<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <font face="Cambria">SSC votes: "Yes".<br>
      <br>
      Thanks,<br>
      M.D.<br>
    </font><br>
    <div class="moz-cite-prefix">On 4/12/2017 7:33 PM, Arno Fiedler via
      Public wrote:<br>
    </div>
    <blockquote
      cite="mid:fa9663aa-0841-a13f-c914-b2871b06c946@nimbus-berlin.com"
      type="cite">
      <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
      <a moz-do-not-send="true" name="_MailEndCompose"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"
          lang="EN-US"><o:p><br>
            <font size="+1">D-TRUST votes "yes"<br>
              Arno<br>
               </font></o:p></span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"
          lang="EN-US"></span></a>
      <blockquote
        cite="mid:000f01d2b3a5$9ed7bc40$dc8734c0$@turktrust.com.tr"
        type="cite">
        <div class="WordSection1">
          <div>
            <div style="border:none;border-top:solid #E1E1E1
              1.0pt;padding:3.0pt 0cm 0cm 0cm">
              <p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"
                    lang="EN-US">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"
                  lang="EN-US"> Public [<a moz-do-not-send="true"
                    href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
                  <b>On Behalf Of </b>Dimitris Zacharopoulos via Public<br>
                  <b>Sent:</b> Wednesday, April 5, 2017 1:47 AM<br>
                  <b>To:</b> <a moz-do-not-send="true"
                    href="mailto:public@cabforum.org">public@cabforum.org</a><br>
                  <b>Cc:</b> Dimitris Zacharopoulos <<a
                    moz-do-not-send="true"
                    href="mailto:jimmy@it.auth.gr">jimmy@it.auth.gr</a>><br>
                  <b>Subject:</b> [cabfpub] Ballot 189 (revised) - Amend
                  Section 6.1.7 of Baseline Requirements<o:p></o:p></span></p>
            </div>
          </div>
          <p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
          <p class="MsoNormal" style="margin-bottom:12.0pt"><span
              lang="EN-US"><br>
              After the recent discussion, the ballot is now updated
              with simpler language. Voting starts tomorrow April 6th.<br>
              <br>
              Dimitris.<o:p></o:p></span></p>
          <div>
            <p class="MsoNormal"><strong><span lang="EN-US">Ballot 189 -
                  Amend Section 6.1.7 of Baseline Requirements</span></strong><span
                lang="EN-US"> <o:p></o:p></span></p>
            <p class="line874"><span lang="EN-US">The following motion
                has been proposed by Dimitris Zacharopoulos of HARICA
                and endorsed by Bruce Morton of Entrust and Jeremy
                Rowley of Digicert <o:p></o:p></span></p>
            <p class="line867"><strong><span lang="EN-US">Background</span></strong><span
                lang="EN-US">: <o:p></o:p></span></p>
            <p class="line874"><span lang="EN-US">Section 6.1.7 of the
                Baseline Requirements states that the Root CA Private
                Keys MUST NOT be used to sign end-entity certificates,
                with some exceptions. It is unclear if this exception
                list includes end-entity certificates with EKU
                id-kp-timeStamping. This ballot attempts to clarify two
                things: <o:p></o:p></span></p>
            <ol start="1" type="1">
              <li class="MsoNormal"
                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
                level1 lfo3"><span lang="EN-US">that it affects Root
                  Keys in a hierarchy that issues SSL Certificates and <o:p></o:p></span></li>
              <li class="MsoNormal"
                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
                level1 lfo3"><span lang="EN-US">that it does not include
                  time stamping certificates in the exception list. <o:p></o:p></span></li>
            </ol>
            <p class="line874"><span lang="EN-US">It also clears the
                exception language for 1024-bit RSA Subscriber
                Certificates and testing products with Certificates
                issued by a Root. <o:p></o:p></span></p>
            <p class="line867"><strong><span lang="EN-US">-- MOTION
                  BEGINS --</span></strong><span lang="EN-US"> <o:p></o:p></span></p>
            <p class="line867"><em><span lang="EN-US">Current section
                  6.1.7</span></em><span lang="EN-US"> <o:p></o:p></span></p>
            <p class="line874"><span lang="EN-US">Root CA Private Keys
                MUST NOT be used to sign Certificates except in the
                following cases: <o:p></o:p></span></p>
            <ol start="1" type="1">
              <li class="MsoNormal"
                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4
                level1 lfo6"><span lang="EN-US">Self-signed Certificates
                  to represent the Root Certificate itself; <o:p></o:p></span></li>
              <li class="MsoNormal"
                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4
                level1 lfo6"><span lang="EN-US">Certificates for
                  Subordinate CAs and Cross Certificates; <o:p></o:p></span></li>
              <li class="MsoNormal"
                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4
                level1 lfo6"><span lang="EN-US">Certificates for
                  infrastructure purposes (e.g. administrative role
                  certificates, internal CA operational device
                  certificates, and OCSP Response verification
                  Certificates); <o:p></o:p></span></li>
              <li class="MsoNormal"
                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4
                level1 lfo6"><span lang="EN-US">Certificates issued
