<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:20085972;
mso-list-template-ids:709007344;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1
{mso-list-id:286278839;
mso-list-template-ids:-1363404810;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2
{mso-list-id:397823022;
mso-list-template-ids:-1783857502;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3
{mso-list-id:625432078;
mso-list-template-ids:1212609204;}
@list l3:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l3:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4
{mso-list-id:647979677;
mso-list-template-ids:-473822408;}
@list l4:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5
{mso-list-id:922684875;
mso-list-template-ids:-1648045288;}
@list l5:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l5:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l5:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6
{mso-list-id:1181696233;
mso-list-template-ids:-274311096;}
@list l6:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l6:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l6:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7
{mso-list-id:1275331955;
mso-list-template-ids:-1683041594;}
@list l7:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l7:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l7:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l8
{mso-list-id:1354576213;
mso-list-template-ids:1840431380;}
@list l8:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l8:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l8:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l8:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l8:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l8:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l8:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l8:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l8:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l9
{mso-list-id:1439375213;
mso-list-template-ids:-961486968;}
@list l9:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l9:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l9:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l9:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l9:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l9:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l9:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l9:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l9:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l10
{mso-list-id:1441876901;
mso-list-template-ids:-1613577430;}
@list l10:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l10:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l10:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l11
{mso-list-id:1796831285;
mso-list-template-ids:-1439895126;}
@list l11:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l11:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l11:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l11:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l11:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l11:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l11:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l11:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l11:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l12
{mso-list-id:1812598078;
mso-list-template-ids:1949446234;}
@list l12:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l12:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l12:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l12:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l12:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l12:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l12:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l12:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l12:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l13
{mso-list-id:1855221516;
mso-list-template-ids:-115591854;}
@list l13:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l13:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l13:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l13:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l13:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l13:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l13:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l13:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l13:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l14
{mso-list-id:1876459110;
mso-list-template-ids:-1362873794;}
@list l14:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l14:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l14:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l14:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l14:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l14:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l14:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l14:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l14:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l15
{mso-list-id:1936939263;
mso-list-template-ids:136461572;}
@list l15:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l15:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l15:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l15:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l15:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l15:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l15:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l15:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l15:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D'>Public release of F2F meeting minutes</span><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Meeting 35 Minutes</span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Day 1 <br>Wednesday, 24 June 2015</span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'> <o:p></o:p></span></p><div class=MsoNormal align=center style='text-align:center'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'><hr size=1 width="100%" align=center></span></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>CNNIC application</span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>A discussion on the CNNIC application for membership in the CA/B Forum took place. Although it appears their application is complete, two questions arose: 1. They don't appear to be licensed in China (BRs requires that a CA be licensed in the country they do business if a licensing scheme is in place) and 2. they appear to be a registrar for a TLD as well as a CA. Dean stated that they have a valid BR audit which would address item 1 but was asked to get clarification from CNNIC. Further discussion will take place on the next call. <o:p></o:p></span></p><div class=MsoNormal align=center style='text-align:center'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'><hr size=1 width="100%" align=center></span></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Working Group reports</span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Policy Working Group</span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'> (Ben) <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>goals: <o:p></o:p></span></p><ul type=disc><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l12 level1 lfo1'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>to make it easier to understand and implement <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l12 level1 lfo1'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>so the structure is in compliance to RFC 3647 <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l12 level1 lfo1'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>implement the Policy in the CAs CP/CPS documents <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l12 level1 lfo1'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>address the EV requirements <o:p></o:p></span></li></ul><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>issues to resolve: <o:p></o:p></span></p><ul type=disc><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo2'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>revocation <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo2'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>physical security <o:p></o:p></span></li></ul><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>done on the meeting: <o:p></o:p></span></p><ul type=disc><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l5 level1 lfo3'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>review of section 1, 2, 3, 4, started with 5 <o:p></o:p></span></li></ul><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>There where some discussions how detailed the policy should be. To meet all the different requirements or methods of the Standards as example <a href="https://www.cabforum.org/wiki/WebTrust"><span style='color:gray;border:none windowtext 1.0pt;padding:0in'>WebTrust</span></a> or ETSI the document should be a high level statement. Ben invited interested participants to the working group phone calls – the time is 15:00 on Thursday in between the CAB calls <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Validation Working Group</span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'> (Kirk) <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>goals: <o:p></o:p></span></p><ul type=disc><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l11 level1 lfo4'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>initially to specify procedures for Validation of requests <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l11 level1 lfo4'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>the purpose was changed for verification of Domains and <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l11 level1 lfo4'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>resolving EV issues <o:p></o:p></span></li></ul><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>status: <o:p></o:p></span></p><ul type=disc><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l7 level1 lfo5'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>new DV proposal <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l7 level1 lfo5'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Methods of validation should or may be can reduced from 9 to 7, so 1 to 5 are discussed left 6 to 9 from section 7 of the DV proposal <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l7 level1 lfo5'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>ballot 147 is ongoing regarding on company letters <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l7 level1 lfo5'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>there are discussion regarding a new business category named “other” to identify client regarding “local law” <o:p></o:p></span></li></ul><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>There were also some discussions how to proof the ownership of a domain – when you put something on the website to demonstrate the control of the domain. (more discussion on the second CAB day) The opinion on this method is changing. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>If there are any problems with the validation during the issuance of EV Certs report this to the validation working group members are Kirk, Cecilia, Robin or Jeremy. