<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"MS Gothic";
panose-1:2 11 6 9 7 2 5 8 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"\@SimSun";
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"\@MS Gothic";
panose-1:2 11 6 9 7 2 5 8 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:24.0pt;
margin-bottom:.0001pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:0in;
mso-para-margin-left:2.0gd;
mso-para-margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:Consolas;}
p.a, li.a, div.a
{mso-style-name:純文字;
mso-style-link:"純文字 字元";
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
span.a0
{mso-style-name:"純文字 字元";
mso-style-priority:99;
mso-style-link:純文字;
font-family:"Calibri",sans-serif;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:728309952;
mso-list-type:hybrid;
mso-list-template-ids:43276296 559294892 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:33.0pt;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:ideograph-traditional;
mso-level-text:%2、;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:63.0pt;
text-indent:-24.0pt;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:87.0pt;
text-indent:-24.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:111.0pt;
text-indent:-24.0pt;}
@list l0:level5
{mso-level-number-format:ideograph-traditional;
mso-level-text:%5、;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:135.0pt;
text-indent:-24.0pt;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:159.0pt;
text-indent:-24.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:183.0pt;
text-indent:-24.0pt;}
@list l0:level8
{mso-level-number-format:ideograph-traditional;
mso-level-text:%8、;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:207.0pt;
text-indent:-24.0pt;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:231.0pt;
text-indent:-24.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='text-justify-trim:punctuation'><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt'>Jody,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Li-Chun Chen would like to ask about implementation of the requirement for three intermediate CAs for server, code signing, and client certificates -- after the break.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Thanks,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Ben<o:p></o:p></span></p><p class=MsoNormal><a name="_MailEndCompose"><span style='font-size:11.0pt'><o:p> </o:p></span></a></p><span style='mso-bookmark:_MailEndCompose'></span><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt'>From:</span></b><span style='font-size:11.0pt'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>???<br><b>Sent:</b> Wednesday, May 11, 2016 4:28 AM<br><b>To:</b> Jody Cloutier <jodycl@microsoft.com>; 'CABFPub' <public@cabforum.org><br><b>Subject:</b> [cabfpub] Questions about 2016 Microsoft Root Program Changes<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoPlainText><span style='color:#1F497D;mso-fareast-language:ZH-TW'>Dear Jody,<o:p></o:p></span></p><p class=MsoPlainText><span style='color:black;mso-fareast-language:ZH-TW'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:black;mso-fareast-language:ZH-TW'> </span><span style='color:#1F497D;mso-fareast-language:ZH-TW'>Each CA in Microsoft Trusted Root Certificate Program should receive below Root Program Changes effective June 7, 2016. Would you mind discussing in the mailing list or in the Browser News section of the Bilbao F2F Meeting ?<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D;mso-fareast-language:ZH-TW'><o:p> </o:p></span></p><p class=MsoListParagraph style='margin-left:33.0pt;mso-para-margin-left:0gd;text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='color:#1F497D;mso-fareast-language:ZH-TW'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='color:#1F497D;mso-fareast-language:ZH-TW'>We suggest Microsoft clarify No. 7 as below sentences (we add “new issues “ in red color).<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D;mso-fareast-language:ZH-TW'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;color:black;mso-fareast-language:ZH-TW'>Add a new technical requirement (4)(A)(14) to read</span><span style='font-family:"Times New Roman",serif;mso-fareast-language:ZH-TW'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;color:black;mso-fareast-language:ZH-TW'> </span><span style='mso-fareast-language:ZH-TW'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;color:black;mso-fareast-language:ZH-TW'>Effective February 1, 2017, all </span><span style='font-size:9.0pt;color:red;mso-fareast-language:ZH-TW'>new issued </span><span style='font-size:9.0pt;color:black;mso-fareast-language:ZH-TW'>end-entity certificates must contain the EKU for the purpose that the CA issued the certificate to the customer, and the end-entity certificate may not use “any EKU.”