MsoNormal">If anyone outside of the forum wishes to comment on this discussion, you can submit it to: <a moz-do-not-send="true" href="mailto:questions@cabforum.org">questions@cabforum.org</a></p>
<p class="MsoNormal">Thanks,<br>
Dean</p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> <a moz-do-not-send="true" href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a moz-do-not-send="true" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Erwann Abalea<br>
<b>Sent:</b> Tuesday, October 21, 2014 11:37 AM<br>
<b>To:</b> <a moz-do-not-send="true" href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] OIDs for DV and OV</p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Hello,<br>
<br>
On 21/10/2014 02:45, Dean Coclin wrote:</p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">On last week’s CA/B Forum call, we had an additional discussion on this topic.</p>
<p class="MsoNormal">From my understanding, according to RFC 5280, this is OK:</p>
<p class="MsoNormal">Root -> Intermediate (with no policy OIDs) -> End-entity (some policy OID)</p>
</blockquote>
<p class="MsoNormal"><br>
This isn't OK (see below for what OK means). When working on
intermediate, RFC5280 section 6.1.3 step (e) sets the
valid_policy_tree to NULL, and it stays so indefinitely.<br>
An empty CertificatePolicies extension is invalid by
definition (it's a "SEQUENCE SIZE (1..MAX) OF ..."), but
running the algo described at 6.1.3 with an empty extension
will have the same effect as an absent CertificatePolicies
extension.<br>
<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal">Or this:</p>
<p class="MsoNormal">Root -> Intermediate (with special ‘any policy OID’) -> End-entity (some policy OID)</p>
<p class="MsoNormal"><br>
OK. Completely different result than the first example.<br>
<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal">But this is not valid:</p>
<p class="MsoNormal">Root -> Intermediate (with policy OID A) -> End-entity (with policy OIDs A and B)</p>
<p class="MsoNormal"><br>
This is OK and valid for policy OID A only.<br>
<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal">The policy OIDs are supposed to “flow down” from intermediate to end-entity. The end-entity shouldn’t contain a policy OID that isn’t in the intermediate, except in the first two special cases above.</p>
<p class="MsoNormal"><br>
Validity regarding CP is different than validity regarding
other extensions (such as NameConstraints or
BasicConstraints, for example).<br>
CertificatePolicies: depending on inputs to the validation
algorithm and on extensions found in the path
(PolicyConstraints or PolicyMappings), a certificate can
either be valid for a set of policies (this set can be empty)
or invalid.<br>
NameConstraints: if a name element isn't in the
permittedSubTrees, or is in the excludedSubTrees, the
certificate is invalid.<br>
<br>
So, regarding CP, the examples are all OK if you don't care
about the effective policyId.<br>
If you *require* policyId A at application level, examples 2
and 3 are OK, example 1 is not OK.<br>
If you *require* policyId B at application level, example 2 is
OK, examples 1 and 3 are not OK.<br>
If you *require* either one of {policyId A, policyId B} at
application level, example 2 is OK and will give you both
policies, example 3 is OK and will give you only policyId A,
and example 1 is not OK.<br>
<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal">Now, we have a list of what some current members are doing here: <a moz-do-not-send="true" href="https://cabforum.org/object-registry/">https://cabforum.org/object-registry/</a>, which presumably agrees with the above rules (hopefully?). I’d like to add more data to the list so if your CA is not listed, please email me the OIDs you use and I’ll add them.</p>
<p class="MsoNormal">Returning to the previous discussion, Ryan made a comment that CAs would have to “re-do” their hierarchies to implement these OIDs but presumably he meant if they don’t follow the protocol above, is that right?</p>
<p class="MsoNormal">Thanks,<br>
Dean</p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> <a moz-do-not-send="true" href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a moz-do-not-send="true" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Erwann Abalea<br>
<b>Sent:</b> Friday, October 10, 2014 12:02 PM<br>
<b>To:</b> <a moz-do-not-send="true" href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] OIDs for DV and OV</p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">I'm a bit late, sorry.<br>
<br>
On 09/10/2014 20:26, Dean Coclin wrote:</p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">[...]</p>
<p class="MsoNormal" style="margin-bottom:12.0pt">What I fail to understand from this discussion is how anything is “broken” or “non-compliant” if everyone is already doing something as described above?</p>
</blockquote>
<p class="MsoNormal"><br>
A browser can't programmatically "tag" a certificate as being
OV/DV based on its policyId, because sometimes this policyId
is not present in its chain of issuing CAs.<br>
<br>
For example, take the first 3 CABF members as listed on the
website, click on their link (modify it to be https if
necessary). Those first 3 have an incoherent policyId chain
(right of "=>" is the resulting set of acceptable
policies):<br>
- Actalis:<br>
Baltimore Cybertrust Root is limited to anyPolicy =>
{ anyPolicy }<br>
Actalis Authentication CA G2 is limited to
1.3.6.1.4.1.6334.1.0 => { 1.3.6.1.4.1.6334.1.0 }<br>
portal.actalis.it is 1.3.159.1.4.1 => { empty }<br>
- ANF:<br>
Baltimore Cybertrust Root is limited to anyPolicy =>
{ anyPolicy }<br>
DigiCert High Assurance EV Root CA is limited to
1.3.6.1.4.1.6334.1.0 => { 1.3.6.1.4.1.6334.1.0 }<br>
DigiCert High Assurance CA-3 is limited to
2.16.840.1.114412.1.3.0.2 => { empty }<br>
anf.es is 2.16.840.1.114412.1.1 => { empty }<br>
- AS Sertifitseerimiskeskus:<br>
KLASS3-SK 2010 has no CertificatePolicies extension
=> { empty }<br>
<a moz-do-not-send="true" href="http://www.sk.ee">www.sk.ee</a>
is 1.3.6.1.4.1.10015.7.1.2.5 => { empty }<br>
<br>
Based on X.509/RFC5280 validation algorithm, these subscriber
certificates can at most be valid but for an empty set of
policies. They are RFC5280 compliant, but either invalid or
valid for no identified policy.<br>
<br>
I'm not name dropping, just took the first three.
Unfortunately, I see this more often when reviewing Mozilla
inclusion requests.<br>
<br>
<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal"><br>
Thanks,<br>
Dean</p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Kelvin Yiu [<a moz-do-not-send="true" href="mailto:kelviny@exchange.microsoft.com">mailto:kelviny@exchange.microsoft.com</a>]<br>
<b>Sent:</b> Thursday, October 09, 2014 11:13 AM<br>
<b>To:</b> Moudrick M. Dadashov; Ben Wilson; Dean Coclin; <a moz-do-not-send="true" href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a>; <a moz-do-not-send="true" href="mailto:sleevi@google.com">sleevi@google.com</a>; <a moz-do-not-send="true" href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> RE: [cabfpub] OIDs for DV and OV</p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">AFAIK, the additional OIDs would not be compliant with RFC 5280.</p>
<p class="MsoNormal">Kelvin</p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Moudrick M. Dadashov [<a moz-do-not-send="true" href="mailto:md@ssc.lt">mailto:md@ssc.lt</a>]<br>
<b>Sent:</b> Tuesday, October 7, 2014 3:17 PM<br>
<b>To:</b> Kelvin Yiu; Ben Wilson; Dean Coclin; <a moz-do-not-send="true" href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a>; <a moz-do-not-send="true" href="mailto:sleevi@google.com">sleevi@google.com</a>; <a moz-do-not-send="true" href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] OIDs for DV and OV</p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">Hi Kelvin,<br>
<br>
On 10/8/2014 12:40 AM, Kelvin Yiu wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">I don’t have a problem if a CA chooses to use the BR OIDs instead of their own OIDs to identify BR related certificate policies as long as it is consistently used in the certificate chain. My concern is with cases that do not follow RFC 5280. For example, when BR OIDs are added to end entity certificates in addition to CA specific OIDs when the CA certificate explicitly contains only CA specific OIDs.</p>
</blockquote>
<p class="MsoNormal">I realized this was a real use case where a
single CP presents different types of certificates and adding
a xV OID makes it just more clear. Are you saying this
doesn't follow RFC 5280?<br>
<br>
Thanks,<br>
M.D. <br>
<br>
<br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Kelvin</p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Ben Wilson [<a moz-do-not-send="true" href="mailto:ben.wilson@digicert.com">mailto:ben.wilson@digicert.com</a>]<br>
<b>Sent:</b> Tuesday, October 7, 2014 12:56 PM<br>
<b>To:</b> Kelvin Yiu; Dean Coclin; <a moz-do-not-send="true" href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a>; <a moz-do-not-send="true" href="mailto:sleevi@google.com">sleevi@google.com</a>; <a moz-do-not-send="true" href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> RE: [cabfpub] OIDs for DV and OV</p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I don’t think that the use of a policy OID in a certificate necessarily “ignores” “rules” around policy processing in RFC5280. I don’t think anyone has requested that we require a policy constraints extension. We’re only talking about putting a policy OID in a BR certificate, along with any other policy OIDs the CA cares to insert. The primary purpose of the CP OID is to assert the policy under which the certificate has been issued. It is not to build a path up the chain or constrain processing—those are secondary considerations. I agree about the necessity of putting the CP OID in your CPS and of being audited for compliance with the policy (the BRs and EVGs acknowledge that a point-in-time / readiness audit would be acceptable).</p>
<p class="MsoNormal">The BRs are the closest thing to a Certificate Policy that currently exists. It is “A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements.” Section D.7.1.6 of the PKI Assessment Guidelines states, “The certificate policies extension is intended to convey policy information or references to policy information. Specifically, a PKI can place the object identifier of a certificate policy within the certificate policies extension. The object identifier can enable a relying party to configure its systems to cause its software to look for the OID of an acceptable certificate policy, permit the transaction to continue if the system finds the OID of an acceptable CP in the certificate, and halt the transaction if it does not.” So while it enables functionality, it doesn’t require it, in case that is a browser concern.</p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> <a moz-do-not-send="true" href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a moz-do-not-send="true" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Kelvin Yiu<br>
<b>Sent:</b> Tuesday, October 7, 2014 1:03 PM<br>
<b>To:</b> Dean Coclin; <a moz-do-not-send="true" href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a>; <a moz-do-not-send="true" href="mailto:sleevi@google.com">sleevi@google.com</a>; <a moz-do-not-send="true" href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] OIDs for DV and OV</p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">FWIW, Microsoft provides an API on Windows 7 and later to determine whether a certificate is EV or not, according to Microsoft’s root CA program.</p>
<p class="MsoNormal"><a moz-do-not-send="true" href="http://msdn.microsoft.com/en-us/library/windows/desktop/aa377163%28v=vs.85%29.aspx">http://msdn.microsoft.com/en-us/library/windows/desktop/aa377163(v=vs.85).aspx</a></p>
<p class="MsoNormal">I think it is a bad idea to assert BR OIDs for xV compliance by ignoring the rules around certificate policies processing in RFC 5280. While I understand the desire to have a source of information to identify xV certificates, the value is questionable to me unless the information is also in the CPS and the appropriate audit has taken place.</p>
<p class="MsoNormal">Kelvin</p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> <a moz-do-not-send="true" href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a moz-do-not-send="true" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Dean Coclin<br>
<b>Sent:</b> Tuesday, October 7, 2014 9:12 AM<br>
<b>To:</b> <a moz-do-not-send="true" href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a>; <a moz-do-not-send="true" href="mailto:sleevi@google.com">sleevi@google.com</a>; <a moz-do-not-send="true" href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] OIDs for DV and OV</p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Hi Inigo,</p>
<p class="MsoNormal">Yes, I did create such a sheet and I’ve enclosed it here. And I think it proves my point that the current situation exacerbates the problem, making it difficult for one to programmatically determine what type of cert they are encountering.</p>
<p class="MsoNormal">Dean</p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> <a moz-do-not-send="true" href="mailto:i-barreira@izenpe.net">i-barreira@izenpe.net</a> [<a moz-do-not-send="true" href="mailto:i-barreira@izenpe.net">mailto:i-barreira@izenpe.net</a>]<br>
<b>Sent:</b> Tuesday, October 07, 2014 12:44 AM<br>
<b>To:</b> Dean Coclin; <a moz-do-not-send="true" href="mailto:sleevi@google.com">sleevi@google.com</a>; <a moz-do-not-send="true" href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> RE: [cabfpub] OIDs for DV and OV</p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Dean,
some time ago you created an Excel sheet with those CAs that
use their own OIDs for DV and OV, similar to what was done
with EV. The intention of that list was to also have
another “source” of information for considering those
certs as DV or OV for the browsers in case they need it.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">BTW,
Izenpe uses their own OIDs plus the CABF ones.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="line-height:9.75pt"><b><span
style="font-size:8.5pt;font-family:"Tahoma","sans-serif""
lang="ES-TRAD">Iñigo Barreira</span></b><span
style="font-size:8.5pt;font-family:"Tahoma","sans-serif""
lang="ES-TRAD"><br>
Head of the Technical Area<br>
</span><a moz-do-not-send="true"
href="mailto:i-barreira@izenpe.net"><span
style="font-size:8.5pt;font-family:"Tahoma","sans-serif""
lang="ES-TRAD">i-barreira@izenpe.net</span></a><span
lang="ES-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:8.5pt;font-family:"Tahoma","sans-serif""
lang="ES-TRAD">945067705</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="ES-TRAD"> </span><o:p></o:p></p>
<p class="MsoNormal" style="line-height:9.75pt"><span
style="font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888;mso-fareast-language:ES-TRAD"
lang="ES">ATTENTION! Part or all of this message may be
legally protected. The message has its intended recipient.
If it has reached the wrong address (address mistyped,
transmission failure), notify the sender by replying to
this e-mail. CAUTION!</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#888888;mso-fareast-language:ES-TRAD"
lang="ES"><br>
</span><span
style="font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888;mso-fareast-language:ES-TRAD"
lang="ES">ATTENTION! This message contains privileged or
confidential information that only the addressee is
entitled to access. If you have received it in error, we
would ask you not to make use of the information and to
contact the sender.</span><span
lang="ES-US"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"
lang="ES"> </span><span lang="ES-US"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="ES">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="ES"> </span><a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="ES">public-bounces@cabforum.org</span></a><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="ES"> [</span><a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="ES">mailto:public-bounces@cabforum.org</span></a><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="ES">] <b>On Behalf Of </b>Dean Coclin<br>
<b>Sent:</b> Monday, October 06, 2014 21:17<br>
<b>To:</b> Ryan Sleevi; </span><a
moz-do-not-send="true"
href="mailto:public@cabforum.org"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="ES">public@cabforum.org</span></a><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="ES"><br>
<b>Subject:</b> Re: [cabfpub] OIDs for DV and OV</span><span
lang="ES-US"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="ES"> </span><span
lang="ES-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">So
I get the part that Chrome (and likely other browsers in
the CA/B forum) don’t intend to distinguish DV and OV
certs in any way. Got that. Not a point of contention. In
fact, I knew that when I started this thread. So no need
to go down that path anymore. Having different OIDs does
not oblige a browser to do anything. </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
would have expected more negative commentary from CAs but
so far there has been none. And only 1 browser has chimed
in.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">However,
browsers are not the only application that use SSL
certificates. There are others out there and I distinctly
recall a conversation about 2-3 years ago where Paypal (a
CA/B member) explicitly asked that these OIDs be
mandatory. Brad stated that their security group had
deemed DV certs to be a security threat to their ecosystem
and wanted an easy programmatic way to distinguish them.
At the time, there was some pushback (I don’t believe from
browsers) and the OIDs ended up being optional. </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">It
looks as if some CAs do use OIDs in their DV and OV certs
but some don’t use the CA/B Forum OIDs (rather their own).
This makes it difficult to apply a uniform decision
process. </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Certs
conforming to policy and issued correctly are one aspect
that some folks are looking for. The type of certificate
is another. One that has not been vetted is different from
one that has some vetting completed (other security issues
being equal). Perhaps that benefit is not tangible to some
but it certainly is to others. I can spew some stats on DV
cert use and fraud but that will just muddle this thread
so I’ll save it for another day. </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Why
do browsers care one way or the other if other parties
want to make this distinction? The CA/B Forum has defined
different baseline standards for these types of certs. Why
not make transparency around those standards easy for
those that want to draw a distinction?</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Certainly
would love to hear from some other interested parties.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks,</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Dean</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
Ryan Sleevi </span><a moz-do-not-send="true"
href="mailto:sleevi@google.com"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">[mailto:sleevi@google.com]</span><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<br>
<b>Sent:</b> Thursday, October 02, 2014 8:56 PM<br>
<b>To:</b> Dean Coclin<br>
<b>Cc:</b> </span><a moz-do-not-send="true"
href="mailto:public@cabforum.org"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">public@cabforum.org</span></a><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""><br>
<b>Subject:</b> Re: [cabfpub] OIDs for DV and OV</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">On Thu, Oct 2, 2014 at 5:31 PM,
Dean Coclin <<a moz-do-not-send="true"
href="mailto:Dean_Coclin@symantec.com"
target="_blank">Dean_Coclin@symantec.com</a>>
wrote:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks
for the response and pointers. I’ve read through
the threads but still have additional
questions/comments. I’ll readily admit that I
don’t understand all the commentary in the
Mozilla threads so I apologize if these
questions sound somewhat naïve. Happy to be
educated:</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">You've
heard repeatedly from several browsers about an
explicit non-goal of distinguishing DV and OV. As
the Forum is comprised of CAs and Browsers, do we
have any Browsers that wish to make such a
distinction? If not, it would be wholly
inappropriate for the Forum to require it.<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">>>I
haven’t heard of any browsers that want to make
that distinction (yet). It is my understanding
that the Forum BRs do require an OID for EV
certs. So why is it “inappropriate” for the
Forum to require OIDs for DV/OV?</span><o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Browsers have agreed to make a
distinction between EV and !EV, so have required
there be a way to detect that.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Browsers have not agreed that
there is a distinction between DV or OV, nor is
there a need to detect the difference.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">What the browsers have required
(effectively all stores at this point, AFAIK) is
that the root program members be BR compliant. So
any new certs issued (technically, independent of
the notBefore, and we know CAs regularly backdate
from time of issuance, but it's a rough heuristic)
are, by definition, BR compliant.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC
1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">If
there are non-browser relying parties interested
in such distinctions, the CA can always provide
such distinctions themselves.<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">>>Can
you elaborate on what you mean by this? If
there’s another way to accomplish the end
result, happy to explore further. But it would
have to be uniform among all CAs that issue
these certs.</span><o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">I don't see why it needs to be
uniform.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><br>
The requirement as to what shape it takes is
dictated by the relying party applications.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">The browsers, as relying party
applications, do not and have not yet cared about
the shape of DV and OV, and as per our recent F2F,
aren't really keen to either.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">So having the browsers dictate
the shape of the solution seems unnecessary, and an
issue for these relying party applications (e.g.
Netcraft) to work with CAs.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC
1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">As
someone very keen on programmatic checks and
detection for misissuance, there's no question
that this would NOT meaningfully help address
the concerns we see.<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">>>I
wasn’t suggesting that this addition would in
any way help you with your programmatic checks
for mis-issuance. Rather, it would make the
task for organizations like Netcraft, EFF or
others that tabulate statistics on various
types of certificates easier to do. Is that
not the case?</span><o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Not really. These organizations
are interested in the same discussions and
distinctions we are - what are the certificates
being issued and do they conform to the policies
that they're supposed to.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">We've established that there's no
'uniform' definition of what constitutes OV, only
that the BR requires certain vetting steps for
certain subject fields that are OPTIONAL. CAs have
taken these and marketed them as OV, but there's no
such distinction as a level, nor a particular
profile spelled out in the appendices as to what
constitutes a "DV" vs "OV".<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">If that was the only degree of
distinction required, it's just as easy as checking
the Subject fields for any of the OPTIONAL fields.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC
1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">That
is, there would need to be an OID _per revision_
of the BRs, to indicate "which" version of the
BRs something was complying to. <o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">>>Fully
admit that I don’t understand how this works.
But wouldn’t that also be the case for EV
(which currently requires this OID)?</span><o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">YES! And it's one of the many
reasons why EV is somewhat muddled for programmatic
checks or distinctions. And yet this is also
necessary because any change in policy, by
definition, necessitates a change in OID to
(meaningfully) reflect that. And that constitutes
rolling a new hierarchy (and updating browsers'
lists of recognized EV OIDs).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC
1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I’m
just trying to suggest a way that someone can
say: X is a DV cert, Y is an OV cert, Z is an
EV cert without a doubt. If OIDs are not the
place to do that, is there another mechanism
available?<br>
I’m sure you are familiar with Ryan Hurst’s
blog on how difficult the task currently is.</span><o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">I am (you're talking about <a
moz-do-not-send="true"
href="http://unmitigatedrisk.com/?p=203">http://unmitigatedrisk.com/?p=203</a>
in particular). But I'm also not supportive of
encouraging a distinction that we neither recognize
nor have plans to recognize, and especially not
supportive of mandating such distinctions.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">This is especially true, as these
distinctions don't offer any tangible security
benefits to the Web, as previously discussed.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">If we go to the point of
mandating anything additional in certificates, which
requires a variety of changes in processes,
profiles, and CPSes, I want it to have meaningful
security value. This change - which, as has been
shown by the development of audit standards and then
the eventual incorporation of those audit standards
into the root programs, and then FINALLY the <b>enforcement</b> of
those audit standards of the root programs - would
take several years, at BEST, to deploy, and would
communicate nothing of actionable value. It's a hard
sell.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC
1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><br>
Thanks,<br>
Dean</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
</span><a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org"
target="_blank"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">public-bounces@cabforum.org</span></a><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
[mailto:</span><a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org"
target="_blank"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">public-bounces@cabforum.org</span></a><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">]
<b>On Behalf Of </b>Ryan Sleevi<br>
<b>Sent:</b> Thursday, October 02, 2014 3:37
PM<br>
<b>To:</b> Dean Coclin<br>
<b>Cc:</b> </span><a moz-do-not-send="true"
href="mailto:public@cabforum.org"
target="_blank"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">public@cabforum.org</span></a><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""><br>
<b>Subject:</b> Re: [cabfpub] OIDs for DV and
OV</span><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On
Thu, Oct 2, 2014 at 10:33 AM, Dean
Coclin <<a moz-do-not-send="true"
href="mailto:Dean_Coclin@symantec.com"
target="_blank">Dean_Coclin@symantec.com</a>>
wrote:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Further
to today’s discussion on our call,
I’d like to get more feedback on a
proposal to make a unique
standardized OID mandatory for DV
and OV certificates in the
Baseline Requirements. Currently
we have a mandatory OID for EV
certificates but optional for OV
and DV. This makes things
difficult for at least two groups
of constituents:<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p>1.<span style="font-size:7.0pt">
</span>Relying parties that would
like to distinguish between these
certificates<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">You've
heard repeatedly from several
browsers about an explicit non-goal
of distinguishing DV and OV. As the
Forum is comprised of CAs and
Browsers, do we have any
Browsers that wish to make such a
distinction?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">If
not, it would be wholly
inappropriate for the Forum to
require it. If there are non-browser
relying parties interested in such
distinctions, the CA can always
provide such distinctions
themselves.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<blockquote
style="border:none;border-left:solid
#CCCCCC 1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p>2.<span style="font-size:7.0pt">
</span>Analysts that report on
SSL certificate data who have
had to issue revised reports
because of cert
misclassification<o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">As
mentioned on the call, this has been
discussed with Mozilla in the past
- <a moz-do-not-send="true"
href="https://groups.google.com/d/msg/mozilla.dev.security.policy/-mCAK5zfhFQ/hEOQK-ubGRcJ"
target="_blank">https://groups.google.com/d/msg/mozilla.dev.security.policy/-mCAK5zfhFQ/hEOQK-ubGRcJ</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">As
someone very keen on programmatic
checks and detection for
misissuance, there's no question
that this would NOT meaningfully
help address the concerns we see.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">That
is, there would need to be an OID
_per revision_ of the BRs, to
indicate "which" version of the BRs
something was complying to. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I
would hope that <a
moz-do-not-send="true"
href="https://groups.google.com/d/msg/mozilla.dev.security.policy/-mCAK5zfhFQ/2tRUS444krwJ"
target="_blank">https://groups.google.com/d/msg/mozilla.dev.security.policy/-mCAK5zfhFQ/2tRUS444krwJ</a>
would capture some of these concerns
more fully.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Finally,
to do anything meaningful with this
in all major clients, it would
require that CAs redo their
certificate hierarchy, as policy
OIDs are inherited. That's a silly
thing, especially when CAs are still
struggling to migrate from SHA-1 to
SHA-256 in their intermediates.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<blockquote
style="border:none;border-left:solid
#CCCCCC 1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">My
proposal is for CAs to put in
OID X if it’s a DV certificate
and OID Y if it’s an OV
certificate.<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">As
Rick reminded me on the call, we
currently have something like
this for EV certificates (except
that CAs are free to use the
standard OID or define one of
their own).<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I’d
like to hear pros/cons of this.
Ryan S indicated that Google
would not support such a
proposal but we didn’t have time
to discuss the reasons.<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I’m
sure there are both technical
and policy reasons. Personally
I’d like to focus on the latter
but remarks on both are welcome.
This proposal doesn’t require
anyone to do anything with this
data (i.e. relying parties can
choose whether or not to utilize
it).<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><br>
Thanks,<br>
Dean<o:p></o:p></p>
<p> <o:p></o:p></p>
<p> <o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><br>
_______________________________________________<br>
Public mailing list<br>
<a moz-do-not-send="true"
href="mailto:Public@cabforum.org"
target="_blank">Public@cabforum.org</a><br>
<a moz-do-not-send="true"
href="https://cabforum.org/mailman/listinfo/public"
target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
</blockquote>
<br>
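<p>The classification problem the thread argues about, as an added example that is not part of any message above: a small Python model of RFC 5280 policy inheritance showing why an intermediate carrying anyPolicy passes a leaf's CA/B Forum DV or OV OID through the chain while an intermediate that omits certificatePolicies breaks it (Erwann's point), with the Subject "O" fallback Ryan describes. The CABF OIDs are the published ones; the private OID arc, the CA-specific mapping table and every certificate are constructed placeholders.</p>

```python
"""Classify a TLS server certificate as DV/OV/EV from policy OIDs and Subject.

Constructed example: certificates are modelled as plain records rather than
parsed from DER, so it runs offline with the standard library only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ANY_POLICY = "2.5.29.32.0"      # RFC 5280 anyPolicy
CABF_EV = "2.23.140.1.1"        # CA/Browser Forum EV Guidelines
CABF_DV = "2.23.140.1.2.1"      # Baseline Requirements, domain-validated
CABF_OV = "2.23.140.1.2.2"      # Baseline Requirements, organization-validated
CABF_TYPES = {CABF_DV: "DV", CABF_OV: "OV", CABF_EV: "EV"}


@dataclass
class Cert:
    label: str                        # human-readable name, for output only
    subject: Dict[str, str]           # Subject DN attributes, e.g. {"CN": ..., "O": ...}
    policies: Optional[List[str]]     # certificatePolicies OIDs; None = extension absent


def valid_policies(path: List[Cert]) -> Set[str]:
    """Simplified RFC 5280 section 6.1.3 policy processing.

    `path` runs from the first intermediate below the trust anchor down to the
    leaf; the anchor itself contributes nothing. Policy mappings, inhibitAnyPolicy
    and requireExplicitPolicy are ignored so the inheritance rule stays visible.
    """
    valid: Set[str] = {ANY_POLICY}
    for cert in path:
        if cert.policies is None:
            # No certificatePolicies extension: the valid-policy tree becomes
            # NULL here and nothing further down the chain can restore it. An
            # intermediate like this must be reissued before any new leaf OID
            # can be relied on through the chain.
            return set()
        asserted = set(cert.policies)
        if ANY_POLICY in valid:
            valid = asserted                 # first concrete assertion wins
        elif ANY_POLICY not in asserted:
            valid = valid & asserted         # explicit list: intersect
        # otherwise this cert asserts anyPolicy and the inherited set passes through
    valid.discard(ANY_POLICY)                # anyPolicy is not a concrete policy
    return valid


def classify(path: List[Cert], ca_oid_map: Optional[Dict[str, str]] = None) -> Tuple[str, str]:
    """Return (type, basis) for the leaf at the end of `path`.

    Evidence is tried in order: a recognised policy OID that survives chain
    processing (the CABF OIDs plus any CA-specific OIDs in `ca_oid_map`, the
    kind of table a per-CA spreadsheet would hold), then the Subject heuristic:
    "O" is one of the Baseline Requirements' OPTIONAL organization-vetted fields.
    """
    leaf = path[-1]
    known = {**CABF_TYPES, **(ca_oid_map or {})}
    surviving = valid_policies(path)
    asserted = [oid for oid in (leaf.policies or []) if oid in known]
    for oid in asserted:
        if oid in surviving:
            return known[oid], f"policy {oid} valid through chain"
    basis = "subject heuristic"
    if asserted:
        basis += f"; leaf asserts {asserted[0]} but an intermediate blocks it"
    # The heuristic cannot separate EV from OV: both carry an O attribute.
    return ("OV" if "O" in leaf.subject else "DV"), basis


# Constructed sample chains (not real certificates). The private arc below is a
# hypothetical placeholder standing in for a CA's own policy OID.
OWN_OID = "1.3.6.1.4.1.99999.1.1"
ICA_ANY = Cert("ICA anyPolicy", {"CN": "Example Issuing CA 1", "O": "Example CA"}, [ANY_POLICY])
ICA_NONE = Cert("ICA no policies", {"CN": "Example Issuing CA 2", "O": "Example CA"}, None)
ICA_OWN = Cert("ICA own OID", {"CN": "Example Issuing CA 3", "O": "Example CA"}, [OWN_OID])
LEAF_DV = Cert("DV leaf", {"CN": "www.example.com"}, [CABF_DV])
LEAF_OV = Cert("OV leaf", {"CN": "www.example.org", "O": "Example Org Ltd", "C": "US"}, [CABF_OV])
LEAF_OWN = Cert("own-OID leaf", {"CN": "shop.example.net"}, [OWN_OID])


def demo() -> List[Tuple[str, str, str]]:
    """Run the sample chains and return (leaf label, type, basis) rows."""
    rows = []
    for path, ca_map in (
        ([ICA_ANY, LEAF_DV], None),              # anyPolicy intermediate: leaf OID usable
        ([ICA_NONE, LEAF_OV], None),             # intermediate without policies: chain breaks
        ([ICA_OWN, LEAF_OWN], None),             # CA-specific OID, no mapping: heuristic only
        ([ICA_OWN, LEAF_OWN], {OWN_OID: "DV"}),  # same chain with the CA's mapping supplied
    ):
        kind, basis = classify(path, ca_map)
        rows.append((path[-1].label, kind, basis))
    return rows


if __name__ == "__main__":
    for row in demo():
        print("%-14s %-3s %s" % row)
```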
</body>
</html>