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Code Signing Working Group</span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'> (Dean) <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Status: <o:p></o:p></span></p><ul type=disc><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l6 level1 lfo6'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>The draft has been commented, there are 2 items open <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l6 level1 lfo6'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Final draft will be released – it will be not perfect – all are requested to bring it forward <o:p></o:p></span></li></ul><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>What is new with this policy <o:p></o:p></span></p><ul type=disc><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo7'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Formats are described <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo7'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>The certificate has to be stored in hardware device <o:p></o:p></span></li></ul><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>The information sharing thematic could not be covered it is delegated to the information sharing work group <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Information sharing Working Group</span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>The information sharing working group is working to define technical aspects like <o:p></o:p></span></p><ul type=disc><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l10 level1 lfo8'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Data format (what is the best XML or something else) <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l10 level1 lfo8'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>When <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l10 level1 lfo8'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Who <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l10 level1 lfo8'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Control <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l10 level1 lfo8'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Use <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l10 level1 lfo8'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Feed in the system <o:p></o:p></span></li></ul><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>So there are technical persons required – the call is taking place on every second Friday in the same week like the CAB phone call at 16:00. <o:p></o:p></span></p><div class=MsoNormal align=center style='text-align:center'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'><hr size=1 width="100%" align=center></span></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Microsoft Root Program Update</span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Consolidated root program in a single group at Microsoft. New changes went live on June 2, 2015. Received comments from information that was sent out in April. Only about 4-5 companies responded. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Program was launched in Windows 95, added auto-update in XP, and added update to certificate properties in Vista. Windows 10 will ship with April 2015 certificate update. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Microsoft currently works with 79 commercial CA's and 47 government CA's which manage 334 roots. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>The overview of the program changes were to do the following: <o:p></o:p></span></p><ul type=disc><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l13 level1 lfo9'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Change program requirements for rules to join, requirements to stay in, and ways to get kicked out. <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l13 level1 lfo9'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Streamline audit requirements and require a qualified auditor, baseline requirements audit and set obligation on CA. <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l13 level1 lfo9'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Re-wrote contract to address government CA's and commercial CA's. The new agreement supersedes all previous agreements. Agreement must be signed in 90 days. <o:p></o:p></span></li></ul><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>The changes were made as the requirements were old, out-of-date and conflicting. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Rick stated that there were still new requirements which were confusing such as when SHA-1 was allowed or not allowed. Jody stated that they would look into resolving this issue. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>In the new program all communication would be done by email including contractual notices. The CA's must provide contact information three times per year (it is possible for the CA to add an auditor as a contact). Microsoft may contact certificate subscribers if there are issues with a Root. Audit compliance evidence is CA's responsibility to provide. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Microsoft has streamlined the audit requirements. The auditor must meet Microsoft's qualification requires and as such must be licensed by <a href="https://www.cabforum.org/wiki/WebTrust"><span style='color:gray;border:none windowtext 1.0pt;padding:0in'>WebTrust</span></a> or accredited per <a href="http://www.european-accreditation.org/mla-and-bla-signatories#4"><span style='color:#0044B3;border:none windowtext 1.0pt;padding:0in'>http://www.european-accreditation.org/mla-and-bla-signatories#4</span></a>. Auditor must be one level down and not accredited by others. Qualified audits must match EKUs requirements per the tables in the MS audit requirements document. SSL requires a Baseline Requirement audit. Government CA's must either be commercial or limit the TLDs. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Don suggested that there may be some confusion for how root and third party sub CA's audit reports must be correlated. Jody stated that this issue can be addressed. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>CA's must use separate sub CA's for EV, DV and OV certificates. CA's must also include the industry policy OIDs in both end-entity and sub CA's. OID values were stated, but it was commented that there is an error which will be corrected. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Eddy stated that there are issues with creating new sub CA's on a short term basis. Jody says that Microsoft will be flexible and will allow reasonable time to implement new sub CA's. If the CA has an issue, then they should approach Microsoft with a plan with reasonable dates and provide status updates. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Microsoft requires separate sub CA's to 1) provide greater flexibility to limit or revoke, 2) provide greater certainty to know the type of certificate presented, and 3) provide additional flexibility to implement browser or OS features. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Wayne has issues with creating new sub CA's and to separate OV and DV CA's. Jody emphasized that the CA can propose a plan to implement the requirements. Jody also indicates that all technical requirements can be checked by Microsoft through telemetry. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>The key takeaways are that 1) Microsoft intends to be firm in new requirements, 2) Microsoft knows that changes take time, and 3) Microsoft wants CA's to propose reasonable plans to implement. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>CA's and Microsoft must deal with incident responses for compromise, security incidents and incidents which have exceptional circumstances. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Questions: <o:p></o:p></span></p><ul type=disc><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo10'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Microsoft will provide methodology to provide PKI hierarchy for each root. <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo10'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Microsoft does not plan to change the contract unless there is a material issue. <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo10'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Why is there a requirement that the CA has to have a time-stamp authority (TSA). <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo10'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Some old roots do not have CNs, but this is a requirement <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo10'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>If there are new sub CA's then the old certificates will not be impacted. Just don't issue any more on the old CA. <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo10'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Is there an issue with KPMG not listed for Turkey. No as cross border accreditation will allow KPMG to audit in Turkey. <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo10'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>What about S/MIME? Microsoft will need to follow up on S/MIME. <o:p></o:p></span></li></ul><div class=MsoNormal align=center style='text-align:center'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'><hr size=1 width="100%" align=center></span></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Short Lived certificates</span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Ben Wilson: Several years ago we were trying to improve revocation response times in the wake of the Diginotar incident. Looking at all of the things which could be done. Some say that with a short-lived certificate, even when that certificate doesn't include pointers to revocation information, the amount of risk is the same as a longer lived certificate with revocation information because the time for an OCSP response or CRL to expire is comparable with the life of the short lived certificate. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>The BRs require that revocation info be included in all certificates. There is no way no be compliant with the BRs while issuing certificates without revocation info even if the certificate is short lived. There is no prohibition on a CA issuing short lived certificates today - but they must include the revocation pointers. When talking with people who know more than I do about this, they say the best way to try out short lived certificates is to remove the revocation info.<br>Browsers won't check (and won't complain) when no revocation info is present.<br>Eddy: Is the reason to improve the user experience or to protect from Diginotar.<br>Ben: A couple of big customer have come to us and - really it's customer experience.<br>The Conversation around short-lived certificates without revocation pointers has gone on. Some People are opposed to it. Some people support it. Some say you could use CT logging and staple OCSP.<br>Against that, if you're doing CT then you're logging a new certificate every day instead of every 2 years, so the magnitude is very great.