</span><span style='color:#1F497D;mso-fareast-language:ZH-TW'><o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D;mso-fareast-language:ZH-TW'><o:p> </o:p></span></p><p class=MsoListParagraph style='margin-left:33.0pt;mso-para-margin-left:0gd;text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='color:#1F497D;mso-fareast-language:ZH-TW'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='color:#1F497D;mso-fareast-language:ZH-TW'>We suggest to delete No.5. As all the end-entity certificates contain the EKUs for one or more purposes for which the certified public key may be used in No.7 . <o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:33.0pt;mso-para-margin-left:0gd'><span style='color:#1F497D;mso-fareast-language:ZH-TW'>There will be extra cost for an exist intermediate CA to separate to different intermediate CAs. (For example, Originally we outsource WebTrust series auditing for ePKI for three years in March. I don’t know if the auditor asked for additional audit report and Seal fee. As we have to separate the CA originally issues TLS/SSL certificates to organizations’ s servers and S/MIME certificates to organizations. ) . Also if an intermediate CA can issue different end-entity certificates and following No. 7 and other rules without material risks, why does Microsoft add the rule of No.5 ?<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D;mso-fareast-language:ZH-TW'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D;mso-fareast-language:ZH-TW'> 3. Also, please tell us how Microsoft will block those end-entity certificates without following with No.5 and No.7 rules in 2017. <o:p></o:p></span></p><p><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;mso-fareast-language:ZH-TW'>Microsoft is making the following changes to our root program policies and audit requirements. Unless otherwise stated, these requirements will be effective June 7, 2016. If you have any questions, please email <a href="mailto:rootcert@microsoft.com">rootcert@microsoft.com</a>.</span><span style='mso-fareast-language:ZH-TW'><o:p></o:p></span></p><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 style='border-collapse:collapse'><tr><td width=42 valign=top style='width:31.5pt;border:solid #BDD6EE 1.0pt;border-bottom:solid #9CC2E5 1.5pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><b><span style='font-size:9.0pt;color:black'>No.</span></b><o:p></o:p></p></td><td width=102 valign=top style='width:76.25pt;border-top:solid #BDD6EE 1.0pt;border-left:none;border-bottom:solid #9CC2E5 1.5pt;border-right:solid #BDD6EE 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><b><span style='font-size:9.0pt;color:black'>Applies To</span></b><o:p></o:p></p></td><td width=335 valign=top style='width:251.2pt;border-top:solid #BDD6EE 1.0pt;border-left:none;border-bottom:solid #9CC2E5 1.5pt;border-right:solid #BDD6EE 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><b><span style='font-size:9.0pt;color:black'>Proposed Change</span></b><o:p></o:p></p></td></tr><tr><td width=42 valign=top style='width:31.5pt;border:solid #BDD6EE 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><b><span style='font-size:9.0pt;color:black'>1</span></b><o:p></o:p></p></td><td width=102 valign=top style='width:76.25pt;border-top:none;border-left:none;border-bottom:solid #BDD6EE 1.0pt;border-right:solid #BDD6EE 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='color:black'><a href="http://aka.ms/rootcert"><span style='font-size:9.0pt;color:black'>Prog. Rules</span></a></span><o:p></o:p></p></td><td width=335 valign=top style='width:251.2pt;border-top:none;border-left:none;border-bottom:solid #BDD6EE 1.0pt;border-right:solid #BDD6EE 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;color:black'>Add a new continuing program requirement 3.12 with the following language:</span><span style='font-family:"Times New Roman",serif'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;color:black'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:9.0pt;color:black'>If Microsoft, in its sole discretion, identifies an Authenticode certificate as either containing a deceptive name or as being used to promote malware or unwanted software, Microsoft will contact the responsible CA and request that is revoke the certificate. The CA must either revoke the certificate within a commercially-reasonable timeframe, or it must request an exception from Microsoft within two (2) business days of receiving Microsoft’s request. Microsoft may either grant or deny the exception at its sole discretion. In the event that Microsoft does not grant the exception, the CA must revoke the certificate within a commercially-reasonable timeframe not to exceed two (2) business days.</span><o:p></o:p></p></td></tr><tr><td width=42 valign=top style='width:31.5pt;border:solid #BDD6EE 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><b><span style='font-size:9.0pt;color:black'>2</span></b><o:p></o:p></p></td><td width=102 valign=top style='width:76.25pt;border-top:none;border-left:none;border-bottom:solid #BDD6EE 1.0pt;border-right:solid #BDD6EE 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;color:black'>Prog. Rules</span><o:p></o:p></p></td><td width=335 valign=top style='width:251.2pt;border-top:none;border-left:none;border-bottom:solid #BDD6EE 1.0pt;border-right:solid #BDD6EE 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;color:black'>Add a new continuing program requirement 3.13 with the following language:</span><span style='font-family:"Times New