<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:TimesNewRomanPSMT;
        panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin-top:0in;
        margin-right:0in;
        margin-bottom:8.0pt;
        margin-left:0in;
        line-height:105%;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:#954F72;
        text-decoration:underline;}
p.line867, li.line867, div.line867
        {mso-style-name:line867;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;
        color:black;}
p.line874, li.line874, div.line874
        {mso-style-name:line874;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;
        color:black;}
span.EmailStyle19
        {mso-style-type:personal-compose;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;
        font-family:"Calibri",sans-serif;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:225268407;
        mso-list-template-ids:-335275990;}
@list l0:level1
        {mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level3
        {mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level4
        {mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level5
        {mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level6
        {mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level7
        {mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level8
        {mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level9
        {mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1
        {mso-list-id:227767309;
        mso-list-template-ids:-709468212;}
@list l2
        {mso-list-id:1112096121;
        mso-list-template-ids:982281166;}
@list l2:level1
        {mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level2
        {mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level3
        {mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level4
        {mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level5
        {mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level6
        {mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level7
        {mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level8
        {mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level9
        {mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l3
        {mso-list-id:2103143252;
        mso-list-template-ids:1999688710;}
@list l3:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif">NOTICE OF REVIEW PERIOD – BALLOT 189<o:p></o:p></span></b></p>
<p class="MsoNormal" align="center" style="margin-bottom:0in;margin-bottom:.0001pt;text-align:center;line-height:normal">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></b></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none">
<span style="font-size:12.0pt;font-family:'Arial',sans-serif">This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum’s Intellectual Property Rights Policy (v1.2).  This Review Period is for Final Maintenance Guidelines (30-day Review Period). 
</span><span style="font-size:12.0pt;font-family:TimesNewRomanPSMT">A complete draft of the Draft Guideline that is the subject of this Review Notice is attached.</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.25in;margin-bottom:.0001pt;line-height:normal">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Date Review Notice Sent:        April 14, 2017<u><o:p></o:p></u></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.25in;margin-bottom:.0001pt;line-height:normal">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.25in;margin-bottom:.0001pt;line-height:normal">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Ballot for Review:                    Ballot 189<u><o:p></o:p></u></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.25in;margin-bottom:.0001pt;line-height:normal">
<u><span style="font-size:12.0pt;font-family:"Arial",sans-serif"><o:p><span style="text-decoration:none"> </span></o:p></span></u></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.25in;margin-bottom:.0001pt;line-height:normal">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Start of Review Period:           April 14, 2017 at 22:00 UTC<u><o:p></o:p></u></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.25in;margin-bottom:.0001pt;line-height:normal">
<u><span style="font-size:12.0pt;font-family:"Arial",sans-serif"><o:p><span style="text-decoration:none"> </span></o:p></span></u></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.25in;margin-bottom:.0001pt;line-height:normal">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">End of Review Period:             May 14, 2017 at 22:00 UTC<u><o:p></o:p></u></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.25in;margin-bottom:.0001pt;line-height:normal">
<u><span style="font-size:12.0pt;font-family:"Arial",sans-serif"><o:p><span style="text-decoration:none"> </span></o:p></span></u></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none">
<span style="font-size:12.0pt;font-family:'Arial',sans-serif">Note: Assuming no Exclusion Notices are filed, we will substitute the date “August 14, 2017” (three months after the Review Period ends on May 14, 2017) for the words “<strong><span style="font-family:'Arial',sans-serif;font-weight:normal">3 months after
 the ballot passes</span></strong>” in the updated Baseline Requirements as follows:
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;text-autospace:none">
<strong><span style="font-size:12.0pt;font-family:"Arial",sans-serif">“Effective <s>
<span style="background:yellow;mso-highlight:yellow">3 months after the ballot passes</span></s>
<u>August 14, 2017</u></span></strong><span style="font-size:12.0pt;font-family:"Arial",sans-serif">, Certificates for Time Stamping end-entity Certificates SHALL NOT be directly issued from these Root Certificates.”<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Please forward any Exclusion Notice relating to Essential Claims to the Chair by email to
</span><a href="mailto:kirk.hall@entrustdatacard.com"><span style="font-size:12.0pt;font-family:"Arial",sans-serif">kirk.hall@entrustdatacard.com</span></a><span style="font-size:12.0pt;font-family:"Arial",sans-serif"> before the end of the Review Period. 