<br>option: short lived certificates - put in a different log and roll the CT log over fairly frequently - or prune logs.<br>I don't want to get ito massive CT details. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Ryan: not sure I follow how CT plays into this.. <br>1 argument is simply a matter of performance. It doesn't hold much weight. <br>Dropping CRL URL from certificate saves bytes, but requiring CT adds more bytes back in, so the 'saving bytes' argument is problematic.<br>Wayne: We're doing a lot to add size to certificates. OIDs, CT<br>Ryan - we don't require CT proofs in certificates - they can be stapled or got another way. There is 1 area of concern that a number of partners have asked for clarification - OCSP is hard. Short lived certificates could be a real saving, especially in IOT space (e.g. Digicert-plex)<br>The question is whether or not for the passive attack model (e.g. mis-issuance) - whether the short lived certificates offer the same security. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Robin: Ben, Your premise was that the security of a short lived certificate without revocation info was equivalent in some sense to that of the revocation response. It is comparable maybe, but I would disagree it is equivalent, because if there is a certificate with revocation information there is the opportunity for a CA to revoke the certificate, issue new revocation response and make it available to relying parties.<br>I appreciate there are replay attacks that can be done on revocation responses, but nonetheless you can get the message out to some people and that option isnt available with short lived certificates.<br>Ryan: That was the distinction I was trying to make, Under active attack OCSP responses can be replayed.<br>Under a passive attack (such as loss of key) the revocation can have value. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Ben: As you say, There are situations where the circumstances are amenable to short lived certificates (IoT)<br>Ryan: providers want devices to phone home every week. If it hasn't phoned home then they want to 'stop' the certificate by not re-issuing a new short-lived certificate. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Wayne: current viable alternative to highly available OCSP is stapling.<br>Ryan: stapling itself is an alternative, but the way it is structured is that you still have to have the ability to issue a response every day.<br>E.g. The Plex media streaming device. You can load it from anywhere on the internet & need a secure connection to the device.<br>Dean: I've done cable boxes<br>Ryan: Plex is public - they wanted to understand if they could have a short lived certificate.<br>Robin: If they want to do short-lived certificates, to issue the certificate & a single OCSP response is only twice he effort. - not a million times the effort.<br>Ryan: sure - The BRs say an OCSP service must be High Availability <br>Robin: The BRs don't say HA - only 99.9% availability - if you control the application then you know not much internet load will arrive. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Ben: It's a different risk model. Web pages - lots of people going to them. - these devices have fewer visitors.<br>Ryan: - Stapling is a great way to reduce OCSP responder loads for CAs. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>There's a reseller who resells Comodo and Digicert and (I think) Symantec reseller based in the US who contributes code to Apache and ngnix, including code supporting OCSP stapling. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Dean: It's good to hear about this new area where this may be a necessary thing. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Ben: How do we identify this sort of scenario where this may be permitted. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Ryan: If the forum would like to better understand the use cases:<br>We have the notion in the Mozilla process of having technically constrained CAs.<br>The BRs are more stringent than Mozilla's requirements. It is the BRs that need CRL and OCSP pointers in end entity certificates issued from constrained CAs. Not Mozilla.<br>Mozilla say that if the intermediate itself is BR compliant then that's good enough. Plex could have used a sub-ca Name-Constrained to their own namespace and then issued certificates with no OCSP & CRL and Mozilla would be happy. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Bruce: How is the damage constrained for relying parties?<br>Ryan: by Name-Constraints, the subscriber sets the policy . The subscriber can set a more relaxed policy.<br>Tim: as a relying party - I just know the URL. I have no way of knowing that this portion of the internet is different.<br>Robin: Are you saying that revocation or other responsibilities falls at the sub-CA?<br>Eddy points out that revocation times are long for sub-CAs.<br>Tim: Name-Constrained sub-CAs could be used to avoid some BR requirements.<br>Ryan: Mozilla policy has 'get out of jail free' cards for Name-Constrained CAs.<br>Wayne: Do the browsers view these certificates as compliant?<br>Ryan: Yes. Plexapp.com - is viewed with a browser. <o:p></o:p></span></p><div class=MsoNormal align=center style='text-align:center'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'><hr size=1 width="100%" align=center></span></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Ballot process/preparation. Demo of new system of marked up version of BRs.</span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Ben - The Problem: easy to keep track of changes when there was only one set of BRs, changes were minor, and there weren't many people. Coordination of ballot #s wasn't necessary. Had certain rules about ballot format, what the ballot was for, why it was needed, redlined version of proposal. Ben thinks people were starting to get a bit careless about ballots, and it wasn't always clear what changes need to be made to the BRs after ballots had passed. Official ballot needs to be clear about the exact changes being voted on, without any interpretation being necessary. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Kirk suggested unanimous consent could be used to correct minor inconsistencies discovered while updating the BRs to reflect results. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Ryan - The Solution: proxy-presenting for Peter Bowen Ballots done in Word via track changes, need a particular version of Word, production of PDF is painful, etc. Also, there is no good way to track changes to the BRs over time. Peter has put the baselines in a textual, easy to read form, that can be converted into "eye pleasing" formats. Dean asked if it's easy to see which lines were the result of which ballots. Ryan answered this could be done by checking the BRs into a source control tool like git, which has a "blame" feature to figure out where an individual lines came from. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Kirk - Does this apply at all stages of the ballot? Ryan - Yes. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Ryan showed the source document in .md format, and showed the document converted to HTML and PDF. Making a change to the BRs is as easy as editing the text file. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Dean had some concerns about usability of command line tools. It was mentioned that WYSIWIG editors exist for all these tools. Ryan demoed editing the BRs via a github web interface. Ryan demonstrated adding comments inline to discuss changes to the BRs. Kirk asked if comments appeared in the final document. Ryan confirmed that they do not, but comments would be saved and the public could see all the conversation that was involved in creating the baseline requirements. It was mentioned that git might be a bit complex for non-technical users. Ryan mentioned that there are two parts: converting the BRs to text, and the tools used to simplify the process. Wayne mentioned that github really is not all that much more complex than Word. There could be simple instructions for how to create a ballot using github. Ryan mentioned that Ben is currently doing quite a bit of work to create redlined versions of documents, and merging documents, that is error prone and not necessary. Wayne: don't have a good way to track versions today; this is exactly what github is for. Kirk: if we need better version control, we need to do that. Wayne: Manual version control is very costly, tools like this are designed for this. Ben: Ben currently manages the master version of the documents, with a central server to coordinate changes, things might work better. Rick: Could members of the public participate in discussions? Ryan: It's up to us whether we allow public participation. Rick: There is the danger that the comments get split between github, and the email list. Ryan: We'd have to have rules about what goes where, perhaps pre-ballot on github and ballot on list. Again, there are two parts: replacing Word with something more flexible, and using github. Rick: Could we use Google Docs? The UI is more friendly. Ryan: Perhaps, but the version control features are less powerful. Kirk: Once a ballot is over, who makes the changes? Ryan: If we were using github, Ben would just have to press a button to accept the results. The view of the BRs is the latest version. Kirk: Do I have to scroll through the entire document to see the changes? Ryan: No, the default view shows only the changes, and a few lines of context around the changes. <o:p></o:p></span></p><div class=MsoNormal align=center style='text-align:center'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'><hr size=1 width="100%" align=center></span></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>WebTrust Update</span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Don Sheehy from Deloitte LLP then gave the following WebTrust update: <o:p></o:p></span></p><ol style='margin-top:0in' start=1 type=1><li class=MsoNormal style='color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l4 level1 lfo11'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>The WebTrust committee met once in Seattle since the last Forum meeting with a focus on auditor licensing, looking at the need for updates and understanding Microsoft’s new requirements. <o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l4 level1 lfo11'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Auditor licensing - There were a few issues identified at the last CAB Forum meeting with regard to potential independence (for example, the size of engagement relative to practice) and issues identified with respect to the performance and reporting . For a recent CA’s audit (TrustCor), CPA Canada awarded a WebTrust seal on an incorrect report. The seal was suspended until a period of time audit is completed and a proper period of time report issued. The seal was recently reinstated but it was noted that the wrong report is attached to the seal. In addition there were a number of deficiencies in the report. Don offered to share information with the company to make sure they post the correct report. With regard to independence, CPA Canada acknowledged that this is a practitioner determination – all auditors are aware of the requirement of independence so it is their responsibility. <o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l4 