Roman",serif'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;color:black'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:9.0pt;color:black'>If Microsoft, it its sole discretion, identifies a DV Server Authentication certificate is being used to promote malware or unwanted software, Microsoft will contact the responsible CA and request that it revoke the certificate. The CA must either revoke the certificate within a commercially-reasonable timeframe, or it must request an exception from Microsoft within two (2) business days of receiving Microsoft’s request. Microsoft may either grant or deny the exception at its sole discretion. In the event that Microsoft does not grant the exception, the CA must revoke the certificate within a commercially-reasonable timeframe not to exceed two (2) business days.</span><o:p></o:p></p></td></tr><tr><td width=42 valign=top style='width:31.5pt;border:solid #BDD6EE 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><b><span style='font-size:9.0pt;color:black'>3</span></b><o:p></o:p></p></td><td width=102 valign=top style='width:76.25pt;border-top:none;border-left:none;border-bottom:solid #BDD6EE 1.0pt;border-right:solid #BDD6EE 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;color:black'>Prog. Rules</span><o:p></o:p></p></td><td width=335 valign=top style='width:251.2pt;border-top:none;border-left:none;border-bottom:solid #BDD6EE 1.0pt;border-right:solid #BDD6EE 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;color:black'>Add a new continuing program requirement 3.14 with the following language:</span><span style='font-family:"Times New Roman",serif'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;color:black'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:9.0pt;color:black'>Effective February 1, 2017, any CA enrolled in the program that issues certificates capable of being used for code signing must adopt the CAB Forum Code Signing Baseline Requirements published by the CAB Forum Code Signing Working Group (available at </span><span style='color:black'><a href="http://aka.ms/csbr"><span style='font-size:9.0pt;color:black'>http://aka.ms/csbr</span></a></span><span style='font-size:9.0pt;color:black'>). Each CA must make the necessary changes to its CP/CPS documents and provide evidence to Microsoft that it has made the change and implemented the required process updates. </span><o:p></o:p></p></td></tr><tr><td width=42 valign=top style='width:31.5pt;border:solid #BDD6EE 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><b><span style='font-size:9.0pt;color:black'>4</span></b><o:p></o:p></p></td><td width=102 valign=top style='width:76.25pt;border-top:none;border-left:none;border-bottom:solid #BDD6EE 1.0pt;border-right:solid #BDD6EE 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;color:black'>Prog. Rules</span><o:p></o:p></p></td><td width=335 valign=top style='width:251.2pt;border-top:none;border-left:none;border-bottom:solid #BDD6EE 1.0pt;border-right:solid #BDD6EE 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;color:black'>Add a new technical requirement 4(A)(14) to read</span><span style='font-family:"Times New Roman",serif'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;color:black'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:9.0pt;color:black'>A CA must either technically constrain an OCSP responder such that the only EKU allowed is OCSP Signing or it must not use SHA-1 to sign OCSP responses.</span><o:p></o:p></p></td></tr><tr><td width=42 valign=top style='width:31.5pt;border:solid #BDD6EE 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><b><span style='font-size:9.0pt;color:black'>5</span></b><o:p></o:p></p></td><td width=102 valign=top style='width:76.25pt;border-top:none;border-left:none;border-bottom:solid #BDD6EE 1.0pt;border-right:solid #BDD6EE 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;color:black'>Prog. Rules</span><o:p></o:p></p></td><td width=335 valign=top style='width:251.2pt;border-top:none;border-left:none;border-bottom:solid #BDD6EE 1.0pt;border-right:solid #BDD6EE 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;color:black'>Amend 4(A)(11) to read</span><span style='font-family:"Times New Roman",serif'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;color:black'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:9.0pt;color:black'>New intermediate CA certificates under root certificates submitted for distribution by the Program must separate Server Authentication, <u>S/MIME</u>, Code Signing and Time Stamping uses. This means that a single <u>intermediate</u> <s>issuing CA</s> must not be used to issue <s>both</s> server authentication<u>, S/MIME</u>, and code signing certificates. A separate CA must be used for each use case. Please note that this requirement does not apply to roots enrolled in the Program prior to July 1, 2015. <u>Any root enrolled in the program before this date must comply with this requirement by January 1, 2017.