<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <br>
    <br>
    <div class="moz-cite-prefix">On 30/3/2017 9:20 PM, Ryan Sleevi
      wrote:<br>
    </div>
    <blockquote
cite="mid:CACvaWvaGz-4EeFvo_eZQLOj73mr-cXrytzazenPa8uGHUrf-Ww@mail.gmail.com"
      type="cite">
      <div dir="ltr"><br>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On Thu, Mar 30, 2017 at 1:03 PM,
            Dimitris Zacharopoulos <span dir="ltr"><<a
                moz-do-not-send="true" href="mailto:jimmy@it.auth.gr"
                target="_blank">jimmy@it.auth.gr</a>></span> wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
              0.8ex;border-left:1px solid
              rgb(204,204,204);padding-left:1ex">
              <div bgcolor="#FFFFFF"><span class="gmail-"><br>
                </span> The intention is that it MUST NOT be permitted
                to directly sign a id-kp-timeStamping certificate from
                such a Root. The reason behind this is that only Roots
                that participate in a hierarchy that eventually issues
                publicly trusted SSL certificates should have this rule.
                Roots that participate in a hierarchy that does not
                issue SSL end-entity certificates should not need to
                follow this rule. Could you please offer some
                improvement language to make this clearer?<br>
              </div>
            </blockquote>
            <div><br>
            </div>
            <div>Thanks for clarifying the intent.</div>
            <div><br>
            </div>
            <div>I'm unsure what the issue is with the original wording,
              which I think made that clear:</div>
            <div><br>
            </div>
            <div>"Root CA Private Keys MUST NOT be used to sign
              Certificates except in the following cases:"</div>
            <div><br>
            </div>
            <div>Why doesn't that sufficiently address it? As I
              understand it, your concern was related to whether
              id-kp-timeStamping relates to "infrastructure"
              certificates, but that doesn't seem to have been
              addressed/clarified in a way that would move closer to
              that goal, right?</div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    It removes the "e.g." that was causing the confusion. At least that
    was the outcome from the previous discussion. id-kp-timeStamping is
    not included in the specific exceptions (administrative role
    certificates, Internal CA operational device certificates).<br>
    <br>
    Dimitris.<br>
  </body>
</html>