level1 lfo11'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>The Task Force began redoing the Baseline and Network security audit guidelines. The process is very slow due to the use of the RFC 3647 format for the Baseline Requirements (the mapping from the BRs to the BR WebTrust audit requirements is not as clean as it once was). Further complications arise from the fact that the new network security requirements are not in same format. <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4 level1 lfo11'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Certain issues were identified with the recent Microsoft root program changes <o:p></o:p></span></li><ol start=1 type=a><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4 level2 lfo11'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Responsibility for reporting hierarchy completeness rests with CA (it will not be an auditor responsibility). Auditor identification of all non-technically constrained sub-CAs may be an issue at times (independent sub-CAs, cross-signed roots, etc.). There will be a number of scenarios where one or more auditing firm are involved in auditing the entire hierarchy – organized by root. <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4 level2 lfo11'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>New Roots may be needed to satisfy the requirement for dedicated sub-CAs for DV, OV, and EV certs. <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4 level2 lfo11'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Timing of audits and timeliness of reporting issues – it is the client responsibility to submit audit reports and issues with reports to browsers. Use of third party data centers may not allow timeliness of reporting of certain issues in infrastructure. <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4 level2 lfo11'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>There could be a need for additional reports if specific browsers add new requirements. Microsoft stated it didn’t think auditors would need to audit its new root program requirements – it will use telemetry to monitor compliance. <o:p></o:p></span></li></ol></ol><div class=MsoNormal align=center style='text-align:center'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'><hr size=1 width="100%" align=center></span></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Browser News</span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Microsoft</span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>: No update on Internet Explorer or Edge <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Google</span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>: Ryan said there wasn't much news to report. He indicated that Chrome was considering a feature that Microsoft's new Edge browser implemented: blocking all mixed content on sites using HSTS. To explain: There are two types of mixed content: "Active" vs "Passive" (browsers are now calling these "Blockable Content" and "Optionally-Blockable Content" under the Mixed Content spec). <b><script></b> is an example of Blockable content; <b><img></b> is Optionally-Blockable. Edge blocks both Blockable and Optionally-Blockable for HSTS domains. Chrome currently blocks Blockable (for all domains, HSTS or not), and doesn't block Optionally-Blockable (for any domain, HSTS or not). Ryan said that Chrome may change in the future, such that it adopts Edge's behavior. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Ryan added that Google is continuing to expand the Developer Tool Console in Chrome, and is working on better explaining why a security indicator was degraded. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Opera</span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>: Operas browser is now based on Chromium, haven’t taking all the code - lower level APIs are used, but not the UI. We did previously run our own root store, but this is replaced by the use of the OS root store similar to the Chromium project. Presto is still based on our online root store and it is still millions of installations of Presto. The online root store use Mozilla root store (NSS). Opera Mini run Presto on the server-side. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Opera deals with certificate related errors slightly different than Chromium. Instead of showing a crossed out https or an exclamation mark for mixed content we simply drop the security status to "web" which is the same as for http. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Opera will show user installed roots differently than pre-installed roots. You will get a hint when you start a session. Google will show all roots the same way. Many virus companies use user installed roots to monitor traffic and the use of such user installed roots will give the user a warning. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Opera migrates away from SHA1, and will simply drop the security status to "web" (as for http). Opera will add CT-support for EV, same as for Chrome. EV green bar is shown on desktop only, not in mobile. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Dean said that the EV indicator is not so easy to see, at least not for colorblind people. A suggest for improvement for Opera. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Mozilla</span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'> Firefox release schedule: <a href="https://wiki.mozilla.org/RapidRelease/Calendar"><span style='color:#0044B3;border:none windowtext 1.0pt;padding:0in'>https://wiki.mozilla.org/RapidRelease/Calendar</span></a> <o:p></o:p></span></p><ol start=1 type=1><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l8 level1 lfo12'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>1024-bit root removal - nearly complete, but had to re-enable the “Equifax Secure Certificate Authority”. Barring a new security threat, plan is to turn off the Websites and Code Signing trust bits for this root certificate in the September batch of root changes, which is expected to go into Firefox 44, due for release on 26th January 2016 <o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l8 level2 lfo12'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Bug: <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1156844"><span style='color:#0044B3;border:none windowtext 1.0pt;padding:0in'>https://bugzilla.mozilla.org/show_bug.cgi?id=1156844</span></a> <o:p></o:p></span></li></ul><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l8 level1 lfo12'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Developer console warnings for SHA-1 and RC4 released in Firefox 37(released Mar 31) for top level page loads (doesn’t work in private browsing mode) Examples for testing can be found in bug 1138101 <o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l8 level2 lfo12'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Developer console SHA1: <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1068949"><span style='color:#0044B3;border:none windowtext 1.0pt;padding:0in'>https://bugzilla.mozilla.org/show_bug.cgi?id=1068949</span></a> <o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l8 level2 lfo12'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Developer console RC4/SSL3: <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1092835"><span style='color:#0044B3;border:none windowtext 1.0pt;padding:0in'>https://bugzilla.mozilla.org/show_bug.cgi?id=1092835</span></a> <o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l8 level2 lfo12'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Subresource load warnings: <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1159152"><span style='color:#0044B3;border:none windowtext 1.0pt;padding:0in'>https://bugzilla.mozilla.org/show_bug.cgi?id=1159152</span></a> <o:p></o:p></span></li></ul><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l8 level1 lfo12'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Short-lived certificates - implemented code to bypass revocation, but not yet turned on because “short-lived” hasn’t yet been defined. Contact Richard Barnes if you’re a CA interested in working with Mozilla to trial this. <o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l8 level2 lfo12'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Bug: <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1141189"><span style='color:#0044B3;border:none windowtext 1.0pt;padding:0in'>https://bugzilla.mozilla.org/show_bug.cgi?id=1141189</span></a> <o:p></o:p></span></li></ul><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l8 level1 lfo12'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>HTTP secure by default - published blog post about deprecating non-secure HTTP. Received some push back but planning to press ahead <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l8 level1 lfo12'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>must staple - have a patch, making some progress on implementing <o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l8 level2 lfo12'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Bug: <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=901698"><span style='color:#0044B3;border:none windowtext 1.0pt;padding:0in'>https://bugzilla.mozilla.org/show_bug.cgi?id=901698</span></a> <o:p></o:p></span></li></ul><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l8 level1 lfo12'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Name constraints - currently discussing name constraints for government CAs. This discussion has proved interesting enough that Mozilla received a letter from the Commerce Committee of the US House of Representatives. <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l8 level1 lfo12'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>OneCRL - is the plan for publishing revocation info directly. Now implemented with blocking either by certificate or by subject / pubkey. Not yet bypassing OCSP/CRL checks pending confidence in ability to update the blacklist quickly. Will then enable for intermediate CAs. <o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l8 level1 lfo12'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>SSL telemetry - HPKP violations account for about 0.26% of SSL warnings - appears to come from captive portals. Reports are available at <a href="http://people.mozilla.org/~mgoodwin/tlser/tlser.html"><span style='color:#0044B3;border:none windowtext 1.0pt;padding:0in'>http://people.mozilla.org/~mgoodwin/tlser/tlser.html</span></a> <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l8 level1 lfo12'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Salesforce CRM - used to send May CA communications. Will issue Salesforce license to primary contact of each CA. Kathleen looking for Guinea pigs for using salesforce - if you want to volunteer, please email Kathleen <o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l8 level1 lfo12'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Raw responses to CA survey available at <a href="https://mozillacaprogram.secure.force.com/Communications/CommunicationSummaryReport?CommunicationId=a04o000000M89RCAAZ"><span style='color:#0044B3;border:none windowtext 1.0pt;padding:0in'>https://mozillacaprogram.secure.force.com/Communications/CommunicationSummaryReport?CommunicationId=a04o000000M89RCAAZ</span></a>. Have