                  solely for the purpose of testing products with
                  Certificates issued by a Root CA; and <o:p></o:p></span></li>
              <li class="MsoNormal"
                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4
                level1 lfo6"><span lang="EN-US">Subscriber Certificates,
                  provided that: <o:p></o:p></span></li>
            </ol>
            <ol start="5" type="1">
              <ol start="1" type="a">
                <li class="MsoNormal"
                  style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4
                  level2 lfo6"><span lang="EN-US">The Root CA uses a
                    1024-bit RSA signing key that was created prior to
                    the Effective Date; <o:p></o:p></span></li>
                <li class="MsoNormal"
                  style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4
                  level2 lfo6"><span lang="EN-US">The Applicant’s
                    application was deployed prior to the Effective
                    Date; <o:p></o:p></span></li>
                <li class="MsoNormal"
                  style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4
                  level2 lfo6"><span lang="EN-US">The Applicant’s
                    application is in active use by the Applicant or the
                    CA uses a documented process to establish that the
                    Certificate’s use is required by a substantial
                    number of Relying Parties; <o:p></o:p></span></li>
                <li class="MsoNormal"
                  style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4
                  level2 lfo6"><span lang="EN-US">The CA follows a
                    documented process to determine that the Applicant’s
                    application poses no known security risks to Relying
                    Parties; <o:p></o:p></span></li>
                <li class="MsoNormal"
                  style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4
                  level2 lfo6"><span lang="EN-US">The CA documents that
                    the Applicant’s application cannot be patched or
                    replaced without substantial economic outlay. <o:p></o:p></span></li>
                <li class="MsoNormal"
                  style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4
                  level2 lfo6"><span lang="EN-US">The CA signs the
                    Subscriber Certificate on or before June 30, 2016;
                    and <o:p></o:p></span></li>
                <li class="MsoNormal"
                  style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4
                  level2 lfo6"><span lang="EN-US">The notBefore field in
                    the Subscriber Certificate has a date on or before
                    June 30, 2016 <o:p></o:p></span></li>
              </ol>
            </ol>
            <p class="line867"><em><span lang="EN-US">Proposed section
                  6.1.7</span></em><span lang="EN-US"> <o:p></o:p></span></p>
            <p class="line874"><span lang="EN-US">Private Keys
                corresponding to Root Certificates MUST NOT be used to
                sign Certificates except in the following cases: <o:p></o:p></span></p>
            <ol start="1" type="1">
              <li class="MsoNormal"
                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3
                level1 lfo10"><span lang="EN-US">Self-signed
                  Certificates to represent the Root CA itself; <o:p></o:p></span></li>
              <li class="MsoNormal"
                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3
                level1 lfo10"><span lang="EN-US">Certificates for
                  Subordinate CAs and Cross Certificates; <o:p></o:p></span></li>
              <li class="MsoNormal"
                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3
                level1 lfo10"><span lang="EN-US">Certificates for
                  infrastructure purposes (administrative role
                  certificates, internal CA operational device
                  certificates) <o:p></o:p></span></li>
              <li class="MsoNormal"
                style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3
                level1 lfo10"><span lang="EN-US">Certificates for OCSP
                  Response verification; <o:p></o:p></span></li>
            </ol>
            <p class="line867"><strong><span lang="EN-US">These changes
                  become Effective 30 days after the ballot passes.</span></strong><span
                lang="EN-US"> <o:p></o:p></span></p>
            <p class="line867"><strong><span lang="EN-US">-- MOTION ENDS
                  --</span></strong><span lang="EN-US"> <o:p></o:p></span></p>
            <p class="line874"><span lang="EN-US">The procedure for this
                ballot is as follows (exact start and end times may be
                adjusted to comply with applicable Bylaws and IPR
                Agreement): <o:p></o:p></span></p>
            <div>
              <table class="MsoNormalTable" border="0" cellpadding="0"
                cellspacing="5">
                <tbody>
                  <tr>
                    <td style="background:#E0E0FF;padding:.75pt .75pt
                      .75pt .75pt">
                      <p class="line862">BALLOT 189 Status: Amend BR
                        6.1.7 <o:p></o:p></p>
                    </td>
                    <td style="background:#E0E0FF;padding:.75pt .75pt
                      .75pt .75pt">
                      <p class="line862" style="text-align:center"
                        align="center">Start time (22:00 UTC) <o:p></o:p></p>
                    </td>
                    <td style="background:#E0E0FF;padding:.75pt .75pt
                      .75pt .75pt">
                      <p class="line862" style="text-align:center"
