<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
@list l15:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l16
{mso-list-id:1602957136;
mso-list-template-ids:-1157350358;}
@list l16:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l16:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l16:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l16:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l16:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l16:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l16:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l16:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l16:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l17
{mso-list-id:1706561348;
mso-list-template-ids:-1801128792;}
@list l17:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l17:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l17:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l17:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l17:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l17:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l17:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l17:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l17:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l18
{mso-list-id:1715080181;
mso-list-template-ids:-1034491196;}
@list l18:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l18:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l18:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l18:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l18:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l18:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l18:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l18:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l18:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l19
{mso-list-id:1749186938;
mso-list-template-ids:2948056;}
@list l19:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l19:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l19:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l19:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l19:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l19:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l19:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l19:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l19:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l20
{mso-list-id:1784113093;
mso-list-template-ids:1522831950;}
@list l20:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l20:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l20:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l20:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l20:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l20:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l20:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l20:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l20:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l21
{mso-list-id:1859736964;
mso-list-template-ids:79099760;}
@list l21:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l21:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l21:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l21:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l21:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l21:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l21:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l21:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l21:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l22
{mso-list-id:1891114304;
mso-list-template-ids:-1758664372;}
@list l22:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l22:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l22:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l22:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l22:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l22:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l22:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l22:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l22:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l23
{mso-list-id:1938826140;
mso-list-template-ids:-1359962806;}
@list l23:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l23:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l23:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l23:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l23:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l23:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l23:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l23:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l23:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style>
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><b>Minutes from CA/Browser Forum Face-to-Face meeting March 22-23, 2017<o:p></o:p></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Day 1 - Wednesday, March 22<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Attendees: NOTE: The following list is of attendees that were there during at least one of the three days: Rick Andrews, Symantec; Ryan Sleevi, Google; Steve Medin, Symantec; Alex Wight, Cisco; JP Hamilton, Cisco; Jos Purvis,
Cisco; Bruce Morton, Entrust Datacard; Tim Hollebeek, Trustwave; Eric Mill, FPKI (GSA); Deb Cooley, FPKI (DOD); </span><a href="https://www.cabforum.org/wiki/LaChelle"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">LaChelle</span></a><span lang="EN" style="color:black"> Levan,
FPKI (GSA); Geoff Keating, Apple; Kirk Hall, Entrust Datacard; Chris Bailey, Entrust Datacard; Dean Coclin, Symantec; Gervase Markham, Mozilla; Tyler Myers, </span><a href="https://www.cabforum.org/wiki/GoDaddy"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">GoDaddy</span></a><span lang="EN" style="color:black">;
Wayne Thayer, </span><a href="https://www.cabforum.org/wiki/GoDaddy"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">GoDaddy</span></a><span lang="EN" style="color:black">; Curt Spann, Apple; Chi Hickey, FPKI (GSA); Zhang Yi, CFCA;
Franck Leroy, Certinomis (Docapost); Jeff Ward, BDO / </span><a href="https://www.cabforum.org/wiki/WebTrust"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a><span lang="EN" style="color:black"> Chair; Don Sheehy,
CPA Canada / </span><a href="https://www.cabforum.org/wiki/WebTrust"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a><span lang="EN" style="color:black">; Frank Corday, Trustwave; Moudrick Dadashov, SSC; Atsushi
Inaba, </span><a href="https://www.cabforum.org/wiki/GlobalSign"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">GlobalSign</span></a><span lang="EN" style="color:black">; Arno Fiedler, D-TRUST GmbH; Cornelia Enke, </span><a href="https://www.cabforum.org/wiki/SwissSign"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">SwissSign</span></a><span lang="EN" style="color:black"> AG;
Doug Beattie, </span><a href="https://www.cabforum.org/wiki/GlobalSign"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">GlobalSign</span></a><span lang="EN" style="color:black">; Li-Chun Chen, Chunghwa Telecom Co. Ltd.; Ben Wilson, </span><a href="https://www.cabforum.org/wiki/DigiCert"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">DigiCert</span></a><span lang="EN" style="color:black">;
Richard Wang, </span><a href="https://www.cabforum.org/wiki/WoSign"><span lang="EN" style="border:none windowtext 1.0pt;padding:0in">WoSign</span></a><span lang="EN" style="color:black">; Wei Yicai, GDCA; Ou Jingan, GDCA; Masakazu Asano, </span><a href="https://www.cabforum.org/wiki/GlobalSign"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">GlobalSign</span></a><span lang="EN" style="color:black">;
Tarah Wheeler, Symantec; J.C. Jones, Mozilla; Feng Lin, CFCA; Jeremy Rowley, </span><a href="https://www.cabforum.org/wiki/DigiCert"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">DigiCert</span></a><span lang="EN" style="color:black">;
Robin Alden, Comodo; Peter Bowen, Amazon; Xiaosheng Tan, Qihoo 360; Zhihui Liang, Qihoo 360; Fotis Loukos, SSL.com; Leo Grove, SSL.com; Chris Kemmerer, SSL.com; Jody Cloutier, Microsoft; Andrew Whalley, Google; Phillip Hallam-Baker, Comodo (portions by telephone);
Ryan Hurst, Google.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Working Group Reports<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Policy Review Working Group<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Note Taker: Ben Wilson</span></i><span lang="EN" style="color:black"> The Policy Review Working Group was formed to advise the Forum on comparisons and consistency between the CA/B Forum guidelines and industry technical
standards such as RFC 3647 and the NISTIR 7924.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Yesterday, the Policy Review WG reviewed Li-Chun’s proposal to modify section 7.1.4.2.2 of the Baseline Requirements. In Taiwan, there is a pre-existing naming scheme operated by the government that does not include localityName
or stateOrProvinceName. The current Baseline Requirements say that for OV certificates you have to have one of these fields. A possible solution proposed during the meeting of the Working Group was to provide a carve-out for Taiwan, provided that the entity
that is the subject of the certificate is registered in the government database, with the official name of that database to be provided in the ballot.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">The Working Group has also reviewed the use of the term “CA” in the Baseline Requirements. There are instances where it is used inconsistently and ambiguously in the BRs, and the group has been working on trying to clarify
that, with a more recent focus on the term “Root CA”. One approach may be to reduce the number of times we use the term “Root CA” and put the focus more on CA key pairs. Following the meeting yesterday, there has been continued discussion on the WG list about
trying to be more consistent with RFC 5280 and other requirements and some of us are now reviewing those documents.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Other topics discussed yesterday included: “who or what signs?” (is it the CA, the private key, the certificate, or something else?); delegated third parties; affiliates; and subject identity information, including a discussion of adding descriptors
and the question of when the organizationalUnit (OU) field may be used, in other words, is it mis-issuance if a CA shoves words like “Domain Control Validation” into the OU field without any other subject information in the DN?<o:p></o:p></span></p>
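<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">One way to check a subject DN against the two points raised above (the section 7.1.4.2.2 requirement that an OV subject carry localityName or stateOrProvinceName, and an OU value carried without the rest of the subject identity) is a small subject-name lint. The code below is an added example, not anything from the Forum, the Working Group or any CA: it decodes a DER-encoded X.509 Name with a minimal hand-written parser (no third-party library), then applies the two checks. The sample DNs, the <code>encode_name</code>/<code>parse_name</code>/<code>lint_subject</code> names, and the assumption that the presence of organizationName marks an OV-style subject are all constructed here.</span></p>

```python
"""
Lint an X.509 subject Name (DER) for two Baseline Requirements points
discussed by the Policy Review WG:
  * an OV-style subject (here: organizationName present, an assumption of
    this example) must carry localityName or stateOrProvinceName (BR 7.1.4.2.2);
  * organizationalUnitName must not stand in for subject identity, i.e.
    OU without organizationName is flagged.
Pure Python; the sample DNs are constructed below and are not real certificates.
"""

# X.520 attribute type OIDs (2.5.4.x), stored as their DER OID bodies.
OID_NAMES = {
    b"\x55\x04\x03": "CN",
    b"\x55\x04\x06": "C",
    b"\x55\x04\x07": "L",
    b"\x55\x04\x08": "ST",
    b"\x55\x04\x0a": "O",
    b"\x55\x04\x0b": "OU",
}
OID_BY_NAME = {v: k for k, v in OID_NAMES.items()}


def _len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def encode_name(attrs):
    """Encode [(shortname, value), ...] as a DER Name:
    SEQUENCE { SET { SEQUENCE { OID, UTF8String } } ... }.
    Only used here to build the constructed sample input."""
    rdns = b""
    for name, value in attrs:
        atv = _tlv(0x06, OID_BY_NAME[name]) + _tlv(0x0C, value.encode("utf-8"))
        rdns += _tlv(0x31, _tlv(0x30, atv))
    return _tlv(0x30, rdns)


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_name(der):
    """Decode a DER Name into [(shortname or hex OID body, value), ...]."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = _read_tlv(seq, pos)
        if tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a SET")
        p = 0
        while p < len(rdn):  # a SET may hold several AttributeTypeAndValue
            _, atv, p = _read_tlv(rdn, p)
            ttag, oid, q = _read_tlv(atv, 0)
            vtag, val, _ = _read_tlv(atv, q)
            if ttag != 0x06:
                raise ValueError("attribute type must be an OID")
            if vtag not in (0x0C, 0x13, 0x16):  # UTF8/Printable/IA5String
                raise ValueError("unsupported attribute value type")
            attrs.append((OID_NAMES.get(bytes(oid), oid.hex()), val.decode("utf-8")))
    return attrs


def lint_subject(attrs):
    """Return a list of findings; an empty list means the subject passed."""
    present = {name for name, _ in attrs}
    findings = []
    if "O" in present and not ({"L", "ST"} & present):
        findings.append("organizationName present without localityName or "
                        "stateOrProvinceName (BR 7.1.4.2.2)")
    if "OU" in present and "O" not in present:
        findings.append("organizationalUnitName present without organizationName: "
                        "OU used as a free-text label rather than subject identity")
    return findings


def lint_der(der):
    return lint_subject(parse_name(der))


# Constructed sample subjects (not taken from any issued certificate).
OV_OK = encode_name([("C", "TW"), ("ST", "Taipei City"),
                     ("O", "Example Co., Ltd."), ("CN", "www.example.com")])
OV_NO_LOCALITY = encode_name([("C", "TW"), ("O", "Example Co., Ltd."),
                              ("CN", "www.example.com")])
DV_OU_LABEL = encode_name([("OU", "Domain Control Validation"),
                           ("CN", "www.example.com")])

if __name__ == "__main__":
    for label, der in (("OV_OK", OV_OK), ("OV_NO_LOCALITY", OV_NO_LOCALITY),
                       ("DV_OU_LABEL", DV_OU_LABEL)):
        print(label, parse_name(der), lint_der(der) or "clean")
```

<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">The parser handles only the RDN structure and the three common string types, which is enough to lint the subject field; feeding it the subject Name extracted from a real certificate (the TBSCertificate subject SEQUENCE) works the same way. A Taiwan carve-out of the kind proposed would be expressed as an additional condition on the first check, keyed on the registration database named in the ballot.</span></p>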
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Governance Change Working Group<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Note Taker: Dean Coclin</span></i><span lang="EN" style="color:black"> The working group reviewed the final version of the charter which had been posted for public input here: </span><a href="https://cabforum.org/current-work/governance-working-group/"><span lang="EN" style="border:none windowtext 1.0pt;padding:0in">https://cabforum.org/current-work/governance-working-group/</span></a><span lang="EN" style="color:black"> We
also reviewed the draft charter of working groups document that Virginia and Andrew had drafted. The next step is to take these and draft new bylaws. The group will endeavor to have something ready for the Berlin meeting.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Validation Working Group<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Note Taker: Kirk</span></i><span lang="EN" style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Jeremy noted that the Validation Working Group had held teleconferences every two weeks, and were working on a number of proposed changes to the Baseline Requirements and the EV Guidelines. He discussed several of the recent
draft ballots, and said they would be introduced as ballots over the coming weeks.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Browser News<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Apple<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Note Taker: Chris</span></i><span lang="EN" style="color:black"> csk<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Presented by Curt Spann (CS)<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l5 level1 lfo1;background:white">
<b><span lang="EN">CA-issued SHA-1 certificates</span></b><span lang="EN"> (Safari/WebKit) shall be <b>disallowed</b> via a security update "fairly soon" (see also: </span><a href="https://support.apple.com/en-us/HT207459"><span lang="EN" style="border:none windowtext 1.0pt;padding:0in">https://support.apple.com/en-us/HT207459</span></a><span lang="EN">)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l5 level1 lfo1;background:white">
<b><span lang="EN">A reminder:</span></b><span lang="EN"> Apple will deprecate <b>ALL</b> SHA-1 signed certs later in 2017 (though enterprise roots can still be SHA-1 - see link above).<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l5 level1 lfo1;background:white">
<b><span lang="EN">A project for later this year:</span></b><span lang="EN"> Apple shall be attempting to <b>reduce the number of roots per CA provider</b> held in the store.<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Q from Rick Andrews:</span></b><span lang="EN" style="color:black"> How will this removal/reduction of roots be implemented?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">A (CS):</span></b><span lang="EN" style="color:black"> Definitely will be reviewed first.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Q from (Dean Coclin?):</span></b><span lang="EN" style="color:black"> Why is Apple taking this step?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">A (CS):</span></b><span lang="EN" style="color:black"> As a general management and security issue, to get a sense of *why* these are in the store.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Observation by Jos Purvis:</span></b><span lang="EN" style="color:black"> Sounds like there is no set goal or specific number of roots to remove per CA?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Response (CS):</span></b><span lang="EN" style="color:black"> More getting a 'lay of the land' for why these roots are in the store.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Contribution by Gerv Markham:</span></b><span lang="EN" style="color:black"> Gerv made an offer of the CCADB to help manage Apple's root store, to general mirth.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Q from Dean Coclin:</span></b><span lang="EN" style="color:black"> Are there dates for this root pruning process?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">A (CS):</span></b><span lang="EN" style="color:black"> No firm date for this - look for more information in late 2017.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Later followup Qs from Peter Bowen (after other browser presentations):</span></b><span lang="EN" style="color:black"> What are Apple's thoughts regarding 1) reduced certificate lifespan and 2) certificate transparency?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">A (CS):</span></b><span lang="EN" style="color:black"> 1) We're in favor of Mozilla's drive toward future reduced lifespan, no announcements or timeline at present. 2) CT: looking into the matter, also no announcements
or timeline.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Followup response from Apple's Geoff Keating:</span></b><span lang="EN" style="color:black"> Regarding cert lifespan, one year may be 'the WORST of all possible worlds' - too short for comfortable manual implementation,
too long for efficient automation, best number may be shorter or longer.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Google<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Note Taker: </span></i><span lang="EN" style="color:black">Peter Bowen<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo2;background:white">
<span lang="EN">Started experimenting with AIA fetching on Chrome on Android<o:p></o:p></span>
<ul style="margin-top:0in" type="circle">
<li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l2 level2 lfo2;background:white">
<span lang="EN">Does not include </span><a href="https://www.cabforum.org/wiki/WebView"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">WebView</span></a><span lang="EN"><o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo2;background:white">
<span lang="EN">Stop looking at common name in Chrome 58<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level2 lfo2;background:white">
<span lang="EN">Enterprise policy can enable for non-public certs<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo2;background:white">
<span lang="EN">TLS 1.3 is in testing<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l2 level1 lfo2;background:white">
<span lang="EN">Phasing out trust of </span><a href="https://www.cabforum.org/wiki/WoSign"><span lang="EN" style="border:none windowtext 1.0pt;padding:0in">WoSign</span></a><span lang="EN"> and StartCom certificates across the board<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level2 lfo2;background:white">
<span lang="EN">Chrome 56 used a date-based check<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level2 lfo2;background:white">
<span lang="EN">Chrome 57 has whitelist, with full distrust by mid-2017<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo2;background:white">
<span lang="EN">Certificate viewer UI moved to the developer tools<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level2 lfo2;background:white">
<span lang="EN">Chrome knows this is more difficult and is looking at ways to make it more accessible<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo2;background:white">
<span lang="EN">Chrome 57 includes basic support for Roughtime<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level2 lfo2;background:white">
<span lang="EN">Used to improve SSL interstitials to help indicate to users that device clock might be wrong<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo2;background:white">
<span lang="EN">Chrome 57 rolled out "form not secure"<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level2 lfo2;background:white">
<span lang="EN">Password or credit card field on HTTP (not HTTPS) highlights that "this is not a secure form"<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo2;background:white">
<span lang="EN">Chrome 57 marks data: scheme URLs as not secure<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo2;background:white">
<span lang="EN">Google recently held CT policy days in Mountain View to discuss log operation and inclusion policy<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level2 lfo2;background:white">
<span lang="EN">Ryan will be sending update<o:p></o:p></span></li></ul>
</li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;background:white">
<b><span lang="EN" style="color:black">Q from Dean<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">When is Chrome going to start marking non-HTTPS sites as "non secure"?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;background:white">
<b><span lang="EN" style="color:black">A from Andrew Whalley<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">That is the intended end state, but the date depends on when the percentage of insecure page loads is low enough to mark them affirmatively insecure.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;background:white">
<b><span lang="EN" style="color:black">Q from Wayne<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">Updates on CT for all certificates policy?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;background:white">
<b><span lang="EN" style="color:black">A from Ryan Sleevi<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">No updates at this time.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;background:white">
<b><span lang="EN" style="color:black">Q from Peter Bowen<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">Root program policy status?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;background:white">
<b><span lang="EN" style="color:black">A from Andrew Whalley<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">"We're hiring"<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Microsoft<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Note Taker: Doug Beattie</span></i><span lang="EN" style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">1. eIDAS best practices document is being developed:<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo3;background:white">
<span lang="EN">State-of-the-art document for technical best practices. eIDAS will reference this within their documents.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo3;background:white">
<span lang="EN">Joint document by all root programs (Google, Apple, Mozilla); will include rules, aspirations, etc.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo3;background:white">
<span lang="EN">Target April release<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">2. Disable trust for WoSign and </span><a href="https://www.cabforum.org/wiki/StartCom"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">StartCom</span></a><span lang="EN" style="color:black"> (for
new certs, not old SSL certs) on April 25.<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l22 level1 lfo4;background:white">
<span lang="EN">Will get more aggressive about enforcing audits for all CAs, because we can turn off TLS trust until the CA resolves the problem.<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">3. SHA-1: Edge and IE will stop trust on May 9th. Backed off the February date.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">4. June Program Requirements updates. Will send out for review beforehand. Nothing major planned.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">5. Common CA database<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l15 level1 lfo5;background:white">
<span lang="EN">MS and Mozilla both using it<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l15 level1 lfo5;background:white">
<span lang="EN">Reduce overhead for processing audit records.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l15 level1 lfo5;background:white">
<span lang="EN">Submit documents, validate and then update the database. People are not needed to review each audit. Needs to standardize on the format.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l15 level1 lfo5;background:white">
<span lang="EN">Upload and parse audit attestation letters and validate content (in Azure)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l15 level1 lfo5;background:white">
<span lang="EN">Want to standardize the audit letter<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l15 level1 lfo5;background:white">
<span lang="EN">Beta test in May/June.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l15 level1 lfo5;background:white">
<span lang="EN">WebTrust is putting new standards in process for the content of these letters, which will help reduce failures.<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">6. Cert viewer in Edge: There is a task to do this, but no schedule<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">7. No plan to deploy a MS CT log server.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Mozilla<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Note Taker: Rick Andrews</span></i><span lang="EN" style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">1. Policy 2.4 Shipped</span></b><span lang="EN" style="color:black"> We shipped Mozilla Root Store Policy 2.4, which makes our documented practice conform much more closely with reality. This update, which came after a long period of little change, was confined to “urgent”
or “uncontroversial” changes. So it is not the end of the improvements in the policy.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Version 2.4.1 will be a reorganization of the document. This is released as a separate version to make the diffs of changes for later versions simpler. There is no intent to make any normative requirements changes in this
update. We are currently discussing this version in the mozilla.dev.security.policy forum. Please help review the document to make sure that is the case. You have this week and next week to do this; I intend to ship at the end of the month.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">2.5 will then start to tackle some of the bigger issues. These might include:<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l14 level1 lfo6;background:white">
<span lang="EN">Which parts of the policy apply to certificates issued under Technically Constrained Sub CAs;<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l14 level1 lfo6;background:white">
<span lang="EN">Which parts of the policy apply to S/MIME;<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l14 level1 lfo6;background:white">
<span lang="EN">SHA-1 deprecation timeline for S/MIME;<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l14 level1 lfo6;background:white">
<span lang="EN">Tighten up requirements around audit declarations and their scope and clarity.<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">It’s difficult to have S/MIME-related conversations in the CAB Forum at the moment so we are using our CA Communication, about which more later, to try and begin a dialogue with CAs on that topic.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">2. SHA-1 Support</span></b><span lang="EN" style="color:black"> Recently, coincidentally in the same week that the SHAttered result was published, we disabled SHA-1 support for all our users for public roots in Firefox 52 and later, including Firefox 52 ESR. “Disabled”
means showing an overridable “Untrusted Connection” dialog. For now, it can still be re-enabled by setting the preference security.pki.sha1_enforcement_level to the value 4 (to allow SHA-1 certificates issued before 2016) or 1 (to allow all SHA-1 certificates).
You can also set it to 0 in order to block all SHA-1 certificates (including those from non-public roots). We do not have any current plans to remove this preference, but we may at some point in the future.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">3. Security UI</span></b><span lang="EN" style="color:black"> We have been working on displaying negative indicators when HTTPS is not in use, starting with high-risk situations. As of Firefox 51, Firefox shows a struck-through lock icon in the URL bar when the user visits
a page containing a password element over HTTP. And as of Firefox 52, they also get an in-context drop-down warning. We have a bug open to add the ability to show a negative indicator for all non-HTTPS sites. At first, it will be disabled by default; we expect
to enable it once the measured HTTPS percentage is high enough that the risk of warning fatigue is acceptable.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">4. Queue for Public Discussion</span></b><span lang="EN" style="color:black"> The discussions are taking even longer than usual, because there are currently no resources to do the detailed review of the CP/CPS/audit statements that Ryan and Andrew were kindly doing previously.
We are trying to figure out how to get the discussion process moving forward again, and apologize for the delay.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">5. Revoked Intermediate Certs</span></b><span lang="EN" style="color:black"> We have everything in place to start an automated sync from CCADB to OneCRL; our engineer expects to be turning that on very soon. After that, certs marked as revoked in CCADB should be on the
list very quickly, without the need for manual intervention.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">6. CA Communication</span></b><span lang="EN" style="color:black"> It will be out shortly. The questions to be asked include these topics:<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l20 level1 lfo7;background:white">
<span lang="EN">Domain validation according to the ten approved methods (from Ballot 169)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l20 level1 lfo7;background:white">
<span lang="EN">Yearly CP/CPS updates including version number revision<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l20 level1 lfo7;background:white">
<span lang="EN">Audit statement requirements<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l20 level1 lfo7;background:white">
<span lang="EN">Information about RAs who do domain validation<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l20 level1 lfo7;background:white">
<span lang="EN">Problem reporting mechanism<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l20 level1 lfo7;background:white">
<span lang="EN">CAA identifier list (concern about that getting out of symc)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l20 level1 lfo7;background:white">
<span lang="EN">SHA-1 and S/MIME input sought<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Look in your inbox by the beginning of April.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">7. Root Store Community</span></b><span lang="EN" style="color:black"> We are attempting to get the “Mozilla CA Community” rebranded as the “Common CA Database”, as other root stores come on board. We are working out how we can use data from crt.sh to add flags to the
Common CA Database that will indicate if we need to check a record. Based on those flags (and double-checking the record) the Common CA Database will send email to the CA's primary POC and CC their email alias to let them know which of their records they need
to update. This will flag:<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l7 level1 lfo8;background:white">
<span lang="EN">Disclosure Incomplete<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l7 level1 lfo8;background:white">
<span lang="EN">Unconstrained id-kp-serverAuth Trust<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l7 level1 lfo8;background:white">
<span lang="EN">Disclosed, but with Errors<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l7 level1 lfo8;background:white">
<span lang="EN">Disclosed (as Not Revoked), but Revoked via CRL<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l7 level1 lfo8;background:white">
<span lang="EN">Unknown to crt.sh or Incorrectly Encoded<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">This month, we are rolling out the new process for providing annual updates. Mozilla's next audit reminder emails (sent by CCADB on the 3rd Tuesday of each month) will point CAs to this new process for providing their updates.
Note that in addition to audit statements, test websites (valid, expired, revoked) will also be required/collected/tested (as per the BRs). We’ve added Audit Archiving to CCADB -- so audits will be loaded into CCADB for permanent storage as audit archive records.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">URLs related to the above:<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l18 level1 lfo9;background:white">
<span lang="EN">HTTP Password UI Demo: </span><a href="http://http-password.badssl.com/"><span lang="EN" style="border:none windowtext 1.0pt;padding:0in">http://http-password.badssl.com/</span></a><span lang="EN"><o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l18 level1 lfo9;background:white">
<span lang="EN">Negative indicator for all HTTP sites bug: </span><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1310447"><span lang="EN" style="border:none windowtext 1.0pt;padding:0in">https://bugzilla.mozilla.org/show_bug.cgi?id=1310447</span></a><span lang="EN"><o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l18 level1 lfo9;background:white">
<span lang="EN">Firefox release schedule: </span><a href="https://wiki.mozilla.org/RapidRelease/Calendar"><span lang="EN" style="border:none windowtext 1.0pt;padding:0in">https://wiki.mozilla.org/RapidRelease/Calendar</span></a><span lang="EN"><o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l18 level1 lfo9;background:white">
<span lang="EN">Expect Staple: </span><a href="https://docs.google.com/document/d/1aISglJIIwglcOAhqNfK-2vtQl-_dWAapc-VLDh-9-BE/edit"><span lang="EN" style="border:none windowtext 1.0pt;padding:0in">https://docs.google.com/document/d/1aISglJIIwglcOAhqNfK-2vtQl-_dWAapc-VLDh-9-BE/edit</span></a><span lang="EN"><o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l18 level1 lfo9;background:white">
<span lang="EN">Annual Update process: </span><a href="https://wiki.mozilla.org/CA:CommonCADatabase#How_To_Provide_Annual_Updates"><span lang="EN" style="border:none windowtext 1.0pt;padding:0in">https://wiki.mozilla.org/CA:CommonCADatabase#How_To_Provide_Annual_Updates</span></a><span lang="EN"><o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">WebPKI Futures</span></b><span lang="EN" style="color:black"> There will be a session on how each participant would like to see the WebPKI evolve in the next three to five years. This is a chance to give CAs a heads-up about our future thinking, and was suggested in response
to the perceived out-of-the-blueness of Ryan’s certificate lifetime ballot, where he claimed “we’ve been talking about this for 3 years”.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">In the next 3-5 years, Mozilla would like to see the following in the WebPKI:<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level1 lfo10;background:white">
<span lang="EN">95%+ of websites available over HTTPS with PFS ciphersuites<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level1 lfo10;background:white">
<span lang="EN">HTTPS being the default mode of browsers; HTTP connections specifically marked as untrusted<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level1 lfo10;background:white">
<span lang="EN">Full publication for all issued publicly-trusted certificates, whether that’s via CT, a related mechanism, or something else entirely<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level1 lfo10;background:white">
<span lang="EN">Certificate lifetimes reduced to 13 months within 3 years, and 3-6 months in 5 years<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level1 lfo10;background:white">
<span lang="EN">Much greater use of automation for certificate replacement, using standard protocols<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level1 lfo10;background:white">
<span lang="EN">CAA fully deployed and implemented<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level1 lfo10;background:white">
<span lang="EN">Multiple hash functions widely supported<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level1 lfo10;background:white">
<span lang="EN">Better elliptic curves widely supported<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level1 lfo10;background:white">
<span lang="EN">Initial support for post-quantum crypto algorithms<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level1 lfo10;background:white">
<span lang="EN">No more reliance on live OCSP checks -- basically all certificates have MUST_STAPLE or are short-lived<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Questions: What about CT? Mozilla is somewhat late in the process of engaging in CT discussions. While that process is working its way through, we're not advancing the client policy discussions. We're not coming up with independent
CT policy at this moment.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ryan: The feedback that was provided by Mozilla wasn't related to scalability.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Gerv: It was my understanding that it was.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ryan: It was related to how quickly you can go from detection to enforcement. A 24-hour MMD allows a cert to go unlogged for that long.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Gerv: We commented on what's needed to take CT beyond countersignatures into not needing to trust the logs at all.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ryan H: Mozilla has presented an alternate view of the near-term plan that has browsers doing audits of logs. Discussions are ongoing about how to get to the point of not needing to trust logs. In the near-term, what we have
is still viable, but we're discussing how to get to not needing to trust logs.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ryan: More discussion will be held at IETF next week.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Gerv: By the way, Richard Barnes is leaving Mozilla, so that may lead to some hiccups in Mozilla's continued pursuit of this topic.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Peter: Mozilla has spoken up about reducing cert lifetimes. Can you say more about that?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Gerv: We haven't yet had a discussion about follow-up to Ballot 193. My own opinion is that it's unfortunate that we didn't complete a proper discussion of whether the CABF agrees to further reduction. People don't seem keen
to have that discussion. I'd like to see further reductions, and if the CABF agrees, we need to signal that well in advance to give folks time to prepare. I don't think 13-month certs require automation, but they are helped by it. I think 13 months should
be the next step.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ryan: As another proponent of reduced cert lifetimes, we're doing a careful evaluation of the trust practices. For example, SHA-1 exceptions were allowed but not trusted. Independent of the forum discussions on issuance,
we're trying to determine what the appropriate level of trust is.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Peter: Curt (Apple) what's your opinion on cert lifetimes?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Curt: I think we have similar thoughts. We'd like to reduce it, but we don't want to reduce it too fast and cause heartburn. As far as CT, I can't comment. We've mentioned before that we're looking into it. No announcements
on timelines.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Geoff: We think that reduction to a year might be the worst of all possible worlds. That doesn't give you flexibility, and it's too short to be comfortable for those who are updating manually. It could be that the right number
is much smaller or larger.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Qihoo 360<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Note Taker: Zhihui Liang</span></i><span lang="EN" style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">1. Company introduction:<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l16 level1 lfo11;background:white">
<span lang="EN">Three-layer rocket model: top player in the antivirus and browser market, many internet entry-related tools, gaming, startup page, search engine.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l16 level1 lfo11;background:white">
<span lang="EN">Security research on operating systems and browsers.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l16 level1 lfo11;background:white">
<span lang="EN">Master of Pwn.<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">2. Exclusive findings on self-signed certificates on Chinese websites<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l11 level1 lfo12;background:white">
<span lang="EN">18.3% of the top 10,000 websites use self-signed certificates.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l11 level1 lfo12;background:white">
<span lang="EN">127 of the top 417 .gov websites use self-signed certificates.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l11 level1 lfo12;background:white">
<span lang="EN">Some of the biggest state-owned banking organizations in China use self-signed certificates.<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">3. 360 browser root program<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l21 level1 lfo13;background:white">
<span lang="EN">Both the beta and stable versions were released in March 2017.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l21 level1 lfo13;background:white">
<span lang="EN">Our users will get a security update by April 2017.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l21 level1 lfo13;background:white">
<span lang="EN">Any certificate error is intercepted by default; the traffic is redirected to a red stop page.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l21 level1 lfo13;background:white">
<span lang="EN">Some websites with great traffic, like 12306.cn, are verified by us: these sites are authenticated strictly by host name and digital signature, and there is no warning or stop page.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l21 level1 lfo13;background:white">
<span lang="EN">Top gov/edu websites are authenticated by us; when a user visits these sites the browser shows a yellow warning bar at the top of the page.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l21 level1 lfo13;background:white">
<span lang="EN">The 360 browser will show a different padlock for EV/UV/IV/DV certificates.<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">4. Remediation Plan for </span><a href="https://www.cabforum.org/wiki/WoSign"><span lang="EN" style="border:none windowtext 1.0pt;padding:0in">WoSign</span></a><span lang="EN" style="color:black"> & </span><a href="https://www.cabforum.org/wiki/StartCom"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">StartCom</span></a><span lang="EN" style="color:black">,
update<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4 level1 lfo14;background:white">
<span lang="EN">Separation of management and legal structure was done by Nov 29th 2016; now 100% owned by Qihoo 360.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4 level1 lfo14;background:white">
<span lang="EN">Separation of operations was done by Dec 1st 2016.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l4 level1 lfo14;background:white">
<span lang="EN">Separation of systems is work in progress; </span><a href="https://www.cabforum.org/wiki/StartCom"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">StartCom</span></a><span lang="EN"> will have a key ceremony witnessed by PwC.<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">5. Q&A session<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:6.0pt;background:white"><b><span lang="EN" style="color:black">Q<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">Is there any need for CAs to apply to be included in the 360 root program?<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:6.0pt;background:white"><b><span lang="EN" style="color:black">A<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">We reserve the right to stop trusting a CA. If we find that a CA has done a bad thing, its roots will be revoked.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:6.0pt;background:white"><b><span lang="EN" style="color:black">Q<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">How is the five star safety level calculated?<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:6.0pt;background:white"><b><span lang="EN" style="color:black">A<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">EV/UV/IV/DV certs have been verified by the CA. We also have a website security department; they have an algorithm to calculate it. Self-signed certificates will
not get five stars in the browser.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:6.0pt;background:white"><b><span lang="EN" style="color:black">Q<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">Why is a self-signed certificate website common in China?<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:6.0pt;background:white"><b><span lang="EN" style="color:black">A<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">In China, state-owned websites think they have the right to sign certificates, and everybody should trust them.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:6.0pt;background:white"><b><span lang="EN" style="color:black">Q<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">If a website is on the whitelist, does that mean you never show an error for a self-signed certificate?<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:6.0pt;background:white"><b><span lang="EN" style="color:black">A<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">Yes, but we will check the fingerprint; if the fingerprint changes, we will block it as well.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:6.0pt;background:white"><b><span lang="EN" style="color:black">Q<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">Is there any way to contact 360 to change the fingerprint?<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:6.0pt;background:white"><b><span lang="EN" style="color:black">A<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">Small websites can contact us by email. For the big ones, we don't think they will do it.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:6.0pt;background:white"><b><span lang="EN" style="color:black">Q<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">Is the white list tied to your root program?<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:6.0pt;background:white"><b><span lang="EN" style="color:black">A<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">White listing is a way to minimize impact on self-signed websites with great traffic.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:6.0pt;background:white"><b><span lang="EN" style="color:black">Q<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">This plan is for future versions or the current version?<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:6.0pt;background:white"><b><span lang="EN" style="color:black">A<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">White listing and the red stop page have already gone online in versions 8.1 and 8.2. A different UI for the padlock will go online in May.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:6.0pt;background:white"><b><span lang="EN" style="color:black">Q<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">Is there any security standard for whitelisting? Will 1024 bit and SHA-1 certificates be white listed?<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:6.0pt;background:white"><b><span lang="EN" style="color:black">A<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">For content, we have a net shell security department monitoring the website for those sites. For weak cryptography certificates, we will look into it in the next
quarter.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:6.0pt;background:white"><b><span lang="EN" style="color:black">Q<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">Any plans for supporting CT logging?<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:6.0pt;background:white"><b><span lang="EN" style="color:black">A<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">We have no plans for supporting CT logs yet.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:6.0pt;background:white"><b><span lang="EN" style="color:black">Q<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">Are the self-signed certificates white listing only for China?<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:6.0pt;background:white"><b><span lang="EN" style="color:black">A<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">Yes, it's only for Chinese websites.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:6.0pt;background:white"><b><span lang="EN" style="color:black">Q<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">Which version of Chromium is the 360 browser based on?<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:6.0pt;background:white"><b><span lang="EN" style="color:black">A<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">We have two versions, one based on Chrome 45, the other on Chrome 55.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:6.0pt;background:white"><b><span lang="EN" style="color:black">Q<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">Do you have confidence about the audit for the new infrastructure?<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-top:6.0pt;background:white"><b><span lang="EN" style="color:black">A<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">We have chosen PwC as our auditor; we will try our best to do the implementation.<o:p></o:p></span></p>
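<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">The whitelist behaviour described in item 3 and in the Q&amp;A above (certificate errors go to a red stop page by default; verified high-traffic sites load with no warning and top gov/edu sites get a yellow bar, but only while the certificate fingerprint still matches) can be modelled as one policy function. The Python below is an added example written for these minutes, not code from Qihoo 360 or the 360 browser: the tier names, the use of SHA-256 over the DER certificate as the fingerprint, and every hostname other than 12306.cn are assumptions, and the certificate bytes are constructed stand-ins. A fingerprint mismatch on a whitelisted host is recorded as well as blocked, since that is the one event a defender operating such a list would want to see.<o:p></o:p></span></p>

```python
import hashlib
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    """What the browser does with a connection (names are assumptions)."""
    ALLOW = "normal-padlock"          # chain validates: ordinary padlock
    ALLOW_SILENT = "no-warning"       # verified high-traffic site, pin matches
    WARN_BAR = "yellow-warning-bar"   # top gov/edu site, pin matches: page loads with a bar
    BLOCK = "red-stop-page"           # any other certificate error


@dataclass(frozen=True)
class PinnedSite:
    tier: str         # "verified" (no warning) or "gov_edu" (yellow bar); tier names assumed
    fingerprint: str  # SHA-256 of the DER certificate, lowercase hex


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, the usual fingerprint a browser pins."""
    return hashlib.sha256(cert_der).hexdigest()


def normalize_host(hostname: str) -> str:
    """Whitelist lookups are exact, so canonicalise case and a trailing dot first."""
    return hostname.strip().rstrip(".").lower()


def evaluate(hostname: str, cert_der: bytes, chain_valid: bool,
             whitelist: dict, audit_log: list) -> Decision:
    """Decide what to show for one TLS connection.

    chain_valid is the result of ordinary path validation against the root
    store (including hostname matching); the whitelist is consulted only when
    that fails.  A pinned host whose certificate fingerprint changed is
    blocked and recorded, because that is exactly what an interception of a
    whitelisted self-signed site would look like.
    """
    host = normalize_host(hostname)
    if chain_valid:
        return Decision.ALLOW

    entry = whitelist.get(host)
    if entry is None:
        return Decision.BLOCK

    seen = cert_fingerprint(cert_der)
    if seen != entry.fingerprint:
        audit_log.append({"event": "pin-mismatch", "host": host,
                          "expected": entry.fingerprint, "seen": seen})
        return Decision.BLOCK

    return Decision.ALLOW_SILENT if entry.tier == "verified" else Decision.WARN_BAR


# Constructed stand-ins for DER certificates; real entries would hold the
# bytes of the server's X.509 certificate.
CERT_12306 = b"constructed DER placeholder: self-signed cert for 12306.cn"
CERT_GOV = b"constructed DER placeholder: self-signed cert for www.example.gov.cn"
CERT_ROGUE = b"constructed DER placeholder: a different cert presented for 12306.cn"

WHITELIST = {
    "12306.cn": PinnedSite("verified", cert_fingerprint(CERT_12306)),
    "www.example.gov.cn": PinnedSite("gov_edu", cert_fingerprint(CERT_GOV)),  # hypothetical host
}


def demo():
    """Run the situations the minutes describe and return the outcomes plus the audit log."""
    log = []
    results = {
        "valid_chain": evaluate("shop.example", b"any cert", True, WHITELIST, log),
        "verified_pinned": evaluate("12306.CN.", CERT_12306, False, WHITELIST, log),
        "gov_pinned": evaluate("www.example.gov.cn", CERT_GOV, False, WHITELIST, log),
        "pinned_but_changed": evaluate("12306.cn", CERT_ROGUE, False, WHITELIST, log),
        "unknown_self_signed": evaluate("blog.example", CERT_GOV, False, WHITELIST, log),
    }
    return results, log


if __name__ == "__main__":
    results, log = demo()
    for name, decision in results.items():
        print(f"{name:20s} -> {decision.value}")
    for event in log:
        print("audit:", event)
```

<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Pinning the whole-certificate fingerprint rather than the host name alone is what turns the whitelist from a blanket exception into a narrow one: a whitelisted site that renews its self-signed certificate is blocked until the list is updated (the email route mentioned in the Q&amp;A), and so is anyone presenting a different certificate for that name.<o:p></o:p></span></p>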
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Cisco Root Program<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Note Taker: Peter Bowen</span></i><span lang="EN" style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Jos Purvis, Chief Worry Officer<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">&lt;slides available&gt;<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l10 level1 lfo15;background:white">
<a href="http://www.cisco.com/security/pki/trs/ios.p7b"><span lang="EN" style="border:none windowtext 1.0pt;padding:0in">http://www.cisco.com/security/pki/trs/ios.p7b</span></a><span lang="EN"><o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l10 level1 lfo15;background:white">
<a href="http://www.cisco.com/security/pki/trs/ios_union.p7b"><span lang="EN" style="border:none windowtext 1.0pt;padding:0in">http://www.cisco.com/security/pki/trs/ios_union.p7b</span></a><span lang="EN"><o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l10 level1 lfo15;background:white">
<a href="http://www.cisco.com/security/pki/trs/ios_core.p7b"><span lang="EN" style="border:none windowtext 1.0pt;padding:0in">http://www.cisco.com/security/pki/trs/ios_core.p7b</span></a><span lang="EN"><o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;background:white">
<b><span lang="EN" style="color:black">Q<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">Why move away from trusting others' trust?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;background:white">
<b><span lang="EN" style="color:black">A<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">Not a browser; used for other non-HTTP purposes, for example a trust store used for SMTP and SSL VPN.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;background:white">
<b><span lang="EN" style="color:black">Q<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">Does using CCADB mean automatic trust for CCADB CAs?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;background:white">
<b><span lang="EN" style="color:black">A<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">Not going to pull CAs out<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;background:white">
<b><span lang="EN" style="color:black">Q<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">Plans to make use of revocation info in CCADB?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;background:white">
<b><span lang="EN" style="color:black">A<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">Not at present<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;background:white">
<b><span lang="EN" style="color:black">Q<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">Requirement for specific protocols? (SCEP, etc)<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;background:white">
<b><span lang="EN" style="color:black">A<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">We want SCEP to die with fire<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;background:white">
<b><span lang="EN" style="color:black">Q<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">Are you continuing to update intersection/union store?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;background:white">
<b><span lang="EN" style="color:black">A<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">Yes<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;background:white">
<b><span lang="EN" style="color:black">Q<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">What about IPsec products? EST?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;background:white">
<b><span lang="EN" style="color:black">A<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">No default trust store. IOS 15 can pull the bundle.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;background:white">
<b><span lang="EN" style="color:black">Q<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">Mozilla has a public process for root program. Would you consider running as publicly as Mozilla?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;background:white">
<b><span lang="EN" style="color:black">A<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-left:.5in;background:white"><span lang="EN" style="color:black">We like transparency, but need to work with counsel to define our policy.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">WebTrust Update<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Note Taker: </span></i><span lang="EN" style="color:black">Kirk<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<a href="https://www.cabforum.org/wiki/WebTrust"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a><span lang="EN" style="color:black"> for CA Update<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Jeff Ward and Don Sheehy provided an update on </span><a href="https://www.cabforum.org/wiki/WebTrust"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a><span lang="EN" style="color:black"> for
CA issues.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">1. Current Status of Completed Projects – Changes since last Forum Face-to-Face meeting:<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">* </span><a href="https://www.cabforum.org/wiki/WebTrust"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a><span lang="EN" style="color:black"> Principles and Criteria for Certification
Authorities – Extended Validation SSL – Version 1.6 is effective for audit periods commencing on or after January 1, 2017. For audit periods commencing prior to January 1, 2017, auditors will use version 1.4.5.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">* </span><a href="https://www.cabforum.org/wiki/WebTrust"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a><span lang="EN" style="color:black"> Principles and Criteria for Certification
Authorities – SSL Baseline with Network Security. Version 2.2 is effective for audit periods commencing on or after December 1, 2016.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">* </span><a href="https://www.cabforum.org/wiki/WebTrust"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a><span lang="EN" style="color:black"> Principles and Criteria for Certification
Authorities – Extended Validation Code Signing. Version 1.4 is effective for audit periods commencing on or after January 1, 2017. For audit periods commencing prior to January 1, 2017, auditors will use version 1.1.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">* </span><a href="https://www.cabforum.org/wiki/WebTrust"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a><span lang="EN" style="color:black"> for Certification Authorities -
Publicly Trusted Code Signing Certificates - Version 1.0 (new as of February 2017). Version 1.0 is effective for audit periods commencing on or after February 1, 2017.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">2. Current Status of Ongoing Projects<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">* </span><a href="https://www.cabforum.org/wiki/WebTrust"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a><span lang="EN" style="color:black"> for CA (Principles and Criteria
for Certification Authorities) 2.1 - current version 2.0 is being updated with some minor changes. These include:<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l12 level1 lfo16;background:white">
<span lang="EN">Introduction section being updated to reflect digital certificates, CAs, browsers, etc., so it is not so e-commerce centric.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l12 level1 lfo16;background:white">
<span lang="EN">Disclosures no longer refer to </span><a href="https://www.cabforum.org/wiki/WebTrust"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a><span lang="EN"> Version 1 – ideally browsers want conformance to RFC 3647 but have not yet mandated it. Some major CAs still have not moved from RFC 2527.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l12 level1 lfo16;background:white">
<span lang="EN">Updating for technological advances.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l12 level1 lfo16;background:white">
<span lang="EN">Will adopt CABF’s view of Sub CAs, Intermediate CAs, and Issuing CAs.<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">* Practitioner Audit Reports – working with AICPA to release post-May 2017 reporting under SSAE 18. Canada and international reports undergoing minor updates to approved versions under CSAE 3000.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">* </span><a href="https://www.cabforum.org/wiki/WebTrust"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a><span lang="EN" style="color:black"> – RA – revised drafting underway, will need CABF comments (got a good start in the working group meeting).<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">* Practitioner guidance for auditors under development covering public and private CAs. Draft expected later this year.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">3. Some new and old issues<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">* Issues in Network Security leading to qualifications.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">* Cloud questions continuing to surface, as well as other third-party involvement, creating confusion and inconsistency on audit scope.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">* The attest/assurance standards are changing in the US and Canada.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">4. Audit reporting issues<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">* Consistency in reporting could be an issue.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">* As part of the reporting templates developed, </span><a href="https://www.cabforum.org/wiki/WebTrust"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a><span lang="EN" style="color:black"> will provide a sample report that discusses each section of the audit report to provide guidance to the browsers [what they should be looking for etc.].<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">* Possible creation of a transmittal letter?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">* Publicly available qualified reports.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">5. Audit reporting issues – questions posed<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">SSAE No. 18 was released earlier this year. What impact will this have on </span><a href="https://www.cabforum.org/wiki/WebTrust"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a><span lang="EN" style="color:black"> audits
in 2017? New standard should not impact the </span><a href="https://www.cabforum.org/wiki/WebTrust"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a><span lang="EN" style="color:black"> examinations/audits. The
reports themselves may look different or new words will be used, but the content will be more or less the same. There will be some additional requirements for the auditor, such as obtaining an understanding of internal audit or compliance groups as well as reviewing
any audit reports issued. For the </span><a href="https://www.cabforum.org/wiki/WebTrust"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a><span lang="EN" style="color:black"> examination/audit you should not need
to do anything different or create any new documents. The standard change will have the biggest impact on Service Organization Type 1 reports.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">6. Changes at CPA Canada (current information)<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">* CPA Canada staff members:<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l13 level1 lfo17;background:white">
<span lang="EN">Gord Beal<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l13 level1 lfo17;background:white">
<span lang="EN">Bryan Walker<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l13 level1 lfo17;background:white">
<span lang="EN">Kaylynn Pippo<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l13 level1 lfo17;background:white">
<span lang="EN">Lori Anastacio<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">* Consultant to CPA Canada: Don Sheehy (Vice –Chair)<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">* Task Force Members and Technical Support Volunteers:<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo18;background:white">
<span lang="EN">Jeff Ward (BDO) – Chair<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo18;background:white">
<span lang="EN">Daniel Adam (Deloitte)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo18;background:white">
<span lang="EN">Chris Czajczyc (Deloitte)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo18;background:white">
<span lang="EN">Tim Crawford (BDO)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo18;background:white">
<span lang="EN">Reema Anand (KPMG)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo18;background:white">
<span lang="EN">Zain Shabbir (KPMG)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo18;background:white">
<span lang="EN">David Roque (EY)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo18;background:white">
<span lang="EN">Donoghue Clarke (EY)<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">* Reporting Structure/Roles<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l6 level1 lfo19;background:white">
<span lang="EN">Gord Beal – </span><a href="https://www.cabforum.org/wiki/WebTrust"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a><span lang="EN"> coordinates Guidance and Support activities of CPA Canada<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l6 level1 lfo19;background:white">
<span lang="EN">Bryan Walker – seal system responsibility, licensing advisor<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l6 level1 lfo19;background:white">
<span lang="EN">Don Sheehy – Task Force and CABF<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l6 level1 lfo19;background:white">
<span lang="EN">Jeff Ward is Chair of the </span><a href="https://www.cabforum.org/wiki/WebTrust"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a><span lang="EN"> Task Force and serves as primary contact<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l6 level1 lfo19;background:white">
<span lang="EN">All Task Force members provide </span><a href="https://www.cabforum.org/wiki/WebTrust"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a><span lang="EN"> services to clients<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l6 level1 lfo19;background:white">
<span lang="EN">Volunteers are supported by additional technical associates and CPA Canada liaison but report to CPA Canada<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">ETSI and eIDAS Update:<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Note Taker: </span></i><span lang="EN" style="color:black">Connie<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level1 lfo20;background:white">
<span lang="EN">Slides confirmed by ETSI Members last week<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level1 lfo20;background:white">
<span lang="EN">Audit scheme is based on ISO 17065 for Conformity assessment, Audit Bodies must be accredited in Framework of EA or IA<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level1 lfo20;background:white">
<span lang="EN">ETSI provides precise audit criteria<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level1 lfo20;background:white">
<span lang="EN">For the full range of detailed norms and legal requirements, refer to Arno's presentation<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l19 level1 lfo20;background:white">
<span lang="EN">The latest standards, released last week, can be found at </span><a href="http://www.etsi.org/standards-search"><span lang="EN" style="border:none windowtext 1.0pt;padding:0in">http://www.etsi.org/standards-search</span></a><span lang="EN"><o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level1 lfo20;background:white">
<span lang="EN">New ESI activities<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level2 lfo20;background:white">
<span lang="EN">AdES Signature Validations Services<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level2 lfo20;background:white">
<span lang="EN">Signature creation Services<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level2 lfo20;background:white">
<span lang="EN">Registered E-Delivery Services Formats and CPs<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level2 lfo20;background:white">
<span lang="EN">Long-term (signature) preservation<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level2 lfo20;background:white">
<span lang="EN">Workshops in Washington and Tokyo<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;margin-top:6.0pt;mso-margin-bottom-alt:auto;mso-list:l19 level1 lfo20;background:white">
<span lang="EN">Discussion about trustworthiness of audit reports: Jody says there are CAs issuing SHA-1 certificates with a clean audit report.<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level2 lfo20;background:white">
<span lang="EN">Arno answers that the algorithms defined by ETSI TS 119 312 are mandatory<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level1 lfo20;background:white">
<span lang="EN">ACABC will give a presentation at the next CAB Forum F2F in Berlin<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level1 lfo20;background:white">
<span lang="EN">Discussion about key transparency for certificates and EU data protection requirements<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Guest Speaker: Eric Mill, GSA 18F<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Note Taker: Eric Mill</span></i><span lang="EN" style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Eric Mill from the General Services Administration gave an invited talk titled "Security and the enterprise, as seen from inside the U.S. Government". Eric introduced GSA's Technology Transformation Service and its 18F team
and some of its work.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Eric discussed the U.S. government's work on making HTTPS and HSTS the default for publicly accessible services, including the White House's formal HTTPS policy for the executive branch, GSA's and DHS' collaboration in scanning
government services to support this policy, and the progress seen so far from these efforts. Eric described a new recent supporting initiative from GSA, where the .gov domain registry (a program of GSA) will begin submitting newly registered executive branch
domains to supporting web browsers to be preloaded as HSTS-only.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Eric shared a series of issues in the U.S. government that inhibit strong enterprise security, which include a resistance to information sharing between agencies and with the public, and an overwhelming emphasis on compliance
without an equivalently strong grasp of engineering fundamentals. Eric described the government as theoretically intending to use compliance as a starting point for security, but in practice overlaying such intense layers of compliance that it effectively
becomes a stopping point.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Eric concluded by stating that the biggest issues facing enterprise security, as observed in his work in the U.S. government, were a lack of automation of operational processes, as well as a lack of technical expertise (particularly
software engineering) in places of authority and key operational/policy positions. Eric encouraged the audience to favor automation in their own systems and in those of their customers, to elevate technical expertise within their organizations, and to take
advantage of the Forum to achieve these goals.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Process for Adoption of Post-SHA-2 Algorithms<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Note Taker: Gerv</span></i><span lang="EN" style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Speaker: Phil Hallam-Baker<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">We need to be a bit more agile than we were with the SHA-1/SHA-2 transition<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">The old system didn't really work:<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo21;background:white">
<span lang="EN">SHA-2 proposed by NIST in 2001<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo21;background:white">
<span lang="EN">SHA-1 known to be shaky even at this time<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo21;background:white">
<span lang="EN">Only implemented in browsers in 2005<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo21;background:white">
<span lang="EN">Transition completed in 2017<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo21;background:white">
<span lang="EN">CAs and browsers were waiting for each other<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">And now NIST is no longer an authoritative source; USG not seeking to lead, Snowden, Dual EC<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">There needs to be someone who holds the speaking stick and drives the process, and CAB Forum is the best choice<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">What do we need?<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l8 level1 lfo22;background:white">
<span lang="EN">One default algorithm for each required function (signature, digest)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l8 level1 lfo22;background:white">
<span lang="EN">One backup algorithm deployed as "hot standby"<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">IoT means we need a 10-year planning horizon<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Proposes that the CAB Forum take on an endorsement role - not develop or write standards, but endorse those of NIST or IRTF<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Current priority: SHA-3, because we only have one hash algorithm (SHA-2), and it's based on the same design as SHA-1 and MD5<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Gerv</span></i><span lang="EN" style="color:black">: need 2 actively-used algorithms, not one in use and one "hot spare". (Ryan H endorsed this view.)<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Ryan H</span></i><span lang="EN" style="color:black">: are we really the right people to be doing the picking? We aren't cryptographers.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">PHB</span></i><span lang="EN" style="color:black">: Yes, if we consult the right cryptographers.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Ryan H</span></i><span lang="EN" style="color:black">: Post-quantum crypto is not yet advanced enough for us to pick an algorithm.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">PHB</span></i><span lang="EN" style="color:black">: Yes, we can't do anything useful here at the moment.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Tim H</span></i><span lang="EN" style="color:black">: We do have some info and opinions about who the experts are. But there is fanboyism. CAB Forum _could_ identify what our specific needs are, and communicate those better.
Both NIST and </span><a href="https://www.cabforum.org/wiki/X9F1"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">X9F1</span></a><span lang="EN" style="color:black"> have open processes for this.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Ryan S</span></i><span lang="EN" style="color:black">: Don't agree with the premise that we need to consider IoT. We need to consider what the set of acceptable algorithms is for issuance. What will browsers implement?
We need to determine what algorithms meet the minimum security goals of the forum. Allow the normal compatibility cycle to push convergence. Also not sure who the market is, as WebPKI serves many constituencies.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Gerv</span></i><span lang="EN" style="color:black">: Are we actually amplifiers rather than endorsers? We amplify noises made by groups of cryptographers.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">pzb</span></i><span lang="EN" style="color:black">: We shouldn't get ahead of "running code", in the IETF sense. Need to hear from TLS implementers - browsers, Cisco, Amazon...<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Andrew W</span></i><span lang="EN" style="color:black">: Implementation gap is not just browsers and CAs, it's HSMs, FIPS, CA software, etc. So practically, if we are talking to vendors of these products, ask them what
their plans are for this.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Ryan H</span></i><span lang="EN" style="color:black">: We are a huge voting bloc for HSM vendors. HSM vendors would do something if everyone in this room jumped up and down. More is not better, though. Group have a philosophy
and principles to say that you need something that works for embedded devices, something that's post-quantum, but not necessarily make any choices but rely on CFRG or similar.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Chris B</span></i><span lang="EN" style="color:black">: It would help, when talking to HSM vendors, to be able to point back to something as official.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Kirk</span></i><span lang="EN" style="color:black">: Suggest emailing a group 3x a year asking for things we need to know, recommendations, etc. A formal enquiry process.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">PHB</span></i><span lang="EN" style="color:black">: Some of the things like OIDs need to be cut, and only in one place. But when PHB asks for them to be cut, the question is "who wants to use them"?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Future of Web PKI (Part 1)<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">No Minutes.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Day 2 - Thursday, March 23<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Attendees: See list for Day 1.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">SHA-1 Deprecation and Exception Process – Lessons Learned<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ryan Sleevi presenting. <i>Note Taker: Robin Alden</i><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">It's 2017. We have deprecated SHA-1. Everything was OK, and it was a successful transition which should be the model for all future transitions! (not!)<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">It could have been worse.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Who thinks it went too fast?<br>
Jeremy Rowley: Lack of communication early on in the timeline.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Who thinks it went too slow? (several hands)<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Bruce Morton: Started too late.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Who thinks it was the wrong way to handle these deprecations? This is probably not a model we should use for every deprecation.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Chris Bailey: A lot was right. I agree about timing issues.<br>
A lot of CAs send out communications and customers don't read them.<br>
Google UI change? - The pain of the lower validity period made customers start to take notice.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ryan: I think we'll come around to that.<br>
Getting a sense of the room. We know there's pain.<br>
We (browsers) are not entirely pleased with how it went.<br>
Apple - will drop SHA1 soon. </span><a href="https://www.cabforum.org/wiki/MicroSoft"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">MicroSoft</span></a><span lang="EN" style="color:black"> - nearly there.<br>
CAs - SHA-1 exception process was painful.<br>
OCSP / SHA1 - not sorted out in time.<br>
Site operators and users were unhappy because of the issues getting SHA-1 certs, and the user experience.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">We should take a look at what went wrong, what went well, what we got lucky on, and what we should do differently.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Yes this was an algorithm shift, but it could be a changed certificate profile next time - the transition process is the same. This is not just about Algorithms, it is more a forum process question.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">We are familiar with post-mortems. No blame, just analysis.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">What should we do differently?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Bruce: we did 1024 to 2048 and that was successful. Ryan: Browsers didn't turn off 1024<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Peter Bowen: as a consumer of certs, one thing that's different with SHA-2 from the 1024/2048 change - it turned out that a lot of devices just didn't support SHA-2.<br>
(Peter gave an Amazon-internal example)<br>
Let's say that RSA gets factorable, we might have the same problem going to ECDSA certs because some things don't support it (although many do). We didn't notice things broke until we started testing them.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ryan: Agreed, no one knew all the things that would break.<br>
Peter: We got lucky because we were running a private CA (for his internal example). The more devices that use the same trust store, the bigger the problem gets, e.g. payment terminals. Alex: They lacked agility. Peter: Some devices need 25 year certs with an
unchangeable protocol. OK, but they can't also use the same trusted public roots.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ryan: A number of CAs pulled roots to support legacy certs. A fairly nasty option. E.g. Cloudflare. Tara Wheeler: E.g. medical devices. Longevity of device usage is often tied to the lowest tech capability of the organizations
that support them. These same places also get burdened with the education into operating / updating them. If it's a question of money, you CAN'T get them to do it. That is the actual long tail of how it's hard to get some devices updated. The people that are
least able to understand the security are the ones who need it the most.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ryan: We didn't know what the edge cases were. On MS Windows, when Chrome tried to turn off SHA-1 we hit edge cases.<br>
E.g. google.com. Used a certificate from the Symantec </span><a href="https://www.cabforum.org/wiki/GeoRoot"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">GeoRoot</span></a><span lang="EN" style="color:black"> (CA) which had been
cross-signed by the Equifax root. A SHA-1 cross-signature from a root with a 1024 bit RSA key. The Equifax root was not actively used. The </span><a href="https://www.cabforum.org/wiki/GeoRoot"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">GeoRoot</span></a><span lang="EN" style="color:black"> is
not shipped with Windows 7 RTM, it is downloaded on demand through the </span><a href="https://www.cabforum.org/wiki/AuthRoot"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">AuthRoot</span></a><span lang="EN" style="color:black"> update.<br>
Because it was not part of the baked-in binary, when we turned off SHA-1 users got a message that there's a SHA-1 cert for google.com when on a client with Win7r1 with no auto-updates applied. We only saw this problem well after the product launched. This example
speaks to a lack of knowledge of what the PKI looks like and what the edge cases are.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Rick Andrews: There was a perception that CAs weren't pushing customers to deploy SHA2 certs. As long as there are browsers that don't support SHA2 - the choice for the customer is "Would you like a modern certificate that
doesn't work everywhere, or a SHA-1 certificate that works everywhere but may be weak." It is a no-brainer for most customers. They want the certificate that works. When almost all clients support both, it is easy to offer the new algorithm. The choice is
seen as forward looking and strongest vs legacy.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ryan: Using that as an example of what went wrong, is the problem that you know it's not going to work?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Rick: The problem is that there is empirical evidence that there are a few pockets where it won't work.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ryan: For the SHA-1/2 transition we had a SHOULD in the BRs. We don't know where it's not going to work. Millions of devices?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Rick: It is true of browsers and of other devices.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Peter: Why would you want to break any customer if you don't have to? We knew SHA-1 was weak for a long time. There is a cost-benefit tradeoff. We knew we were cutting a long tail off. We knew there was a tail of SHA-1 only
kit out there. The economic reality is that for customers with an e-commerce platform that sells goods, you have to do that balancing. TLS is not for long term protection. I need to understand how long I am protecting data for. 50 yrs, or to 2030, or a few
hours. There are different trade-offs to make in each case.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Gerv: It strikes me that the best way to avoid the long tail is to get the core libraries to implement new algorithms 15 years before it becomes essential.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ryan: Lets keep looking at what went wrong (first).<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Gerv: Something that went wrong: Crypto library providers were not sufficiently proactive in implementing new algorithms. A system that deals with non-updating devices is better than one that doesn't. SHA-2 came with WinXP
SP2. SHA-1 was defined in 2001(?). Windows XP SP2 was 2009(?). It would have been nice to have it earlier.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ryan: Summary: Devices did not support SHA-2. Chrome was 'lucky' because they could backport SHA-2 to Windows XP because it was pluggable.<br>
More examples of edge cases. StartCom had an intermediate </span><a href="https://www.cabforum.org/wiki/StartCom"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">StartCom</span></a><span lang="EN" style="color:black"> G2. Eddy prepared
two versions, one SHA-1 and one SHA-2, to give customers the choice. The issue was an edge case related to every platform's chain-building library: you didn't know what path it was going to build.<br>
DigiCert had a similar problem on Mac OS.<br>
Summary: We don't know what chain the products are going to build. Tough to rely on undefined behaviour.<br>
Another example: legacy root removals. You don't know what the path is, so you don't know the effect of a legacy root removal. Red Hat, Ubuntu, etc. are still shipping 1024 bit roots because OpenSSL up to 1.0.2 still prefers the longest chain possible.
This is a problem for future deprecation.<o:p></o:p></span></p>
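<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">The path-building problem described above, as an added illustration (not part of the minutes, nor any CA's or browser's tooling): a small Python audit that enumerates every chain a verifier could build for a leaf and flags SHA-1 signatures and sub-2048-bit signing keys on each. The hierarchy is constructed with placeholder names to mirror the cross-signed-root case, and a shortest-first versus longest-first preference stands in for the differing library behaviour the minutes mention.<o:p></o:p></span></p>

```python
"""Enumerate the certification paths a verifier could build for a leaf and
flag the ones that traverse weak cross-signatures.

Added illustration, not from the minutes.  The hierarchy below is constructed
to mirror the case described above: an issuing CA whose root is itself a trust
anchor but is also cross-signed, with SHA-1, by a 1024-bit legacy root that
some trust stores still carry.  All names are placeholders, not real CAs.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_alg: str   # algorithm the issuer used to sign this certificate
    key_bits: int  # size of this certificate's own public key


# Constructed sample hierarchy (placeholder names).  "ExampleRoot" is both a
# trust anchor (see TRUST_STORE) and the subject of a cross-certificate that
# "LegacyRoot" signed with SHA-1 using its 1024-bit key.
CERTS: List[Cert] = [
    Cert("www.example.test", "ExampleCA G3", "sha256WithRSAEncryption", 2048),
    Cert("ExampleCA G3", "ExampleRoot", "sha256WithRSAEncryption", 2048),
    Cert("ExampleRoot", "LegacyRoot", "sha1WithRSAEncryption", 2048),
]

# Trust anchors by name, with the size of each anchor's signing key.
TRUST_STORE: Dict[str, int] = {"ExampleRoot": 2048, "LegacyRoot": 1024}

MIN_RSA_BITS = 2048


def build_paths(leaf: Cert, certs: List[Cert], anchors: Dict[str, int]) -> List[List[Cert]]:
    """Return every path from leaf up to (not including) some trust anchor.

    A path is recorded whenever the top certificate's issuer is an anchor, but
    the walk continues, because the anchor's name may also be the subject of a
    cross-certificate; that is what produced the extra, weaker path in the
    google.com case."""
    by_subject: Dict[str, List[Cert]] = defaultdict(list)
    for c in certs:
        if c.subject != c.issuer:       # self-signed certs are anchors, not path elements
            by_subject[c.subject].append(c)
    paths: List[List[Cert]] = []

    def walk(path: List[Cert]) -> None:
        top = path[-1]
        if top.issuer in anchors:
            paths.append(list(path))
        for cand in by_subject[top.issuer]:
            if cand not in path:        # loop guard for mutual cross-signing
                walk(path + [cand])

    walk([leaf])
    return paths


def preferred_path(paths: List[List[Cert]], prefer_longest: bool) -> List[Cert]:
    """Pick the path a shortest-first or a longest-first chain builder would use."""
    return max(paths, key=len) if prefer_longest else min(paths, key=len)


def weaknesses(path: List[Cert], anchors: Dict[str, int]) -> List[str]:
    """Describe each SHA-1 signature or sub-2048-bit signing key on the path."""
    found: List[str] = []
    for i, cert in enumerate(path):
        # The signer is the next cert in the path, or the anchor at the top.
        signer_bits = path[i + 1].key_bits if len(path) > i + 1 else anchors[cert.issuer]
        if cert.sig_alg.lower().startswith("sha1"):
            found.append(f"{cert.subject} is signed with SHA-1 by {cert.issuer}")
        if MIN_RSA_BITS > signer_bits:
            found.append(f"{cert.subject} is signed with a {signer_bits}-bit key of {cert.issuer}")
    return found


def audit(leaf: Cert, certs: List[Cert], anchors: Dict[str, int]) -> Dict[str, List[str]]:
    """Map each candidate path (rendered 'leaf > ... > anchor') to its weaknesses."""
    report: Dict[str, List[str]] = {}
    for path in build_paths(leaf, certs, anchors):
        label = " > ".join(c.subject for c in path) + " > " + path[-1].issuer
        report[label] = weaknesses(path, anchors)
    return report


if __name__ == "__main__":
    for label, issues in audit(CERTS[0], CERTS, TRUST_STORE).items():
        print(f"{label}: {'OK' if not issues else '; '.join(issues)}")
```

Run against a CA's own hierarchy (with real certificates parsed into the same fields), the longest-first result is what an operator should expect older OpenSSL-based clients to build, and the shortest-first result what most browsers build.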
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ryan: trying to figure out all the ways.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">PZB: What went wrong and why, and what do we do in the future. We need to be looking at what we want to change. Great that Phil spoke yesterday about hash algorithms. EdDSA - nothing supports it yet! How do we mitigate this going
forward?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ryan: Equally applicable to introduction of shortlived certs, or for a change in the profile of OCSP or CRL.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Deb: We deprecated SHA1 in March 2006. In the late 90's, SHA to SHA-1 was an easy transition. SHA-1 to SHA-2 has been horrendous. Someone comes and says 'people are dying' - we say 'OK'. We have teeth, but not many. We can
advertise when things should be deprecated. Have a hard time making it happen.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Gerv: This is what we were discussing yesterday. We can amplify other signals. If NIST are making noises, we can amplify them.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ryan: I don't think amplification went well. We laid out the plan in 2013. Some CAs had reseller APIs that could not issue SHA-2. For a number of CAs the hierarchy was not in place, the APIs didn't offer the option. There
were hoops that subscribers had to jump through, e.g. get SHA-1 first, generate a SHA-2 CSR (which was apparently hard). Examples on Eric's SHAAAAAAAAA site. Amplification started 2012-14. Maybe that's how long it takes, or maybe we should be doing more.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Gerv: Maybe we should have requirements for 'required' algorithms - not just 'permitted'.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ryan: What are we going to do differently? Where are the biggest pain points? Where are the levers to lean on?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Wayne: What 3 things went worst?<br>
Ryan: 1. One of the biggest is that the ability to find out what is not going to work was incredibly difficult. If you want SHA-2 you can't get SHA-2. If you deploy it, how do you get feedback? How do we explain WHY and what we are trying to do? Can we sign SHA-1 OCSP responses?
Can we sign SHA-1 CRLs?<br>
2. Another big problem is that there's a lack of info and education as to why things are changing.<br>
3. (Biased to browser) One of the biggest challenges is that understanding path-building is a black art. Many CAs probably don't know the paths that are going to be built. Payment gateway vs browser with updates vs browsers without updates. Concern with the
proposal to put EKUs into intermediates - what will it break?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Jeremy: Some CAs didn't have APIs (e.g.). Would it help to make a list of the causes?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ryan: Yes. Overrunning, but I'd love to figure out (e.g.) issuing SHA-2 by default, because it will break things. Increases support costs, increases user frustration. Is there a world where CAs issue the new by default? How do
we push the ecosystem forward?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Jeremy: We turned it on by default in 2013. Partners and resellers kept pushing SHA-1 by default through their APIs. Pushed the deadline to get them to change their code.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ryan: So you were pushing SHA-2 - but resellers etc. hard-coded to SHA-1.<br>
Jeremy: Yes. We emailed them - no one reads the emails.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ryan: Not something we'd put in the URL bar. We have the amazing crawling engine. We can motivate people through their advertising.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Kirk: Path building - Do we need to go back to the standard to shore that up?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Alex: Shortening cert lifetimes will do nothing but help. The shorter the lifetime, the quicker people discover what breaks. There's a lot CAs could do to push new tech to their customers. Push the new. Pain points in different
platforms point to algo agility. Is there an approach or framework we can think about to have lib writers build in agility? SHA-2 was a first big transition. Learn from it. Algo agility - library agility.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Deb: Did you ever consider giving both a SHA-1 and SHA-2 cert?<br>
Ryan: Some CAs charged more (or again) for the SHA-2. Some CAs required manual contact or a support call to get the new.<br>
Deb: So if we required both...<br>
Ryan: Look at </span><a href="https://www.cabforum.org/wiki/CloudFlare"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">CloudFlare</span></a><span lang="EN" style="color:black"> - SHA-1/SHA-2 cert switching to serve a cert the client could
do.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Gerv: Alex said libraries are like concrete. Independent of the idea of a transition from SHA-2 to SHA-3, </span><a href="https://www.cabforum.org/wiki/HeartBleed"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">HeartBleed</span></a><span lang="EN" style="color:black"> shows
that concrete libraries won't work. Nice to tell people they can't deploy OpenSSL in a device that has to work for 5 years without updates.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">PZB: We basically have one kind of cert. Server auth, pretty much usable anywhere. Cisco - yesterday's presentation about their root program was interesting. They found some trust list and shipped it. Then they say to CAs - we need a
cert because it's the only thing a Furby supports. Is there a way we can separate off people who like updating and those who won't? How do we isolate the risk from this stuff? Common Names - there will be customers who can't take that. How do we continue to support
them?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ryan: Fully sensitive to the reality of 'can't issue' because of this. So many devices have baked-in root stores. Developers may be 3-person teams, may be a medical device with limited resource to develop. May be a mom-and-pop
shop that can't take the cost. Don't issue vs don't trust. Trajectory of modern crypto is that stuff will change. I can't tell you what to do with your product (although I can shame you on Twitter). How do we allow terrible nasty things to be issued where
needed - while protecting the web?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Deb: Talking about shortening cert times, CA and root CA cert lifetimes are also too long.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Gerv: The fact that this forum was instrumental in pushing the payment industry to better crypto was an upside.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ryan: What we did cost a lot of time and forced people towards less optimal solutions.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Gerv: I wonder if we can use the SHA-1 experience to build a dependency graph. If we fulfil all these tasks then we can switch. The fewer things we address, the more pain there will be. Means we can analyze progress and push
the right levers.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ryan: I would push back - one of the big things is the unknowns and the lack of involvement of some parties. You can call them fools for not updating, but they're not here.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Geoff: Talking about incomplete knowledge. MD5 to SHA-1 didn't go so badly. Before MS made their announcement, SHA-1 was strictly better than SHA-2 in every way (as a cert owner). MD5 to SHA-1 - probably wanted MD5 unless talking to
gov or other edge cases when you needed SHA-1. So some SHA-1 certs out there all the time. Helped flush out ecosystem problems.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ryan: I challenge. MD5 transition was terrible. We knew it was broken in 2006, but didn't turn it off until 2016. Broke every school in America. <br>
</span><a href="https://www.cabforum.org/wiki/BlueCoat"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">BlueCoat</span></a><span lang="EN" style="color:black"> - if you wanted to get the SHA-1 version, you had to update your support
contract (and pay the back support costs). We thought - surely turning off MD5 will be easy, software supports SHA-2, but everything was really painful.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Geoff: Apple has not yet announced when it will turn off SHA-1 in everything - because it's scary down in the details.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ryan: OpenSSL will still accept MD5 as 'secure'!<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Should we have a workgroup? I don't know what the best medium is going to be, but we need to figure out something.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Chris Kammerer: Organizationally, the CABF has working groups - this sounds like a WG task.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">The Role and Relationship of the Forum<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Note Taker: </span></i><span lang="EN" style="color:black">Andrew<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Are the documents we produce legal documents or technical standards, and how does that influence how we do participation and how we manage them?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Do we provide feedback or guidance to these documents? If they are legal documents then it's up to the courts to interpret, we just provide the framework and the words, and it's up to auditors to work out what we meant.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Or should we have a process more like a technical standard where you file errata to say "I don't know what this means"?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Are we slightly different from the world at large because we assume that people here have good intentions?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Most of the organisations assume good intent. Is there a consistency of technical skill and knowledge to define specific phrases, and interpret them in an appropriate context? E.g. "a certificate signs a certificate", what
does that actually mean, who does that signing?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Also a question, when talking about a document like the BRs, we're talking about trusting issuance. The BRs set prohibitions on what you can issue. You should not issue anything that looks like this. Are we trying to say
this is the best, or the minimum? How do we gain feedback? Is the discussion about what root programs are going to require something that should be discussed in the forum? Or is that something that root programs announce in the forum?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Question of the future of the web PKI, what are we trying to do here? Is this meant for browsers to declare proclamations and to deconflict those things with other browsers? Is it for CAs to say we don't think this should
be issued, this should not be trusted. In the past year there have been a variety of conflicts in approach and information shared and how we should use that information, so what are we trying to do?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">The original intent behind the forum was to stop things getting worse.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Ok, we stopped it getting worse, should we try to make it better? Is this the venue for that?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Deconflicting browsers is one of the top values of the forum. There are a growing number of root stores. We've seen root programs that are out there become more formalised, e.g. Microsoft doing their contracts a while ago. Also work
with the PCI Security Council, and although it's a very different industry it has a similar dynamic, as it's a whole load of brands who all want to be able to use the same payment terminal, so they are trying to create standards that all the payment brands
will accept. The brands are the only voting members, but there's a second tier made up of acquirers, merchants etc. who do a first round of "is this the direction we should go" and then send to the brands for approval. Slightly different model, but there as
here the value is coordination.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">PCI is a great example of a different power dynamic or a different relationship and it gets to the point of what is the PCI council trying to do and what is the forum trying to do. Trying to decide on the "thou shalt not
issue" points, stop doing this terrible thing, and then there's the question of "is this thing not good enough any more", and how do we have that discussion. It's separate from not allowed to, just that it's not good enough. SHA-1 was a good example of communicating
intent and then we implemented the UI change. That wasn't a forum vote on the UI, we just saw it as the right direction for our product.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Earlier in the presentation, there was a question of whether we could provide guidance, if it's hard for people to understand the requirements or they need clarification. Perhaps others have a position of not interpreting things
because they want to stay out of trouble. But that shouldn't stop us proposing ballots to clarify things, and maybe provide guidance on how things should be interpreted. That could be done on the public list so people could search for it there, rather than
having to create a new section of the website dedicated to supplemental advice etc. which would create a lot of overhead.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">I heard a director at NIST say the CA/B forum was a model of how industry collaboration could work and it was a spectacular example of how things could be done the right way. And I love that because it says we can
be flexible, and can set our own standards and govern ourselves. There are regulatory questions as to whether we're a technical or a legal body. And keeping things free form can help us to maintain a lot of the purpose. Collaboration and cooperation is a great way
to go.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">On the idea of the role, when somebody says there's a bad thing - do we all agree it's a bad thing? Is the role to assess the risk and agree what's bad? Or is the idea to come up with standards that address risks that are defined
elsewhere? At the moment I think we do a bit of both. Does that cause slowness?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Not sure if it causes slowness but it definitely causes friction. The BRs are a big list of "thou shalt nots", and to get a thou shalt not there has to be some agreement. Is a consensus ballot on the forum a sign that "this
is good" or just "this isn't that bad"? I think that touches on ballot 193. Should we put out ballots to see how many people hate it or should we send out a mail to the list to give people a heads up that something is going to be a program requirement in three
months? How should we approach those discussions? And then there's the specter of things like eIDAS.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">One of the reasons the forum was founded was to encourage collaboration between browsers' root programs. Even if something is definitely going to be a root program requirement then it's good to see if it's something the forum
wants to adopt and take a first shot at. But it's nice to get all the browsers to give their input so we don't get inconsistent policies. And putting things to the forum as a ballot first isn't something that the forum has traditionally done.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Though a ballot that's put out with the assumption that not all of it is realistic is a good way to shake out what parts are unrealistic and why. E.g. x months vs y months. With many proposals there are lots of knobs and
dials. Like doing CAA with walking or not.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">There's the way that Mozilla has done it, using their own public list to propose something and give an FYI to the forum, is that a good approach? Should it go to the forum first and then to Mozilla's list? Mozilla likes to
do things publicly, and with the forum the most important list is the questions list that can't be searched publicly. And that's why one of my first replies to a question is "can I post this question or reply over to the public list so it can be made searchable?"
Should we make the questions list public?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Yes, we should probably make the questions list public. And I do think we are responsible for providing guidance, it's not like this is a legislative session where we can't. And there's a designated responder.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">One recent example is the questions about CSRs. What is the process we use to find the answer? The correct process, at least in the bylaws, is that somebody sends a question to the questions list, there's a proposed response,
and the designated responder sends the response after some period. If we say that's a legal document that's not consistent. But if it's a technical document then we should be tracking errata and do what other bodies do, which is maintain an archive of ambiguity:answer,
and we'll fix that after we've banged out the details.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Yes, we should maintain that archive.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Thank you for telling us that things are confusing, and good luck!<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">So what are the next steps? Should there be a bylaw change?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Before moving on to that, one point to make - might be shared by several CAs. When you see a question, and the CSR is a good example, where we look at the question and think "I have an opinion on this, but if I'm wrong, I
could be toast". So I'm not going to say anything at all and see what the answer turns out to be and then I can assess the impact to me. When something comes up where there's a big area of ambiguity nobody wants to put their foot in it and admit that what
they are doing might not be compliant. So maybe something like, when there is an area of ambiguity identified and it has been resolved, there's some period, maybe 90 days, where everybody has a chance to fix the problem if they are doing things differently.
Can do that through the balloting process, but that seems painful. Could do it through the errata process, as part of declaring an errata.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">This is a Mozilla type thing. E.g. we found a policy violation X. Nobody but one party interpreted it as X, so that interpretation goes against the common understanding. Assuming good intent, but how did you come to that conclusion
when everybody else reached another? That's an open challenge, since we're talking about compliance, on how to figure this out. When the areas of uncertainty are with auditing, can auditors talk about it? It's one thing when they are unsure and they can bring
it up with the task force.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Can we solve the technical document vs. legal document issue?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Why are we discussing legal vs technical documents when the topic is the role of the forum?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Let's back up for a second. Is the forum a standards defining organisation? Standards defining organisations do things like provide guidance on the documents they produce, and they process errata. Or are we just a group of
people and the standards defining bodies are ETSI and CPA Canada, so what we say doesn't matter, but we just produce guidance to those bodies. Or are we creating things that become part of contract law, such as appending the BRs as part of a legal document. If
so, then our respective legal teams would have an opinion on whether we could have an opinion on e.g. should FIPS be turned on. Are we going down the standards or the legal path?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">All technical standards documents end up being a legal document to somebody somewhere. There's a contract saying you need to build a bridge according to some ISO standard, and eventually somebody will end up in court arguing
they can do this or that according to the standards, and it's for the court to decide. Another interpretation of the forum is just the root stores telling CAs what to do with a unified voice. And if you look at it that way things become even more strange because
different browsers have very different ways of telling CAs. The concept of the CA/Browser Forum was always to provide a way for browsers to create requirements and a way for CAs to say that's impossible. So it's not really a legal or technical question, but it's much
closer to technical. Did that help?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Wrapping up: There's some consensus that there should be a way to collect feedback on confusion, which can provide amnesty. Maybe CAs could launder questions through their auditor, who could pass them to CPA Canada, who could raise
them to the forum to provide a degree of anonymity. Can we define a process to collect and publish this, and a process for when only one CA says no, this is totally OK and 99 CAs say yes? Open question is if we need to formalise any of that consensus, and question of
if the forum adopts X should it be that anything less than X is terrible or that X is the best we can be doing.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Mozilla Proposal: Forbidding Delegation of Validation to Third Parties<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Note Taker: </span></i><span lang="EN" style="color:black">Jos<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Gerv offered that Mozilla is considering a new program requirement that 3.2.2.4 and 3.2.2.5 validations must be done by a CA or by an RA who is an affiliate of the CA, and would like to know if this would be a problem for
CAs. He clarified that this means 3.2.2.4 (domain validation) and 3.2.2.5 (IP ownership validation) using one of the ten—or later seven—'blessèd methods of validation', and using the Baseline Requirements definition of an "affiliate", including the definition
of "common control". It would cover every end-entity certificate issued by an issuing CA that is controlled by a particular authority in the Mozilla store: that is, the controller of that immediately-issuing CA, or one of its affiliates, would be required
to do the validation. Gerv was asked about creating this as a ballot, and responded that he'd like to, as other root store programs seem to think this might be a wise idea, and asked if there would be objection to doing this at the forum level as opposed to
the Mozilla program level. Later discussion settled firmly on the idea of doing this as a ballot, which Gerv, Peter Bowen, and others will collaborate to put before the forum in the near future.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Kirk asked what problem was being solved with this change. Gerv replied that CAs are outsourcing domain validation to companies that were doing a bad job. Peter raised the objection that there are frequent cases where an
organization owns a base domain (e.g. 'example.com') and then has an agreement with the CA to designate someone internal to do validation below that level. After some discussion, the consensus seemed to land on the CA or its affiliate being required to validate
that "example.com" is an entity in 3.2.2.4 terms, and then what happens below that tree is part of the relationship between a CA and its customer, with the need for that "example.com" validation to be re-done every 825 days as per ballot 193. [Considerable
discussion about this 825-day change occurred, which led to the creation of ballots 194 and 197...]<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Kirk asked how this would play into the rules around RAs, and asked about how audits of RAs would apply here and whether those would be considered sufficient to cover this activity without the need to stop it. Gerv pointed
out that the length of time it took to establish 3.2.2.4 (two years) was an indicator that this function is hard, and that given the number of edge cases identified in that work, getting domain validation right is extremely difficult and a core CA competency:
domain validation is the sine qua non of a CA. Ryan added that while disclosure and audit are crucial, the review of audits and recent events have clearly shown a gap where third parties are performing these functions but for which no disclosure exists or
their technical competency is in question, and for which either the audit letter does not disclose issues or is insufficient to reveal whether issues exist or not.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Robin asked whether the fact that this is coming up indicates a larger problem with our reliance on audits across a service contract between organizations. Ryan and Gerv both agreed with this, and both felt that this was
a systemic issue that needed fixing, but was too large a problem to tackle completely at the moment. Forbidding third-party domain validation was, Ryan felt, the low-hanging fruit that could be dealt with now, as it is not acceptable to wait three years while
domain validation slipped in under the door.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Peter made a counter-proposal of requiring that any time a CA delegated this particular function, they had to issue an RA certificate of sorts that defined the entity and the scope the entity was permitted to validate. Ryan
felt that while this met the goal of transparency, it created a lot more work for root store operators in reviewing yet more audit reports, versus simply forbidding it as a simpler and more immediate approach.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Gerv added here that his goal beyond transparency was reducing the number of things doing domain validation in the world, without constraining the number of CAs. If CAs aren't generally delegating out their domain validation
(as judged by the lack of any concrete objections from the floor), forbidding it made sense by defining domain validation as part of the expected core responsibilities of a CA. He clarified that this did NOT mean constraining competition, but instead just
the number of validation implementations: that is, the ideal solution would be if CAs came together and created a limited number of well-audited methods or libraries for performing this function that they could then choose from, much like crypto libraries.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Robin asked what would happen with a CA that outsourced all of its functions to a third party like a service provider, such as a "white-label CA service", so the CA only wrote the management assertion letter but let a service
provider do everything else. The general agreement was that the wording of the ballot should account for this but not prevent it, but there was no agreement on a specific solution to it.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Chris asked the </span><a href="https://www.cabforum.org/wiki/WebTrust"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a><span lang="EN" style="color:black"> auditors whether
auditing validation practices of RAs would fall under the scope of the </span><a href="https://www.cabforum.org/wiki/WebTrust"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a><span lang="EN" style="color:black"> for
RA standard being developed. Jeffrey clarified that the </span><a href="https://www.cabforum.org/wiki/WebTrust"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a><span lang="EN" style="color:black"> for RA standard
would be based on the standards criteria developed by the Forum, and that if an RA were doing validation work, that work would be covered by the </span><a href="https://www.cabforum.org/wiki/WebTrust"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a><span lang="EN" style="color:black"> for
RA audit.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Code of Conduct<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Note Taker: </span></i><span lang="EN" style="color:black">Wayne<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l17 level1 lfo23;background:white">
<span lang="EN">Current code of conduct displayed - </span><a href="https://cabforum.org/wiki/ProfessionalConduct"><span lang="EN" style="border:none windowtext 1.0pt;padding:0in">https://cabforum.org/wiki/ProfessionalConduct</span></a><span lang="EN"><o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level1 lfo23;background:white">
<span lang="EN">Tarah asked if it should be called “Code of Conduct” or “Civil Discourse” as it is on the wiki<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level1 lfo23;background:white">
<span lang="EN">Show of hands for “Code of Conduct” – many hands<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level1 lfo23;background:white">
<span lang="EN">Gerv said the current doc isn’t really a COC. Tarah agreed, we don’t really have one<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level1 lfo23;background:white">
<span lang="EN">Tarah asked of any objections to establishing a COC – no objections<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level1 lfo23;background:white">
<span lang="EN">Tarah suggested that someone needs to go away and draft one<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level1 lfo23;background:white">
<span lang="EN">Peter suggested there are many existing ones<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level1 lfo23;background:white">
<span lang="EN">Tarah clarified that she’d take an existing one<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level1 lfo23;background:white">
<span lang="EN">Peter suggested we review one<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level1 lfo23;background:white">
<span lang="EN">Gerv said there are two buckets – some driven by a political agenda which include a set of values. Others just describe what we will do – Gerv recommends the latter<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level1 lfo23;background:white">
<span lang="EN">Tarah says the Ubuntu COC is often adopted by other orgs and it’s a good one<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level1 lfo23;background:white">
<span lang="EN">Gerv said Ubuntu’s COC does contain a value statement<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;mso-list:l17 level1 lfo23;background:white">
<span lang="EN">Peter displayed the WHATWG COC - </span><a href="https://wiki.whatwg.org/wiki/Code_of_Conduct"><span lang="EN" style="border:none windowtext 1.0pt;padding:0in">https://wiki.whatwg.org/wiki/Code_of_Conduct</span></a><span lang="EN"><o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level1 lfo23;background:white">
<span lang="EN">Peter – what happens if COC is violated?<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level1 lfo23;background:white">
<span lang="EN">Tarah – We’d have a discussion of consequences on mailing list<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level1 lfo23;background:white">
<span lang="EN">Tarah – should we review and pick one?<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level1 lfo23;background:white">
<span lang="EN">Virginia – we should use it as a template, but modify to our own needs<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level1 lfo23;background:white">
<span lang="EN">Tarah – anyone in favor? Many hands raised<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Patent Advisory Group update<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Note Taker: Kirk Hall</span></i><span lang="EN" style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Kirk presented the following summary of the progress of the Patent Advisory Group (“PAG”) that was created in response to the Exclusion Notices filed for Ballot 182 (domain validation methods).<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">By way of background, Kirk noted that the Forum operates subject to an Intellectual Property Rights Policy (“IPRP”) that is similar to the intellectual property rights policy of other self-regulatory organizations (SROs)
such as W3C. The current IPRP version is Version 1.2. One goal of the Forum is to seek to issue Guidelines that can be implemented on a Royalty-Free (RF) basis subject to the conditions of the IPRP.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Under IPRP Sec. 7, Forum members may file Exclusion Notices concerning defined Essential Claims arising from patents and patent applications that are necessarily infringed by implementation of any Normative Requirement in
a Final Guideline or Final Maintenance Guideline. Members may file Exclusion Notices during a 30- or 60-day Review Period following a Forum ballot. If Exclusion Notices are filed during a Review Period (as well as under other circumstances stated in the IPRP),
a PAG may be formed to “resolve the conflict” between the Exclusion Notices and the Forum’s goal of issuing Guidelines that can be implemented on a RF basis. See IPRP for more information.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">The Forum’s Ballot 182 proposed certain domain validation methods be added to Baseline Requirements (BR) Section 3.2.2.4, and generated three Exclusion Notices (including amendments) during the Review Period as shown in the
table below. In response, this Ballot 182 PAG was formed, and has been meeting from time to time since January 2017.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Next, Kirk summarized the progress of the PAG meetings that have occurred. During the course of these PAG meetings, it was noted that other SROs such as W3C pass many guidelines, but exclusion notices are rarely filed, even
though W3C members hold many patents relevant to the guidelines. They uniformly intend to grant RF licenses (“RFLs”), so they take no action and allow a RFL to be granted automatically under the terms of the W3C IPR Agreement, on which the Forum’s IPRP was
modelled.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">By March 2017 there was consensus in the PAG that members who intend to grant a RFL for Essential Claims patents and patent applications (“IP”) they hold encompassed in a Forum Final Guideline or Final Maintenance Guideline probably
should not file Exclusion Notices indicating a willingness to grant a RFL. Under the IPRP, Exclusion Notices are limited to cases when a member does not want to grant an IPRP Section 5.1 RFL. Instead, under IPRP Sec. 4.2 Exclusion Notices should only be used
when the member has IP for an Essential Claim and the member is not willing to license the IP at all, or is willing to license the IP but wants to charge a royalty. The three members who filed Exclusion Notices for Ballot 182 each wanted to grant a RFL and
did not want to charge a royalty. Accordingly, the PAG concluded it was probably appropriate for the three members to withdraw the Exclusion Notices they previously filed.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">The PAG noted that intellectual property rights agreements for SROs are generally intended to work this way – members are encouraged to grant RFLs for their IP, and the assumption is that they will do so in accordance with
the requirements stated for a RFL in the applicable IPR Agreement. The PAG recognized that IPR Agreements such as the Forum’s IPRP allow a RFL to include certain terms of the IP holder’s choosing (see IPRP Sec. 5.1 for examples), but there is generally no
need to reduce a member’s intended RFL to writing at the time the Forum creates a new Final Guideline or Final Maintenance Guideline, and there is not even a need for the member to disclose its IP at that time if the member intends to grant a RFL. Instead,
the member can wait until an issue arises where the exact terms of the RFL that has been granted by the member need to be known (for example, in the event of litigation between two members over some matter), at which time the member holding the IP may reduce
the RFL it has already granted to writing in any form desired, so long as the RFL complies with all the provisions of IPRA Sec. 5.1.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">The PAG also discussed whether there was value at the present time in deciding whether a member who filed an Exclusion Notice should not have done so under IPRA Sec. 4.2 because the member’s “Contribution” prevented the member
from claiming exclusion for its IP. The consensus was that there was no need or value in making that determination at the present time if the member intended to grant a RFL that complies with IPRA Sec. 5.1.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">By March 2017, the three members who had filed Exclusion Notices during the Ballot 182 Review Period all decided to withdraw their Exclusion Notices. See the Withdrawals for their specific terms. The dates of the Withdrawal
of Exclusion Notices are shown below.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Symantec: Date Exclusion Notice filed: 23 December 2016 Date Exclusion Notice withdrawn: 15 March 2017<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<a href="https://www.cabforum.org/wiki/GoDaddy"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">GoDaddy</span></a><span lang="EN" style="color:black">: Date Exclusion Notice filed: 23 December 2016, revised 13 February 2017 Date
Exclusion Notice withdrawn: 21 March 2017<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<a href="https://www.cabforum.org/wiki/GlobalSign"><span lang="EN" style="color:gray;border:none windowtext 1.0pt;padding:0in">GlobalSign</span></a><span lang="EN" style="color:black">: Date Exclusion Notice filed: 16 December 2016, revised 25 January 2017
and 23 February 2017 Date Exclusion Notice withdrawn: 17 March 2017<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Finally, Kirk noted the PAG will be meeting again next week, and summarized the likely PAG conclusion. Based on the narrative above, and because there are no longer any Exclusion Notices pending in connection with the Forum’s
Ballot 182, there is no longer any “conflict” for the PAG to resolve and no other action for the PAG to take. Accordingly, the PAG will likely dissolve without reaching any Conclusion. However, it is likely the PAG will attach the Exclusion Notices and Withdrawals
to a short PAG Conclusion announcing the PAG has dissolved and post these to the Public list and to the Forum public website, along with bundled PAG Minutes covering the discussions. In this way, the public and also other CAs who are not members of the Forum
will have access to the information.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Future of Revocation<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Note Taker: Ben Wilson</span></i><span lang="EN" style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">This was a presentation by Robin Alden of Comodo.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">The presentation is available on </span><a href="https://docs.google.com/presentation/d/1PtO3EyxaRhyA8YJnkcQ2VI4AmUdzphi3iZy3PgxxAUY/edit?usp=sharing"><span lang="EN" style="border:none windowtext 1.0pt;padding:0in">Google
Docs</span></a><span lang="EN" style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Revocation today is generally a binary status – valid or revoked. Revocation policy is set by the CA within the confines of the Baseline Requirements. The information is also published, as required by RFC 5280. However, as
a practical matter, it isn’t binary because it’s not provided within the control of a single party. There are several conditions that are relevant to the final determination of whether a certificate is good or bad. One example is whether
the site is a phishing/malicious site. Other examples are shown on Slide 5: systemic vulnerability (e.g. heartbleed), browser request, site owner/subscriber request, etc.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">A CA may revoke a certificate, yet a browser may choose not to display the updated certificate status. A browser is at the end of this chain, so it may be considered a relying party. Once a CA has revoked a certificate, it has
had its chance to say what it has to say about a certificate. Perhaps there should be a central clearinghouse for this sort of information and mechanisms for publishing this information to relying parties and browsers. A Certificate Status Clearing House could
be established with policies that disclose/require certain response times and other metrics/standards. These would be auditable criteria. Economies of scale would dictate that there aren’t 60 clearing houses. The Certificate Status Clearing House could be
a “split” in the revocation mechanisms and provide non-binary information about certificate status.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Discussion: This could be seen to be similar to certificate transparency in reverse. This discussion helps review the purpose of revocation. Microsoft has a contract with CAs that gives it more leverage to demand revocation.
Google likes OCSP stapling because it allows sites to control how revocation is handled. Revocation is not the same as SmartScreen (Microsoft) or Safe Browsing (Google).<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Robin is interested in identifying mechanisms that push forward this information to relying parties so that they can make choices based on better information. A technological challenge is providing this information in a format
that can be transmitted and processed efficiently. Reason codes might be a mechanism, but they don’t line up with reality. For instance, it may have been issued by mistake, and “cessation of operation” may/may not be the right revocation reason. The CRL reason
code can be changed on a subsequent CRL, but the “hold” reason code isn’t allowed. Better use of reason codes could be an answer, but the reason codes may not be robust enough for the situations presented.<o:p></o:p></span></p>
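<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">The reason-code discussion above refers to the RFC 5280 CRLReason values, the rule that the “hold” reason is not allowed, and the fact that a reason code can be changed on a subsequent CRL. The following Python script is an added example, not code from these minutes or from any CA/Browser Forum project: it decodes the DER-encoded CRLReason extension value, flags certificateHold on constructed sample CRL entries, and reports a reason code that changed between successive CRLs so that a reviewer can see it. The CRL numbers, serial numbers and entries are constructed sample data; treating removeFromCRL as disallowed alongside certificateHold is an assumption made for the example, since it is only meaningful as the release of an earlier hold.</span></p>

```python
"""Decode RFC 5280 CRLReason values and audit revocation reasons across successive CRLs.

Added example: the CRL entries below are constructed sample data, not real CRLs.
"""
from typing import Dict, List, Tuple

# CRLReason enumeration from RFC 5280 section 5.3.1 (value 7 is unused).
CRL_REASONS: Dict[int, str] = {
    0: "unspecified",
    1: "keyCompromise",
    2: "cACompromise",
    3: "affiliationChanged",
    4: "superseded",
    5: "cessationOfOperation",
    6: "certificateHold",
    8: "removeFromCRL",
    9: "privilegeWithdrawn",
    10: "aACompromise",
}

# certificateHold is the "hold" reason the minutes say is not allowed on a CRL entry.
# Treating removeFromCRL the same way is an assumption for this example: it only
# makes sense as the release of an earlier hold.
DISALLOWED_REASONS = {6, 8}

# An entry is (crlNumber, certificate serial, DER-encoded CRLReason extension value).
CrlEntry = Tuple[int, int, bytes]
Finding = Tuple


def encode_crl_reason(code: int) -> bytes:
    """DER-encode a CRLReason: ENUMERATED (tag 0x0A), length 1, one content byte."""
    if code not in CRL_REASONS:
        raise ValueError(f"unknown CRLReason value {code}")
    return bytes([0x0A, 0x01, code])


def decode_crl_reason(der: bytes) -> int:
    """Decode a DER CRLReason; reject anything that is not a one-byte ENUMERATED."""
    if len(der) != 3 or der[0] != 0x0A or der[1] != 0x01:
        raise ValueError("not a DER-encoded CRLReason")
    code = der[2]
    if code not in CRL_REASONS:
        raise ValueError(f"unknown CRLReason value {code}")
    return code


def audit_crl_entries(entries: List[CrlEntry]) -> List[Finding]:
    """Walk entries in CRL-number order and report:
    ("disallowed", crlNumber, serial, reason) for a forbidden reason code, and
    ("changed", crlNumber, serial, old_reason, new_reason) when a later CRL gives
    a different reason for the same serial (permitted, but worth a reviewer's look)."""
    findings: List[Finding] = []
    last_reason: Dict[int, int] = {}
    # sorted() is stable, so entries within one CRL keep their listed order.
    for crl_number, serial, der in sorted(entries, key=lambda e: e[0]):
        code = decode_crl_reason(der)
        name = CRL_REASONS[code]
        if code in DISALLOWED_REASONS:
            findings.append(("disallowed", crl_number, serial, name))
        previous = last_reason.get(serial)
        if previous is not None and previous != code:
            findings.append(("changed", crl_number, serial, CRL_REASONS[previous], name))
        last_reason[serial] = code
    return findings


# Constructed sample: three successive CRLs (numbers 10, 11, 12) from one issuer.
SAMPLE_ENTRIES: List[CrlEntry] = [
    (10, 0x1001, encode_crl_reason(5)),  # cessationOfOperation
    (10, 0x1002, encode_crl_reason(6)),  # certificateHold: not allowed
    (11, 0x1001, encode_crl_reason(1)),  # reason corrected to keyCompromise on the next CRL
    (11, 0x1002, encode_crl_reason(8)),  # removeFromCRL: release of the hold, also flagged
    (11, 0x1003, encode_crl_reason(4)),  # superseded
    (12, 0x1001, encode_crl_reason(1)),  # unchanged
    (12, 0x1003, encode_crl_reason(4)),  # unchanged
]

if __name__ == "__main__":
    for finding in audit_crl_entries(SAMPLE_ENTRIES):
        print(finding)
```

<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Run as a script it prints four findings for the sample data: the hold on serial 0x1002 in CRL 10, the reason change for serial 0x1001 in CRL 11, and the removeFromCRL entry for 0x1002 in CRL 11 (both as a disallowed reason and as a change from the earlier hold). A serial that simply stops appearing, as 0x1002 does in CRL 12, is not a finding, because entries legitimately drop off a CRL once the certificate expires.</span></p>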
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">With reliable, smaller sizes of CRLs they could be hosted on CDNs and could be incorporated into Safe Browsing. Also, the Clearing House model presents a denial-of-service / scalability issue.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Future of Web PKI (Part 2)<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Network Security Document</span></b><span lang="EN" style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Note Taker: Bruce Morton</span></i><span lang="EN" style="color:black"><o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level1 lfo24;background:white">
<span lang="EN">Network security document has issues<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level1 lfo24;background:white">
<span lang="EN">CAB Forum members do not have expertise in this area; as such it was recommended not to fix the Network Security document, but to replace it<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level1 lfo24;background:white">
<span lang="EN">One suggested replacement document was “The CIS Critical Security Controls for Effective Cyber Defense”. The focus of this document was on the 20 principles and their descriptions, but not the control descriptions.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level1 lfo24;background:white">
<span lang="EN">Other documents in this area should be researched and recommended as options<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level1 lfo24;background:white">
<span lang="EN">A working group would be created to address fixing or replacing the Network Security document<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Future of Web PKI (Part 3)<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">No Minutes<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<b><span lang="EN" style="color:black">Discuss F2F Meeting 41 in Berlin, Germany and future meeting volunteers<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<i><span lang="EN" style="color:black">Note Taker: Dean Coclin</span></i><span lang="EN" style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span lang="EN" style="color:black">Outlined plan for future meetings. Arno noted that he will post plans for the Berlin meeting with hotel recommendations to the wiki. Li-Chun will also post info for the Fall meeting in Taipei. Amazon volunteered to host a 2018 meeting.
Dean will coordinate schedules for 2018 and report on a future call.<o:p></o:p></span></p>
</div>
</body>
</html>