received responses from all but 3 CAs <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l8 level1 lfo12'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Copyrights - still deciding if every CP/CPS is required to be freely redistributable. Feedback received from Symantec and would welcome feedback from others. Currently planning to require the Creative Commons license with or without restriction on derivative works. <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l8 level1 lfo12'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Discussion of next Mozilla policy coming in August and will take place on mozilla.dev.security.policy forum. <o:p></o:p></span></li><ul style='margin-top:0in' type=circle><li class=MsoNormal style='color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l8 level2 lfo12'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Proposed updates: <a href="https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3"><span style='color:#0044B3;border:none windowtext 1.0pt;padding:0in'>https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3</span></a> <o:p></o:p></span></li></ul></ol><div class=MsoNormal align=center style='text-align:center'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'><hr size=1 width="100%" align=center></span></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Add more info to EV Green bar</span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Richard presented a proposal for added information in the EV green bar. There are a lot of fake sites in China - Richard proposes we add a "true site" term to the EV bar. Richard to send out information for comments in the main mailing list - add a note to say we discussed and would like more feedback <o:p></o:p></span></p><div class=MsoNormal align=center style='text-align:center'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'><hr size=1 width="100%" align=center></span></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Day 2</span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Thursday, 25 June 2015</span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'> <o:p></o:p></span></p><div class=MsoNormal align=center style='text-align:center'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'><hr size=1 width="100%" align=center></span></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>EV Wildcard (EVWC)</span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'> Dean: Not allowed today. It is the most authenticated so in that sense seems more logical than DVWC. What does cert represent? Most think business owner, but Jeremy thought it was the owner of the private key (on a prior call). From the Netcraft conference, it was shown user generated webpage that can be loaded into something like fbsbx.com. However any cert could be used, so this isn’t a EVWC specific issue. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Cloudflare is having issues with phishing DVWC? <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Ryan for EVWC. What is the authorization domain, what are the security limits? If you can get EVWC, you can get it for any of the subdomains anyway. The example with appspot.com. foo.appspot.com Google can get an EV for any of these, but not the other way around. Foo can’t get it because appspot.com is what is validated. In validation, EV removes the “any other validation” method so can’t show control. Apple pares the URL down to the domain. So Netcraft worries about this covering joe.azure.microsoft.com to just azure.microsoft.com. Again, only Microsoft can get this EV for the domain. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Bruce said store.com could be bruce.store.com or dean.store.com If Bruce does fraud, all the info is to store.com Could this be in the subscriber agreement that only the owner can get the EV? Fraud subscriber will click OK. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Robin thinks the argument gets weaker. Why should ryan.store.com get the same level of trust as store.com? Ryan said he would agree if there was a mechanism to differentiate ryan.store.com and dean.store.com, but there isn’t right now. Facebook wants to do sharding. Mostly for performance reasons, but it also allows certs on each subdomain. Today they can get an EV for each one, but if they have 30 shards it is very expensive to do. EVWC would allow easier issuance. Wayne asked if multi-domain would cover this? May not be better in the pure security perspective, but showing each user domain explicitly provides more transparency. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Kirk feels EV is for strong identity, so ryan.store.com would be shown as store.com is not ideal. Ryan said often the payment is through store.com so you have to call them anyway. Bruce asked why wouldn’t Google want an EV for appspot.com. Ryan said that is a branding decision, not a security decision, but they could. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Robin. Don’t need just one cert. Could mix and match certs and sites. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>EV is only 4% of the market, so something is holding it back. Don’t know if it is price or difficulty getting it or value. Why continue DVWC then if we do EVWC? Ryan wants to push SSL and afraid no DVWC would prevent people from doing it. Bruce said Amazon has tons of retailers, but all on Amazon. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Richard felt EVWC good, DVWC bad. For the reason of more validation. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Kirk proposed an EV (NOT WC) that somehow allows a cert/validation procedure for multiple levels. Ryan feared more confusion. Site says one name and transaction on CC statement is different. Can’t prevent that. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Inigo fine with EVWC. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Moudrick said EVWC infers “anything” so agrees with Wayne that multi-domain would be better. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Turktrust thinks EV should be highest level validation and should not allow WC. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Eddy said what about facebook.store.com? Ryan said, you can still get an EV for this subdomain, It might flag due to the Facebook part showing up high-risk, but the CA can justify it and issue. So again, no further security risk. Eddy for it, just was thinking through. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Opera thought it sounded like a bad idea at first, but when you go through the arguments, doesn’t see how it hurts anything. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Tim H mentioned the private key protection issue for all WC where if you have the key you can open any domain. Is it worse if this happened on EV than DV? <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Dean called time. Told everybody to go consider it with their people. <o:p></o:p></span></p><div class=MsoNormal align=center style='text-align:center'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'><hr size=1 width="100%" align=center></span></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Certificate Transparency Update: Current log status, Future plans, etc. </span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Ryan reviewed the current status of Certificate Transparency: <o:p></o:p></span></p><ol start=1 type=1><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level1 lfo13'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>7 organizations have logs now, check the web site for the latest. <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level1 lfo13'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Chrome 43 and 44 follow the Relaxation requirements <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level1 lfo13'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>The new CT policy has been released. The minimum number of SCTs has not changed, but you need one SCT from a Google log and one from a non-Google log (prior policy allowed all SCTs to be issued from Google logs). The enforcement of this new logic will be in Chrome 46. Ryan will let us know how Chrome will know if certificates fall under the prior policy or the new one (the date of the SCT, and/or the certificate "not-before" date must be prior to a tbs date). This "date" has not been finalized. <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level1 lfo13'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>How to receive Green bar treatment as it applies to SCTs: <o:p></o:p></span></li><ol start=1 type=a><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level2 lfo13'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Certificates on the 2014 Whitelist <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level2 lfo13'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Certs with SCTs and/or a not-before date up until a tbs date with SCTs with no log independence requirement (One or all SCTs can be from Google Logs) <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level2 lfo13'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Certs with SCTs and/or a not-before date after a tbs date with at least one Google and one Non-Google log <o:p></o:p></span></li></ol><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level1 lfo13'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Relaxation of the independence requirement is not a permanent decision. The goal is to return to the original requirement eventually. The long term goal is also to log all types of certs, not just EV. <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level1 lfo13'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>The goal of CT logs is that they take Certificates from any CA and that they can contain any Domains. Google encourages log providers to take certificates from all Roots and for all domains <o:p></o:p></span></li><ol start=1 type=a><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level2 lfo13'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>If you are a log monitor you need to look at all logs <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level2 lfo13'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>CAs should not expect to have 100% availability of the Logs and they should be prepared for failure, the internet does not have 100% availability. <o:p></o:p></span></li></ol><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level1 lfo13'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Google is building out more CT related auditing and consistency checks to verify things like was the SCT really added to the log. An SCT is only a promise to add it to the log. <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level1 lfo13'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Sometimes you cannot get enough SCTs and you need to cancel and start over later. <o:p></o:p></span></li><ol start=1 type=a><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level2 lfo13'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Any precerts you posted should be compliant with the BRs (don't post precerts then verify compliance). From a policy perspective people watch logs for certs they intend to issue <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level2 lfo13'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>If you log the same precert you are supposed to get the same SCT, so re-posting should not result in more entries. 