<div dir="ltr">How so? The Ballot only applies to the profile of the issuance of roots/sub-CAs, not from.<div><br></div><div>If it applied to from, the existing BRs would already rule out a number of members' roots and intermediates :)<br><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, May 4, 2017 at 4:04 PM, Geoff Keating <span dir="ltr"><<a href="mailto:geoffk@apple.com" target="_blank">geoffk@apple.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><br><div><span class=""><blockquote type="cite"><div>On 4 May 2017, at 12:30 pm, Ryan Sleevi via Public <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>> wrote:</div><br class="m_7516727140871036370Apple-interchange-newline"><div><div dir="ltr">Kirk raised that, but it does not seem to be a founded concern.<br><div><br></div><div>1) That requirement applies to all certificates issued against the current BRs</div><div>2) The BRs do not retroactively invalidate - or, especially in the case of Ballot 197 - approve - certificate issuance.</div><div><br></div><div>A CA has always and only been obligated to state compliance with the in-force BRs with respect to issuance and its activities.</div></div></div></blockquote><div><br></div></span><div>In this context, saying the BRs apply to ‘all certificates issued’ might mean that you could no longer issue a certificate against a root without a common name, and so cannot renew any sub-CAs.</div><span class=""><br><blockquote type="cite"><div class="gmail_extra"><div class="gmail_quote">On Thu, May 4, 2017 at 3:27 PM, Steve Medin via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="m_7516727140871036370m_-6447053817377038652WordSection1"><p class="MsoNormal"><span style="color:#1f497d">Gerv, could we also request explicit forward-looking language? Kirk raised the concern about whether this applies to existing roots and intermediates. We have a root issued in 1997 that does not have a common
name. Some interpretations have been discussed, but we would strongly prefer that this be written into this change for clear future interpretations.<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">If I may:<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">7.1.4.3. Subject Information – Root Certificates and Subordinate CA Certificates<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">When issuing a Root Certificate or Subordinate CA Certificate, the CA represents that it followed the procedure set forth in its Certificate Policy and/or Certification Practice Statement to verify that, as of
the Certificate’s issuance date, all of the Subject Information was accurate and included the content required by this section.</span></p></div></div></blockquote></div></div></blockquote></span></div></div></blockquote></div><br></div>