</u> </span><o:p></o:p></p></td></tr><tr><td width=42 valign=top style='width:31.5pt;border:solid #BDD6EE 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><b><span style='font-size:9.0pt;color:black'>6</span></b><o:p></o:p></p></td><td width=102 valign=top style='width:76.25pt;border-top:none;border-left:none;border-bottom:solid #BDD6EE 1.0pt;border-right:solid #BDD6EE 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='color:black'><a href="http://aka.ms/auditreqs"><span style='font-size:9.0pt;color:black'>Audit Reqs</span></a></span><span style='font-size:9.0pt;color:black'>.</span><o:p></o:p></p></td><td width=335 valign=top style='width:251.2pt;border-top:none;border-left:none;border-bottom:solid #BDD6EE 1.0pt;border-right:solid #BDD6EE 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;color:black'>Add a note under 2(B) that reads</span><span style='font-family:"Times New Roman",serif'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;color:black'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:9.0pt;color:black'>Microsoft will only accept ETSI-based audits from CAs that are located in the European Union. All other CAs must use the appropriate WebTrust audits.</span><o:p></o:p></p></td></tr><tr><td width=42 valign=top style='width:31.5pt;border:solid #BDD6EE 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><b><span style='font-size:9.0pt;color:black'>7</span></b><o:p></o:p></p></td><td width=102 valign=top style='width:76.25pt;border-top:none;border-left:none;border-bottom:solid #BDD6EE 1.0pt;border-right:solid #BDD6EE 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='color:black'>Prog. Rules</span><o:p></o:p></p></td><td width=335 valign=top style='width:251.2pt;border-top:none;border-left:none;border-bottom:solid #BDD6EE 1.0pt;border-right:solid #BDD6EE 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal><span style='font-size:9.0pt;color:black'>Add a new technical requirement (4)(A)(14) to read</span><span style='font-family:"Times New Roman",serif'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;color:black'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:9.0pt;color:black'>Effective February 1, 2017, all end-entity certificates must contain the EKU for the purpose that the CA issued the certificate to the customer, and the end-entity certificate may not use “any EKU.”</span><o:p></o:p></p></td></tr></table><p class=MsoPlainText><span style='color:black;mso-fareast-language:ZH-TW'><o:p> </o:p></span></p><p class=MsoPlainText><span style='color:black;mso-fareast-language:ZH-TW'>Sincerely Yours,<o:p></o:p></span></p><p class=MsoPlainText><span style='color:black;mso-fareast-language:ZH-TW'><o:p> </o:p></span></p><p class=MsoNormal><span lang=NO-BOK style='color:#1F497D;mso-fareast-language:ZH-TW'> Li-Chun CHEN<o:p></o:p></span></p><p class=MsoNormal><span lang=NO-BOK style='color:#1F497D;mso-fareast-language:ZH-TW'> Senior Engineer<o:p></o:p></span></p><p class=MsoNormal><span lang=NO-BOK style='color:#1F497D;mso-fareast-language:ZH-TW'> CISSP, CISA, CISM, PMP,<o:p></o:p></span></p><p class=MsoNormal><span lang=NO-BOK style='color:#1F497D;mso-fareast-language:ZH-TW'> Information & Communication Security Dept.<o:p></o:p></span></p><p class=MsoNormal><span lang=NO-BOK style='color:#1F497D;mso-fareast-language:ZH-TW'> Data Communication Business Group<o:p></o:p></span></p><p class=MsoNormal><span lang=NO-BOK style='color:#1F497D;mso-fareast-language:ZH-TW'> Chunghwa Telecom Co. Ltd.<o:p></o:p></span></p><p class=MsoNormal><span lang=NO-BOK style='color:#1F497D;mso-fareast-language:ZH-TW'> <a href="mailto:realsky@cht.com.tw">realsky@cht.com.tw</a><o:p></o:p></span></p><p class=MsoNormal><span lang=NO-BOK style='color:#1F497D;mso-fareast-language:ZH-TW'> +886-2-2344-4820#4025<o:p></o:p></span></p><p class=MsoPlainText><span style='color:black;mso-fareast-language:ZH-TW'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Times New Roman",serif'><o:p> </o:p></span></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"MS Gothic"'>本信件可能包含中華電信股份有限公司機密資訊</span><span style='font-family:"Times New Roman",serif'>,</span><span style='font-family:"MS Gothic"'>非指定之收件者</span><span style='font-family:"Times New Roman",serif'>,</span><span style='font-family:"MS Gothic"'>請勿蒐集、處理或利用本信件</span><span style='font-family:SimSun'>內容</span><span style='font-family:"Times New Roman",serif'>,</span><span style='font-family:"MS Gothic"'>並請銷毀此信件</span><span style='font-family:"Times New Roman",serif'>. </span><span style='font-family:"MS Gothic"'>如為指定收件者</span><span style='font-family:"Times New Roman",serif'>,</span><span style='font-family:"MS Gothic"'>應確實保護郵件中本公司之營業機密及個人資料</span><span style='font-family:"Times New Roman",serif'>,</span><span style='font-family:"MS Gothic"'>不得任意傳佈或揭露</span><span style='font-family:"Times New Roman",serif'>,</span><span style='font-family:"MS Gothic"'>並應自行確認本郵件之附檔與超連結之安全性</span><span style='font-family:"Times New Roman",serif'>,</span><span style='font-family:"MS Gothic"'>以共同善盡資訊安全與個資保護責任</span><span style='font-family:"Times New Roman",serif'>. <o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Times New Roman",serif'>Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.<o:p></o:p></span></p></div></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Times New Roman",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Times New Roman",serif'><o:p> </o:p></span></p></div></div></body></html>