6962 says the log can give you the same SCT, or a new one. <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level2 lfo13'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>If you re-post a precert that is not binary the same, you will get a different SCT. <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level2 lfo13'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>If you're first issuance attempt failed and you are doing it again for the same cert, but it has different not-before/after dates, then you will get a new SCT. <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level2 lfo13'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>If you first issuance attempt failed and you update the not-before/after dates and keep the same serial number, log monitors will see what appears to be 2 different certs with the same serial number. Even though the first attempt did not result in the issuance of a certificate, it indicates the intent to issue the certificate. Different pre-certs with the same serial number may trigger some concerns. <o:p></o:p></span></li></ol></ol><div class=MsoNormal align=center style='text-align:center'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'><hr size=1 width="100%" align=center></span></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>ETSI Presentation</span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Iñigo Barreira from IZENPE made an ETSI Presentation. Initially he explained the current sistuation of ETSI deliverables. And then he gave information about the ETSI deliverables to be published in 2015. According to this deliverables to be published as TS in June 2105 and starting the procedure to became EN in 2016 <o:p></o:p></span></p><ul type=disc><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l14 level1 lfo14'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>319 401 General Policy Requirements for Trust Service Providers <o:p></o:p></span></li></ul><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>EN 319 411 Policy and security requirements for Trust Service Providers issuing certificates <o:p></o:p></span></p><ul type=disc><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l15 level1 lfo15'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>319 411-1: General requirements <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l15 level1 lfo15'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>319 411-2: Requirements for trust service providers issuing EU qualified certificates <o:p></o:p></span></li></ul><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>EN 319 412 Certificate Profiles <o:p></o:p></span></p><ul type=disc><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo16'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>319 412-1: Overview and common data structures <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo16'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>319 412-2: Certificate profile for certificates issued to natural persons <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo16'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>319 412-3: Certificate profile for certificates issued to legal persons <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo16'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>319 412-4: Certificate profile for web site certificates issued to organizations <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo16'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>319 412-5: QC Statements <o:p></o:p></span></li><li class=MsoNormal style='color:black;margin-top:6.0pt;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo16'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>319 421 Policy and Security Requirements for Trust Service Providers issuing Electronic Time-Stamps <o:p></o:p></span></li><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo16'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'>319 422 Time-stamping protocol and electronic time-stamp profiles <o:p></o:p></span></li></ul><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>319 411-1 and 319 411-2 are the general requirements according to EIDAS regulations. 319 412-4 and 319 412-5 are the most important parts for CAB Forum and CAs should follow these two standards. Iñigo stated that the implementing dates of these standards have not been decided yet. During this presentation Iñigo also informed participants about the eIDAS Audit Requirement. The most significant requirement is Article 20.1 as follows; <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>"Qualified trust service providers shall be audited at their own expense at least every 24 months by a conformity assessment body. The purpose of the audit shall be to confirm that the qualified trust service providers and the qualified trust services provided by them fulfil the requirements laid down in this Regulation. The qualified trust service providers shall submit the resulting conformity assessment report to the supervisory body within the period of three working days after receiving it." <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>ETSI audits will be carried out only by auditing bodies accredited in accordance with Annex E of TS 102 042. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Jody Cloutier from Microsoft asked how does a browser know if an auditor is qualified or not. Iñigo stated that any auditor who is able to perform ISO 27001 audits can also perform ETSI audits and the accreditation can be checked from a website of the ETSI so an organization should understand that if the auditor is qualified to perform such audits and added that Microsoft Agreement's clause about qualified auditors is correct from this angle. Browsers can also check if a specific auditor is able to perform audit. Currently three auditing bodies (KPMG, TUVIT and LSTI) are accredited. <o:p></o:p></span></p><div class=MsoNormal align=center style='text-align:center'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'><hr size=1 width="100%" align=center></span></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Bylaw Updates </span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Discussion around Kirk's proposed ballot 149 took place. A note taker was not assigned for this segment but in summary, members felt that additional requirements around browser root programs were not warranted so Kirk agreed to modify the language to specify the proper name of the <a href="https://www.cabforum.org/wiki/WebTrust"><span style='color:gray;border:none windowtext 1.0pt;padding:0in'>WebTrust</span></a> audit and submit to the forum. <o:p></o:p></span></p><div class=MsoNormal align=center style='text-align:center'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'><hr size=1 width="100%" align=center></span></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Domain Validation </span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Robin: there are different ways to control issuance of certificates sufficient that we can issue a certificate for it. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Robin: The aim of the game is to get rid of the catch-all provision for domain validation. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>The supposition is that if we do away with the catch-all and replace it with the actual methods that CAs are using. We're not particularly trying to block anything done today, but we are trying to make it transparent, clarifying by setting it out in the BRs that each method in use is enumerated in the BRs. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>It removes the reliance on the CAs estimation that any new method is 'equivalent' to any of the documented methods. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Bruce. The purpose is not to remove what people are doing. Is that right? <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Robin: If a CA said that they always turned around 3 times and spat before issuing a certificate and had persuaded their auditor that was OK then the benefit of this process was that a light would be shone on the process and the forum could decide whether it was acceptable. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Ryan. There is a risk of having the catch-all. We have seen CAs using methods which do not meet an acceptable standard. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Bruce. We want to make a list. The purpose is to have a list so we can clean it up. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Robin. Many things could had been done, but need to have it documented. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Robin. On Tuesday, in the working group, We were discussing the definitions. I suggest we skip over the definitions for this presentation since, although they are important, we need to discuss the list of acceptable methods of domain validation as set out in this proposed revision. What are we authorizing?- What are we proving control of? - those will be left to the working group. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>The list is: <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>1. Confirming applicant directly with Registrar - unchanged. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>2. Email to the registrant, technical, or Administrative contact from WHOIS - unchanged. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>3. the list of 5 email prefixes. The email addresses will be held by people who do control the domain. - unchanged. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>4. Domain authorization document - validation can be carried forward for a period of time. - unchanged. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Kirk: 4 now talks about including any private, anonymous, or proxy registration service. Ryan: That language has been brought up from the paragraph following #7 in the current BRs, but the meaning is unchanged. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>5. This is a new method. Some CAs say if you could demonstrate control of the web-content of the domain - we'll accept it. Kirk: This is actually a re-write of the current #6. It is not a new method, but a re-write of the current #6 limiting the option of where the content can be posted. The explanation we've been given for this limitation is that some hosts the decision to allow their users to control the entirety of the content of a website, but do not intend to give the applicant authority to order certs, and that the intention is that site owners *will* lock down access to the 'well-known' URI. We don't agree for 2 reasons: a) If they're foolish enough to give people access to their entire site then that is their decision. Many web pages don't allow random people to make arbitrary changes to their sites so this is turning the world on its head by saying that people who have less security are limiting options for people with more security. b) Hosting companies and other site owners won't know about this well-known path so the protection is not effective. It creates a new vulnerability. We think that people should still be able to post on their home-page or document root. Ryan: The way it works today is that a CA can do whatever they want today. Some CAs may make poor decisions - such as allowing the applicant to specify the location for the file to be changed. This opens the door for certificates to be issued incorrectly for many sites that host user content, including Facebook. Rick: What about the document root? Kirk: Yes, what about keep the .well-known URI and add the option of the document root. Ryan: That would limit the options which hosting sites offer to their customers and prevent them from allowing their customers to upload to the document root. The 5 prefixes for email address validation are also weak. Some are from RFCs, but admin@? ... FQDN vs. part of the domain for authorization. Consider that today anyone who can demonstrate control of foo.bar.random.com or bar.random.com or random.com can get a certificate for foo.bar.random.com. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>6. Changes in DNS record. E.g. a TEXT record - or could be a CNAME or a different DNS record. Ryan: There are types of DNS records which are necessarily amendable by service users (for some protocols) and those would not be suitable for this purpose. Robin: So that would be an argument for drilling down and specifying the type of DNS records acceptable for this method. We use one variation of this today (CNAME). People are happier to trust a change made to the DNS for a domain rather than a change to a page on the site. Its a useful method. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>7. You can indirect the domain ownership through a DNS CNAME. Ryan: A CNAME is like a forwarding phone number. In use you are forwarded through it without being aware of the forward. Robin: If you're interested in how this work then there will be two steps to the validation. e.g. assets.example.com The people who control assets.example.com have setup a CNAME so that any query for assets.example.com forwards to assets.example.com.cdnservice.com and then undertakes the domain control check on assets.example.com.cdnservice.com. They could then demonstrate control of assets.example.com.cdnservice.com using any of the 9 methods in this section/ A CNAME can be setup at any level in the DNS, so for a FQDN or a 2nd level domain or even (in theory) a TLD. The person controlling the domain you are validating has elected to forward the DNS lookup (and thereby the address resolution and the destination of the traffic) to the destination of the CNAME. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Rick: it seems odd that this #7 is at the same level of everything else when it requires one of the other numbers to be used also. Ryan: That's the implementation - that when you follow this step you have to restart the process. Doug: We could also treat this as a step in the whole process - like for wildcards we say #1 strip off the '*.' we could say here, optionally follow a CNAME and validate ownership / control of that domain instead of the original. Tim: We should that put #7 as the last in the list and say 'following the CNAME method use any of the above methods to verify control on the new domain' Robin: Yes, maybe so. Dean - will you make a note of that for Jeremy, please. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>8. Confirm the applicant controls an IP address. Some discussion over the quality of the check - but it was pointed out that the check of IP control must be carried out according to the language in section 11.1.2. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>9. The final one is of putting a certificate on the site - so a 'test' certificate issued by the CA. If the CA creates a certificate as a unique 'thing' which they give to the applicant and if the applicant can make that certificate live over https then they have demonstrated practical control of the domain. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Ryan. This is similar to number 5. It problematic for a couple of reasons. Different ports are used by different protocols. e.g. IMAP A university student found a CA who allowed you to specify the site name (mapping to IP) *and* the port number. Google will hand out ports on their turn relay (and other service providers allow this for many reasons, too). This means that anyone can have apparent control of an (almost) arbitrary port number. Port number requires privilege. I can open a port and get a certificate for port number 15000. Running a SSL is not necessarily a privileged operation. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>It matters which port you're using. There are a whole set of security concerns around port use. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Port number under 1024 being privileged is an example and a rule of thumb, but is not a standard. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Your email administrator may not be authorized to order a certificate. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Dean: Is that something we've added in? <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Ryan: Yes, this was from Gerv. It's the 'Let's Encrypt' model. Doug: It's a <a href="https://www.cabforum.org/wiki/GlobalSign"><span style='color:gray;border:none windowtext 1.0pt;padding:0in'>GlobalSign</span></a> model, too. We do something similar. If we need to specify the list of ports in section #9 to make it robust then that's OK. Gerv had a more general one (#10?) and we boiled it down to these two. <o:p></o:p></span></p><div class=MsoNormal align=center style='text-align:center'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'><hr size=1 width="100%" align=center></span></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Cert Validity Periods </span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Dean introduced the topic: There have been discussions on 2 years vs. 3 years certificate validity periods. Some people want to reduce the maximum validity period for OV and DV certs to 2 years to reduce security risk to those products. Other people want to increase the period to 3 years for all certs because they are all uniform. Customers are asking for 3 years EV certs and we are not able to issue those, so why can’t we extend to 3 year. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Kirk said that EV started out as something really special with high authentication and therefore we must revalidate every year. However, we are finding that nothing changes much and it is complex and a lot of work and I am unsure of the value of annual revetting. We support the idea of aligning the validity period of all certs to 2 years – with respect to revetting (not certificate validity period). I.e. increase EV revetting periods to 2 years and decrease OV/DV to two years vetting period. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Dean wants to keep the revetting period a different topic from certificate validity period (certificate lifetime). Eddy said that if we issue every 2 years, we should validate each second years. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Tim said he had no problem with validity periods compared to the pain of revalidating/revetting EV. If we have a customer with 5 different EV certificates issued at different times during the period, we have to revalidate the information every year for EV, and as Kirk was saying nothing changes every year. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Eddy said that they revalidate after a year. A DV is doing a very small assertion. An EV is doing a higher assertion. A CA has more information on an EV customer than the DV customer. Increase the validity period for EV and decrease the validity period for OV/DV because the vetting process for EV is more complex and therefore more secure. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Doug said it is not ideal to have 3 year certificates and doing validating annually, i.e. increase certificate validity period for EV from 2 year to 3 year and still doing annual validation. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Ryan proposed annual revetting for domain and every second year for organization. Do domain revalidation every year in case the domain has ceased. If something changes, you have to revoke that certificate. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>If I want to be evil and shady, I can block revocation information for users accessing the site. Revocation checking that doesn’t work makes a longer certificate validity period a higher risk. 2 years lifetime constrains the upper bounds. Pushing out to 3 year potentially means that the certificate no longer properly warrants who the domain holder is. Decreased validity periods or requirement for OCSP stapling could fix that (or we could fix the revocation problem). <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Ryan is concerned with domain revalidation when change of domain ownership takes place. If I sell you sleevie.com I can still get certificates for it the next 39 months. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>This goes back to what we are trying to do with CT – if we buy sleevie.com we would like to know what certificates are out there lurking. CT is talking about what happened in the past. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>The CAs in this room to pretty interesting experiments on how to do domain control validation. It could be a trade off, do the identity validation for longer periods and then the domain control validation for a much shorter period. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Different proposals for certificate validity periods came up based on different arguments: <o:p></o:p></span></p><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 style='margin-left:6.0pt;border-collapse:collapse'><tr><td style='border:solid #ADB9CC 1.0pt;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>Type<o:p></o:p></span></p></td><td style='border:solid #ADB9CC 1.0pt;border-left:none;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>Today<o:p></o:p></span></p></td><td style='border:solid #ADB9CC 1.0pt;border-left:none;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>Tim<o:p></o:p></span></p></td><td style='border:solid #ADB9CC 1.0pt;border-left:none;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>Wayne<o:p></o:p></span></p></td><td style='border:solid #ADB9CC 1.0pt;border-left:none;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>Ryan<o:p></o:p></span></p></td><td style='border:solid #ADB9CC 1.0pt;border-left:none;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>Eddy<o:p></o:p></span></p></td><td style='border:solid #ADB9CC 1.0pt;border-left:none;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>NN<o:p></o:p></span></p></td></tr><tr><td style='border:solid #ADB9CC 1.0pt;border-top:none;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><b><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>DV</span></b><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p></td><td style='border-top:none;border-left:none;border-bottom:solid #ADB9CC 1.0pt;border-right:solid #ADB9CC 1.0pt;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>3<o:p></o:p></span></p></td><td style='border-top:none;border-left:none;border-bottom:solid #ADB9CC 1.0pt;border-right:solid #ADB9CC 1.0pt;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>1<o:p></o:p></span></p></td><td