 See the current version of the CA/Browser Forum Intellectual Property Rights Policy for details.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none">
<span style="font-size:12.0pt;font-family:TimesNewRomanPSMT"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none">
<i><span style="font-family:"Arial",sans-serif">(Optional form of Exclusion Notice is attached)<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none">
<i><span style="font-family:"Arial",sans-serif"><o:p> </o:p></span></i></p>
<p class="line867"><strong><span style="font-family:"Arial",sans-serif">Ballot 189 - Amend Section 6.1.7 of Baseline Requirements
</span><o:p></o:p></strong></p>
<p class="line867"><strong><span style="font-family:"Arial",sans-serif">-- MOTION BEGINS --</span></strong><span style="font-family:"Arial",sans-serif">
</span><o:p></o:p></p>
<p class="line867"><em><span style="font-family:"Arial",sans-serif">Current section 6.1.7</span></em><span style="font-family:"Arial",sans-serif">
<o:p></o:p></span></p>
<p class="line874"><span style="font-family:"Arial",sans-serif">Root CA Private Keys MUST NOT be used to sign Certificates except in the following cases:
<o:p></o:p></span></p>
<ol start="1" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level1 lfo3">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Self-signed Certificates to represent the Root Certificate itself;
<o:p></o:p></span></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level1 lfo3">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Certificates for Subordinate CAs and Cross Certificates;
<o:p></o:p></span></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level1 lfo3">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Certificates for infrastructure purposes (e.g. administrative role certificates, internal CA operational device certificates, and OCSP Response verification Certificates);
<o:p></o:p></span></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level1 lfo3">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Certificates issued solely for the purpose of testing products with Certificates issued by a Root CA; and
<o:p></o:p></span></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level1 lfo3">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Subscriber Certificates, provided that:
<o:p></o:p></span>
<ol start="1" type="a">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level2 lfo3">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">The Root CA uses a 1024-bit RSA signing key that was created prior to the Effective Date;
<o:p></o:p></span></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level2 lfo3">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">The Applicant’s application was deployed prior to the Effective Date;
<o:p></o:p></span></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level2 lfo3">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">The Applicant’s application is in active use by the Applicant or the CA uses a documented process to establish that the Certificate’s use is required by a substantial number of Relying Parties;
<o:p></o:p></span></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level2 lfo3">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">The CA follows a documented process to determine that the Applicant’s application poses no known security risks to Relying Parties;
<o:p></o:p></span></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level2 lfo3">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">The CA documents that the Applicant’s application cannot be patched or replaced without substantial economic outlay.
<o:p></o:p></span></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level2 lfo3">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">The CA signs the Subscriber Certificate on or before June 30, 2016; and
<o:p></o:p></span></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level2 lfo3">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">The notBefore field in the Subscriber Certificate has a date on or before June 30, 2016
<o:p></o:p></span></li></ol>
</li></ol>
<p class="line867"><em><span style="font-family:"Arial",sans-serif">Proposed section 6.1.7</span></em><span style="font-family:"Arial",sans-serif">
<o:p></o:p></span></p>
<p class="line874"><span style="font-family:"Arial",sans-serif">Private Keys corresponding to Root Certificates that participate in a hierarchy that issues Certificates with an extKeyUsage extension that includes the value id-kp-serverAuth [RFC5280] MUST NOT
 be used to sign Certificates except in the following cases: <o:p></o:p></span></p>
<ol start="1" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level1 lfo6">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Self-signed Certificates to represent the Root CA itself;
<o:p></o:p></span></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level1 lfo6">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Certificates for Subordinate CAs and Cross Certificates;
<o:p></o:p></span></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level1 lfo6">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Certificates for infrastructure purposes (administrative role certificates, internal CA operational device certificates)
<o:p></o:p></span></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level1 lfo6">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Certificates for OCSP Response verification;
<o:p></o:p></span></li></ol>
<p class="line867"><strong><span style="font-family:"Arial",sans-serif">Effective
<span style="background:yellow;mso-highlight:yellow">3 months after the ballot passes</span></span></strong><span style="font-family:"Arial",sans-serif">, Certificates for Time Stamping end-entity Certificates SHALL NOT be directly issued from these Root Certificates.
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<strong><span style="font-size:12.0pt;font-family:"Arial",sans-serif">-- MOTION ENDS --</span></strong><i><span style="font-size:12.0pt;font-family:"Arial",sans-serif"><o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none">
<i><span style="font-size:12.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></i></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>