<html>

  <head>

    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">

  </head>

  <body bgcolor="#FFFFFF" text="#000000">

    <br>

    <br>

    <div class="moz-cite-prefix">On 30/3/2017 9:20 μμ, Ryan Sleevi

      wrote:<br>

    </div>

    <blockquote

cite="mid:CACvaWvaGz-4EeFvo_eZQLOj73mr-cXrytzazenPa8uGHUrf-Ww@mail.gmail.com"

      type="cite">

      <div dir="ltr"><br>

        <div class="gmail_extra"><br>

          <div class="gmail_quote">On Thu, Mar 30, 2017 at 1:03 PM,

            Dimitris Zacharopoulos <span dir="ltr"><<a

                moz-do-not-send="true" href="mailto:jimmy@it.auth.gr"

                target="_blank">jimmy@it.auth.gr</a>></span> wrote:<br>

            <blockquote class="gmail_quote" style="margin:0px 0px 0px

              0.8ex;border-left:1px solid

              rgb(204,204,204);padding-left:1ex">

              <div bgcolor="#FFFFFF"><span class="gmail-"><br>

                </span> The intention is that it MUST NOT be permitted

                to directly sign a id-kp-timeStamping certificate from

                such a Root. The reason behind this is that only Roots

                that participate in a hierarchy that eventually issues

                publicly trusted SSL certificates should have this rule.

                Roots that participate in a hierarchy that does not

                issue SSL end-entity certificates should not need to

                follow this rule. Could you please offer some

                improvement language to make this clearer?<br>

              </div>

            </blockquote>

            <div><br>

            </div>

            <div>Thanks for clarifying the intent.</div>

            <div><br>

            </div>

            <div>I'm unsure what the issue is with the original wording,

              which I think made that clear:</div>

            <div><br>

            </div>

            <div>"Root CA Private Keys MUST NOT be used to sign

              Certificates except in the following cases:"</div>

            <div><br>

            </div>

            <div>Why doesn't that sufficiently address it? As I

              understand it, your concern was related to whether

              id-kp-timeStamping relates to "infrastructure"

              certificates, but that doesn't seem to have been

              addressed/clarified in a way that would move closer to

              that goal, right?</div>

          </div>

        </div>

      </div>

    </blockquote>

    <br>

    It removes the "e.g" that was causing the confusion. At least that

    was the outcome from the previous discussion. it-kp-timeStamping is

    not included in the specific exceptions (administrative role

    certificates, Internal CA operational device certificates)<br>

    <br>

    Dimitris.<br>

  </body>

</html>