                        align="center">End time (22:00 UTC) <o:p></o:p></p>
                    </td>
                  </tr>
                  <tr>
                    <td style="padding:.75pt .75pt .75pt .75pt">
                      <p class="line862">Discussion (7 days) <o:p></o:p></p>
                    </td>
                    <td style="padding:.75pt .75pt .75pt .75pt">
                      <p class="line862" style="text-align:center"
                        align="center">30 March 2017 <o:p></o:p></p>
                    </td>
                    <td style="padding:.75pt .75pt .75pt .75pt">
                      <p class="line862" style="text-align:center"
                        align="center">6 April 2017 <o:p></o:p></p>
                    </td>
                  </tr>
                  <tr>
                    <td style="padding:.75pt .75pt .75pt .75pt">
                      <p class="line862">Vote for approval (7 days) <o:p></o:p></p>
                    </td>
                    <td style="padding:.75pt .75pt .75pt .75pt">
                      <p class="line862" style="text-align:center"
                        align="center">6 April 2017 <o:p></o:p></p>
                    </td>
                    <td style="padding:.75pt .75pt .75pt .75pt">
                      <p class="line862" style="text-align:center"
                        align="center">13 April 2017 <o:p></o:p></p>
                    </td>
                  </tr>
                  <tr>
                    <td style="padding:.75pt .75pt .75pt .75pt">
                      <p class="line862">If vote approves ballot: Review
                        Period (Chair to send Review Notice) (30 days)<br>
                        If Exclusion Notice(s) filed, ballot approval is
                        rescinded and PAG to be created.<br>
                        If no Exclusion Notices filed, ballot becomes
                        effective at end of Review Period.<br>
                        Votes must be cast by posting an on-list reply
                        to this thread on the Public Mail List.<o:p></o:p></p>
                    </td>
                    <td style="padding:.75pt .75pt .75pt .75pt">
                      <p class="line862" style="text-align:center"
                        align="center">Upon filing of Review Notice by
                        Chair<o:p></o:p></p>
                    </td>
                    <td style="padding:.75pt .75pt .75pt .75pt">
                      <p class="line862" style="text-align:center"
                        align="center">30 days after filing of Review
                        Notice by Chair<o:p></o:p></p>
                    </td>
                  </tr>
                </tbody>
              </table>
            </div>
            <p class="line874"><span lang="EN-US">From Bylaw 2.3: If the
                Draft Guideline Ballot is proposing a Final Maintenance
                Guideline, such ballot will include a redline or
                comparison showing the set of changes from the Final
                Guideline section(s) intended to become a Final
                Maintenance Guideline, and need not include a copy of
                the full set of guidelines. Such redline or comparison
                shall be made against the Final Guideline section(s) as
                they exist at the time a ballot is proposed, and need
                not take into consideration other ballots that may be
                proposed subsequently, except as provided in Bylaw
                Section 2.3(j). <o:p></o:p></span></p>
            <p class="line862"><span lang="EN-US">Votes must be cast by
                posting an on-list reply to this thread on the Public
                list. A vote in favor of the motion must indicate a
                clear 'yes' in the response. A vote against must
                indicate a clear 'no' in the response. A vote to abstain
                must indicate a clear 'abstain' in the response. Unclear
                responses will not be counted. The latest vote received
                from any representative of a voting member before the
                close of the voting period will be counted. Voting
                members are listed here: <a moz-do-not-send="true"
                  href="https://cabforum.org/members/">https://cabforum.org/members/</a>
                <o:p></o:p></span></p>
            <p class="MsoNormal"><span lang="EN-US">In order for the
                motion to be adopted, two thirds or more of the votes
                cast by members in the CA category and greater than 50%
                of the votes cast by members in the browser category
                must be in favor. Quorum is shown on CA/Browser Forum
                wiki. Under Bylaw 2.2(g), at least the required quorum
                number must participate in the ballot for the ballot to
                be valid, either by voting in favor, voting against, or
                abstaining. <o:p></o:p></span></p>
          </div>
        </div>
        <br>
        <fieldset class="mimeAttachmentHeader"></fieldset>
        <br>
        <pre wrap="">_______________________________________________
Public mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
      </blockquote>
      <br>
      <pre class="moz-signature" cols="72">-- 
Arno Fiedler
Nimbus Technologieberatung GmbH
Reichensteiner Weg 17
14195 Berlin
Mobil:      0049-(0)172-3053272
Fax:        0049-(0)30-89745-777
E-Mail:     <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:arno.fiedler@nimbus-berlin.com">arno.fiedler@nimbus-berlin.com</a>
Web:        <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.nimbus-berlin.com">www.nimbus-berlin.com</a>
Geschäftsführer:  Arno Fiedler
USt-IdNr. :       DE 203 269 920
D-U-N-S® Nr.      50-730-8117
HandelsregisterNr:HRB 109409 B</pre>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>