style='border-top:none;border-left:none;border-bottom:solid #ADB9CC 1.0pt;border-right:solid #ADB9CC 1.0pt;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>3<o:p></o:p></span></p></td><td style='border-top:none;border-left:none;border-bottom:solid #ADB9CC 1.0pt;border-right:solid #ADB9CC 1.0pt;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>2<o:p></o:p></span></p></td><td style='border-top:none;border-left:none;border-bottom:solid #ADB9CC 1.0pt;border-right:solid #ADB9CC 1.0pt;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>1<o:p></o:p></span></p></td><td style='border-top:none;border-left:none;border-bottom:solid #ADB9CC 1.0pt;border-right:solid #ADB9CC 1.0pt;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>2<o:p></o:p></span></p></td></tr><tr><td style='border:solid #ADB9CC 1.0pt;border-top:none;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><b><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>OV</span></b><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p></td><td style='border-top:none;border-left:none;border-bottom:solid #ADB9CC 1.0pt;border-right:solid #ADB9CC 1.0pt;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>3<o:p></o:p></span></p></td><td style='border-top:none;border-left:none;border-bottom:solid #ADB9CC 1.0pt;border-right:solid #ADB9CC 1.0pt;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>2<o:p></o:p></span></p></td><td style='border-top:none;border-left:none;border-bottom:solid #ADB9CC 1.0pt;border-right:solid #ADB9CC 1.0pt;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>3<o:p></o:p></span></p></td><td style='border-top:none;border-left:none;border-bottom:solid #ADB9CC 1.0pt;border-right:solid #ADB9CC 1.0pt;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>2<o:p></o:p></span></p></td><td style='border-top:none;border-left:none;border-bottom:solid #ADB9CC 1.0pt;border-right:solid #ADB9CC 1.0pt;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>2<o:p></o:p></span></p></td><td style='border-top:none;border-left:none;border-bottom:solid #ADB9CC 1.0pt;border-right:solid #ADB9CC 1.0pt;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>3<o:p></o:p></span></p></td></tr><tr><td style='border:solid #ADB9CC 1.0pt;border-top:none;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><b><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>EV</span></b><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p></td><td style='border-top:none;border-left:none;border-bottom:solid #ADB9CC 1.0pt;border-right:solid #ADB9CC 1.0pt;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>2<o:p></o:p></span></p></td><td style='border-top:none;border-left:none;border-bottom:solid #ADB9CC 1.0pt;border-right:solid #ADB9CC 1.0pt;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>3<o:p></o:p></span></p></td><td style='border-top:none;border-left:none;border-bottom:solid #ADB9CC 1.0pt;border-right:solid #ADB9CC 1.0pt;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>3<o:p></o:p></span></p></td><td style='border-top:none;border-left:none;border-bottom:solid #ADB9CC 1.0pt;border-right:solid #ADB9CC 1.0pt;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>2<o:p></o:p></span></p></td><td style='border-top:none;border-left:none;border-bottom:solid #ADB9CC 1.0pt;border-right:solid #ADB9CC 1.0pt;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>3<o:p></o:p></span></p></td><td style='border-top:none;border-left:none;border-bottom:solid #ADB9CC 1.0pt;border-right:solid #ADB9CC 1.0pt;padding:3.0pt 6.0pt 3.0pt 6.0pt'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>3<o:p></o:p></span></p></td></tr></table><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>The alternatives will be further discussed in the next meeting. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>There was a discussion regarding requiring the possibility of enforcing OCSP stapling as a way of solving the revocation checking problem. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Ryan said that pushing OCSP stapling alone will not work. This will make the SSL harder, because the experience for the customers is awful. This is not a browser or a server problem, but an ecosystem problem which must be solved by all participants. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Ryan said that he would love to see OCSP stapling working and could consider requiring OCSP stapling for EV certificates. <o:p></o:p></span></p><div class=MsoNormal align=center style='text-align:center'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'><hr size=1 width="100%" align=center></span></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>UI Indicators in browsers </span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Rick Andrews: <br></span><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";border:none windowtext 1.0pt;padding:0in'>Firefox</span><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif"'> <span style='color:black'>had previously announced they were going to degrade security user interface (e.g. removing the green bar, changing the color/appearance of the padlock) if any part of a site uses RC4.<br>Rick had asked that there be a way to identify when this happens and why. <o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>They've made some changes already.<br>(Rick demonstrated FF visiting a site which gave an exclamation mark over the padlock) <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>The certificate information screen gives a general message.<br>'more info..' says 'broken encryption - RC4' - which is pretty helpful. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>The browser could have contacted 1000 sites to build a page. How to identify which caused the problem? <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>If you need to dive deeper, you can look in the<br>"developer web console"->Network<br>shows every connection being made to render the site plus, beneath it, a list of errors/warnings, including the use of RC4. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Show request info->Security <br>shows the details negotiation for each connection.<br>The detail you need is here - suitable for a tech support team to go at. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Ryan says similar functionality is pre-release in Chrome.<br>Ryan demoed a pre-release version of Chrome.<br>using the publicly available test site badssl.com.<br>The page security state in the developer console shows errors.<br>Chrome will display the absence (or presence) of CT logs in all certs, including DV and OV.<br>Digicert is (optionally) including CT log proofs in OV certs. <o:p></o:p></span></p><div class=MsoNormal align=center style='text-align:center'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'><hr size=1 width="100%" align=center></span></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>DV/OV/EV Certificates, Appropriate use and OIDs </span></b><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Dean: Microsoft has described OIDs for DV/OV/EV to be used. DV/OV come from the BRs, EV isn’t defined in the EVG. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Dean: Microsoft has required that these policy OIDs in the intermediates, so does that mean CAs need to cut new intermediates? Eddy: Depends, but not necessarily. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Inigo and Arno raised that ETSI defined OIDs for each of these five years ago, and multiple CAs are already using this. Ryan: Except the Microsoft program requirements don’t use those. They’re free to define their own policies, and they have. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>A discussion ensued about how OID Arcs are allocated. Ryan explained to Dean about how OID arc allocations are made - 2.23.140 is the CABForums’, and we can do whatever we want without telling anyone. That said, we’ve set up a framework for how we do that - Jeremy makes sure we don’t duplicate OIDs. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Dean asked about searching for the OIDs, he can find info about DV/OV, but not EV, so does that mean registration is needed. Ryan explained that’s just an informational process (Harald Alvestrand or Orange SA’s site), and that’s what it’s for, but it’s not required by any process. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Eddy pointed out that Microsoft trumped that procedure in putting out the policy document. Jody made it clear that they’re not tied to the number itself, just that there’s a process to distinguish each of these certificates with a common identifier. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Bruce raised the point that back years ago, a hierarchy of OIDs was setup, so we should just follow that. Ryan pointed out that Ben’s email (about the tor OID) was related to this. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Wayne went and explained each of the OIDs - the OIDs used for the documents, and how they’re assigned. Dean made a proposal for an EV OID, and checked if Jody would be fine with it. Jody reiterated that it’s less about the specific number, as long as there is a common OID. Applause. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Jody explained Microsoft’s position, that they’ve begun discussing the feedback from yesterday’s meeting, and are working on providing clarifying changes. These aren’t minuted because Microsoft will wait to formally announce those. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Bruce asked for clarification with the policy OIDs - in particular, whether or not that policy OID needs to appear within the intermediate itself, or if it’s OK just to appear within the end-entity itself. There was some discussion about the anyPolicy OID and how that works, but Jody clarified that the end goal is to ensure it appears within the end-entity certificate, and he’ll clarify how that works. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Kirk raised that the informational explanation of the OIDs was incorrect for OV and could be confusing. Jeremy will work to resolve this. <o:p></o:p></span></p><div class=MsoNormal align=center style='text-align:center'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'><hr size=1 width="100%" align=center></span></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Discuss <b>F2F Meeting 36</b> in Istanbul Oct 5 and Future <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Istanbul October the 6th 2015 <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>A discussion about hotel rates for Istanbul ensued. Some suggested it should not be above $225. Dean suggested to E-Tugra to get rates for several hotels for different budgets. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Hosts 2016 <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Middle of February Go Daddy (Phoenix) <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Middle of June Izenpe (Bilbao) <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>September or October Microsoft (Seattle) <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Host 2017 <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:12.0pt;font-family:"Arial","sans-serif";color:black'>Chunghwa Telecom February or October (Taiwan) <o:p></o:p></span></p><p class=MsoNormal><span lang=EN><o:p> </o:p></span></p></div></body></html>