<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">The Notice of Review Period sent yesterday included the text of Ballot 189 as it existed during the discussion period.  The ballot was modified just before the start of the voting period.  As a result, here is a REVISED Notice of Review
 Period for Ballot 189 including the final ballot language as revised.<o:p></o:p></p>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<p class="MsoNormal" align="center" style="text-align:center"><b><span style="font-size:12.0pt;font-family:"Arial",sans-serif"><o:p>&nbsp;</o:p></span></b></p>
<p class="MsoNormal" align="center" style="text-align:center"><b><u>REVISED</u></b><b> NOTICE OF REVIEW PERIOD &ndash; BALLOT 189<o:p></o:p></b></p>
<p class="MsoNormal" align="center" style="text-align:center"><b><o:p>&nbsp;</o:p></b></p>
<p class="MsoNormal" style="text-autospace:none">This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum&rsquo;s Intellectual Property Rights Policy (v1.2).  This Review Period is for Final Maintenance Guidelines (30 day Review Period).  A complete
 draft of the Draft Guideline that is the subject of this Review Notice is attached.<o:p></o:p></p>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<p class="MsoNormal" style="margin-left:.25in">Date Review Notice Sent:&nbsp;&nbsp;&nbsp;&nbsp; April 15 2017<u><o:p></o:p></u></p>
<p class="MsoNormal" style="margin-left:.25in"><o:p>&nbsp;</o:p></p>
<p class="MsoNormal" style="margin-left:.25in">Ballot for Review:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Ballot 189<u><o:p></o:p></u></p>
<p class="MsoNormal" style="margin-left:.25in"><u><o:p><span style="text-decoration:none">&nbsp;</span></o:p></u></p>
<p class="MsoNormal" style="margin-left:.25in">Start of Review Period:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; April 15, 2017 at 22:00 UTC<u><o:p></o:p></u></p>
<p class="MsoNormal" style="margin-left:.25in"><u><o:p><span style="text-decoration:none">&nbsp;</span></o:p></u></p>
<p class="MsoNormal" style="margin-left:.25in">End of Review Period:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; May 15, 2017 at 22:00 UTC<u><o:p></o:p></u></p>
<p class="MsoNormal" style="margin-left:.25in"><u><o:p><span style="text-decoration:none">&nbsp;</span></o:p></u></p>
<p class="MsoNormal" style="text-autospace:none">Please forward any Exclusion Notice relating to Essential Claims to the Chair by email to
<a href="mailto:kirk.hall@entrustdatacard.com">kirk.hall@entrustdatacard.com</a> before the end of the Review Period.  See current version of CA/Browser Forum Intellectual Property Rights Policy for details.<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p>&nbsp;</o:p></p>
<p class="MsoNormal" style="text-autospace:none"><i>(Optional form of Exclusion Notice is attached)<o:p></o:p></i></p>
<p class="MsoNormal" style="text-autospace:none"><i><o:p>&nbsp;</o:p></i></p>
<p class="MsoNormal"><strong><span style="font-family:"Calibri",sans-serif">Ballot 189 - Amend Section 6.1.7 of Baseline Requirements</span></strong>
<o:p></o:p></p>
<p class="line874"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">The following motion has been proposed by Dimitris Zacharopoulos of HARICA and endorsed by Bruce Morton of Entrust and Jeremy Rowley of DigiCert
<o:p></o:p></span></p>
<p class="line867"><strong><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Background</span></strong><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">:
<o:p></o:p></span></p>
<p class="line874"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Section 6.1.7 of the Baseline Requirements states that the Root CA Private Keys MUST NOT be used to sign end-entity certificates, with some exceptions. It is unclear if this
 exception list includes end-entity certificates with EKU id-kp-timeStamping. This ballot attempts to clarify two things:
<o:p></o:p></span></p>
<ol start="1" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1">
that it affects Root Keys in a hierarchy that issues SSL Certificates and <o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1">
that it does not include time stamping certificates in the exception list. <o:p></o:p></li></ol>
<p class="line874"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">It also clears the exception language for 1024-bit RSA Subscriber Certificates and testing products with Certificates issued by a Root.
<o:p></o:p></span></p>
<p class="line867"><strong><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">-- MOTION BEGINS --</span></strong><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">
<o:p></o:p></span></p>
<p class="line867"><em><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Current section 6.1.7</span></em><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">
<o:p></o:p></span></p>
<p class="line874"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Root CA Private Keys MUST NOT be used to sign Certificates except in the following cases:
<o:p></o:p></span></p>
<ol start="1" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo2">
Self-signed Certificates to represent the Root Certificate itself; <o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo2">
Certificates for Subordinate CAs and Cross Certificates; <o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo2">
Certificates for infrastructure purposes (e.g. administrative role certificates, internal CA operational device certificates, and OCSP Response verification Certificates);
<o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo2">
Certificates issued solely for the purpose of testing products with Certificates issued by a Root CA; and
<o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo2">
Subscriber Certificates, provided that: <o:p></o:p>
<ol start="1" type="a">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level2 lfo2">
The Root CA uses a 1024-bit RSA signing key that was created prior to the Effective Date;
<o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level2 lfo2">
The Applicant&rsquo;s application was deployed prior to the Effective Date; <o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level2 lfo2">
The Applicant&rsquo;s application is in active use by the Applicant or the CA uses a documented process to establish that the Certificate&rsquo;s use is required by a substantial number of Relying Parties;
<o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level2 lfo2">
The CA follows a documented process to determine that the Applicant&rsquo;s application poses no known security risks to Relying Parties;
<o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level2 lfo2">
The CA documents that the Applicant&rsquo;s application cannot be patched or replaced without substantial economic outlay.
<o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level2 lfo2">
The CA signs the Subscriber Certificate on or before June 30, 2016; and <o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level2 lfo2">
The notBefore field in the Subscriber Certificate has a date on or before June 30, 2016
<o:p></o:p></li></ol>
</li></ol>
<p class="line867"><em><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Proposed section 6.1.7</span></em><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">
<o:p></o:p></span></p>
<p class="line874"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Private Keys corresponding to Root Certificates MUST NOT be used to sign Certificates except in the following cases:
<o:p></o:p></span></p>
<ol start="1" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3">
Self-signed Certificates to represent the Root CA itself; <o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3">
Certificates for Subordinate CAs and Cross Certificates; <o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3">
Certificates for infrastructure purposes (administrative role certificates, internal CA operational device certificates)
<o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3">
Certificates for OCSP Response verification; <o:p></o:p></li></ol>
<p class="line867"><strong><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">These changes become Effective 30 days after the ballot passes.</span></strong><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">
<o:p></o:p></span></b></p>
<p class="line867"><strong><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">-- MOTION ENDS --</span></strong><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">
<o:p></o:p></span></p>
</div>
</body>
</html>