<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"MS Shell Dlg 2";
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Arial",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:EN-GB'>Dear CABForum,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:EN-GB'>I’ve been working on an issue in the Mozilla mailing lists which I think should be given air time again. Back in June 2012, just prior to the effective date of the Baseline Requirements, it was suggested by me that the Forum reach out to a wider audience of third party providers who created platforms that had the capability to issue certificates to ensure that they met BR compliance needs. Ballot 105 specifically addresses the fact that we didn’t do this by not mandating OCSP services be database based (an example of another area where we should all be striving to meet best practice)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:EN-GB'>Whilst the focus of the discussion in that thread is actually something else (human error in the use of a space in the Common Name), a particular side issue highlights the fact that additional information is added to SSL certificates in order to support WS-Trust services by the Microsoft platform and not many people know what this is. 
GlobalSign and the end customer concerned (Deutsche Post) meet the BR guidelines as we do know what the OID is for (it’s part of the WS-Trust services automation introduced in Server 2008 R2) so we fulfil the needs of Appendix B (4) shown below with ***’s around this section. </span><span style='font-size:9.0pt;font-family:"Arial",sans-serif;mso-fareast-language:EN-GB'><a href="https://www.partnerportal-deutschepost.de/nc/login.html">https://www.partnerportal-deutschepost.de/nc/login.html</a> is an example of an end entity having these Microsoft specific additional items. This is the extra information included:- <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial",sans-serif;mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:8.5pt;font-family:"MS Shell Dlg 2",sans-serif'>Template=1.3.6.1.4.1.311.21.8.3675690.6234259.10436751.12227305.62135.141.959321.10252252<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:8.5pt;font-family:"MS Shell Dlg 2",sans-serif'>Major Version Number=100<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:8.5pt;font-family:"MS Shell Dlg 2",sans-serif'>Minor Version Number=6<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:EN-GB'>From <a href="https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf">https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf</a> marked with ***’s<o:p></o:p></span></i></p><p class=MsoNormal><b><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:EN-GB'>(4) All Certificates <o:p></o:p></span></i></b></p><p class=MsoNormal><i><span 
style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:EN-GB'>All other fields and extensions MUST be set in accordance with RFC 5280. The CA SHALL NOT issue a Certificate that contains a keyUsage flag, extendedKeyUsage value, Certificate extension, or other data not specified in this Appendix B ****unless the CA is aware of a reason for including the data in the Certificate****. <o:p></o:p></span></i></p><p class=MsoNormal><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:EN-GB'>CAs SHALL NOT issue a Certificate with: <o:p></o:p></span></i></p><p class=MsoNormal><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:EN-GB'>(a) Extensions that do not apply in the context of the public Internet (such as an extendedKeyUsage value for a service that is only valid in the context of a privately managed network), unless: i. such value falls within an OID arc for which the Applicant demonstrates ownership, or ii. the Applicant can otherwise demonstrate the right to assert the data in a public context; or <o:p></o:p></span></i></p><p class=MsoNormal><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:EN-GB'>(b) semantics that, if included, will mislead a Relying Party about the certificate information verified by the CA (such as including extendedKeyUsage value for a smart card, where the CA is not able to verify that the corresponding Private Key is confined to such hardware due to remote issuance).<o:p></o:p></span></i></p><p class=MsoNormal><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:EN-GB'><o:p> </o:p></span></i></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:EN-GB'>Is there sufficient impetus to bring back the discussion and invite third parties to provide compliance plans/timelines? 
This may also aid our work on OCSP stapling etc ;-)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:EN-GB'>Kind Regards<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:EN-GB'> <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:EN-GB'>Steve</span><span style='font-size:8.5pt;font-family:"Arial",sans-serif;color:black;mso-fareast-language:EN-GB'><o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>
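The "Template / Major Version / Minor Version" data quoted in the message, as an added example that is not part of Steve's e-mail or of GlobalSign's tooling: that data travels in the Microsoft Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7; the template OID itself sits under the 1.3.6.1.4.1.311.21.8 arc, as in the message), and the block below encodes and decodes that extension's DER value and applies an Appendix B (4) style "is there a known reason for this extension" check. The allowlist of expected subscriber-certificate extensions and the short-form-length-only DER handling are this example's own assumptions.

```python
# Added example, not from the e-mail: the "Template / Major Version / Minor Version" data quoted
# above travels in the Microsoft Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7).
# Subscriber-certificate extensions Appendix B (3) and RFC 5280 expect; this allowlist is an assumption.
EXPECTED = {"2.5.29.14", "2.5.29.15", "2.5.29.17", "2.5.29.19", "2.5.29.31",
            "2.5.29.32", "2.5.29.35", "2.5.29.37", "1.3.6.1.5.5.7.1.1"}

def _base128(n):
    """One OID arc in base 128: continuation bit on every byte but the last."""
    out = bytearray([n & 0x7F])
    while n >> 7:
        n >>= 7
        out.insert(0, 0x80 | (n & 0x7F))
    return bytes(out)

def encode_template_extension(template_oid, major, minor):
    """DER for CertificateTemplate ::= SEQUENCE { templateID OID, major INTEGER, minor INTEGER }."""
    arcs = [int(a) for a in template_oid.split(".")]
    oid = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    tlv = lambda tag, v: bytes([tag, len(v)]) + v          # short-form length only (value < 128 bytes)
    integer = lambda i: tlv(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))
    return tlv(0x30, tlv(0x06, oid) + integer(major) + integer(minor))

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element with a short-form length."""
    tag, length = buf[pos], buf[pos + 1]
    assert length < 0x80, "long-form DER length not handled in this example"
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def _decode_oid(value):
    """OID content bytes back to dotted form (multi-byte arcs included)."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(str(x) for x in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])

def decode_template_extension(der):
    """Parse the extension value into the fields a certificate viewer displays."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "expected SEQUENCE"
    tag, oid, pos = _read_tlv(body, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    _, major, pos = _read_tlv(body, pos)
    minor = int.from_bytes(_read_tlv(body, pos)[1], "big") if pos < len(body) else None  # OPTIONAL
    return {"template": _decode_oid(oid), "major": int.from_bytes(major, "big"), "minor": minor}

def unexpected_extensions(ext_oids):
    """Extensions outside the allowlist: Appendix B (4) says the CA must know why they are there."""
    return sorted(o for o in ext_oids if o not in EXPECTED)
```

Feeding the template OID from the message through `encode_template_extension` and back reproduces the three displayed fields, and `unexpected_extensions` flags 1.3.6.1.4.1.311.21.7 as the item the CA must be able to explain.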