<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:0in;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:7603585;
mso-list-template-ids:-1467721604;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1
{mso-list-id:14623453;
mso-list-template-ids:1388459930;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2
{mso-list-id:70591286;
mso-list-template-ids:565088662;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3
{mso-list-id:163857972;
mso-list-template-ids:424157208;}
@list l3:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4
{mso-list-id:360130986;
mso-list-template-ids:441120018;}
@list l4:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l4:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5
{mso-list-id:456604395;
mso-list-template-ids:343593884;}
@list l5:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l5:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l5:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6
{mso-list-id:600376705;
mso-list-template-ids:-1483455204;}
@list l6:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l6:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l6:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7
{mso-list-id:676226333;
mso-list-template-ids:-1688036840;}
@list l7:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l7:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l7:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l8
{mso-list-id:707216564;
mso-list-template-ids:-512978432;}
@list l8:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l8:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l8:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l8:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l8:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l8:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l8:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l8:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l8:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l9
{mso-list-id:758015894;
mso-list-template-ids:-1978502034;}
@list l9:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l9:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l9:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l9:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l9:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l9:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l9:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l9:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l9:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10
{mso-list-id:776948387;
mso-list-template-ids:247243696;}
@list l10:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l10:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l10:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l11
{mso-list-id:819618292;
mso-list-template-ids:239769894;}
@list l11:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l11:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l11:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l11:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l11:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l11:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l11:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l11:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l11:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l12
{mso-list-id:850680637;
mso-list-template-ids:-700300436;}
@list l12:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l12:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l12:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l12:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l12:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l12:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l12:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l12:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l12:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l13
{mso-list-id:876165840;
mso-list-template-ids:-568021314;}
@list l13:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l13:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l13:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l13:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l13:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l13:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l13:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l13:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l13:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l14
{mso-list-id:1005716561;
mso-list-template-ids:-1578719546;}
@list l14:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l14:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l14:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l14:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l14:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l14:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l14:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l14:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l14:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l15
{mso-list-id:1083264411;
mso-list-template-ids:-338377192;}
@list l15:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l15:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l15:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l15:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l15:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l15:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l15:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l15:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l15:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l16
{mso-list-id:1106846550;
mso-list-template-ids:-1109646822;}
@list l16:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l16:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l16:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l16:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l16:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l16:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l16:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l16:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l16:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l17
{mso-list-id:1120733138;
mso-list-template-ids:1645638584;}
@list l17:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l17:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l17:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l17:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l17:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l17:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l17:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l17:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l17:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l18
{mso-list-id:1142767155;
mso-list-template-ids:-729129178;}
@list l18:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l18:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l18:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l18:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l18:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l18:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l18:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l18:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l18:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l19
{mso-list-id:1155607490;
mso-list-template-ids:-705155494;}
@list l19:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l19:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l19:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l19:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l19:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l19:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l19:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l19:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l19:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l20
{mso-list-id:1259602356;
mso-list-template-ids:-57387268;}
@list l20:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l20:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l20:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l20:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l20:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l20:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l20:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l20:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l20:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l21
{mso-list-id:1619599459;
mso-list-template-ids:1198439768;}
@list l21:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l21:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l21:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l21:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l21:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l21:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l21:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l21:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l21:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l22
{mso-list-id:1645697887;
mso-list-template-ids:1175387782;}
@list l22:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l22:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l22:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l22:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l22:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l22:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l22:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l22:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l22:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l23
{mso-list-id:1655180638;
mso-list-template-ids:-83974276;}
@list l23:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l23:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l23:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l23:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l23:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l23:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l23:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l23:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l23:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l24
{mso-list-id:1665232598;
mso-list-template-ids:-1720037506;}
@list l24:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l24:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l24:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l24:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l24:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l24:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l24:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l24:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l24:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l25
{mso-list-id:1675113050;
mso-list-template-ids:-347559824;}
@list l25:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l25:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l25:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l25:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l25:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l25:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l25:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l25:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l25:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l26
{mso-list-id:1678581806;
mso-list-template-ids:2109475744;}
@list l26:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l26:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l26:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l26:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l26:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l26:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l26:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l26:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l26:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l27
{mso-list-id:1746567165;
mso-list-template-ids:-1067007244;}
@list l27:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l27:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l27:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l27:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l27:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l27:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l27:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l27:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l27:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l28
{mso-list-id:1874612678;
mso-list-template-ids:-668854184;}
@list l28:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l28:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l28:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l28:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l28:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l28:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l28:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l28:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l28:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l29
{mso-list-id:1990673807;
mso-list-template-ids:1998470976;}
@list l29:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l29:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l29:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l29:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l29:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l29:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l29:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l29:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l29:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l30
{mso-list-id:2119713646;
mso-list-template-ids:714010568;}
@list l30:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l30:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l30:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l30:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l30:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l30:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l30:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l30:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l30:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1027" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Face to Face CA/Browser Forum - Meeting 41 – Minutes (approved July 20, 2017)<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Day 1 - Wednesday, 21 June 2017<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Attendees:<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Adriano Santoni (Actalis), Andrew Whalley (Google), Arkadiusz Ławniczak (Certum), Arno Fiedler (D-Trust), Atsushi Inaba (GlobalSign), Ben Wilson (DigiCert), Benjamin Chiang (ChungHwa
Telecom), Bruce Morton (Entrust), Chris Bailey (Entrust), Coenelia Enke (SwissSign), Curt Spann (Apple), Dean Coclin (Symantec), Devon O’Brien (Google), Dimitris Zacharopoulos (Harica), Don Sheehy (WebTrust), Doug Beattie (GlobalSign), Enrico Entschew (D-Trust),
Fotis Loukos (SSL.com), Frank Corday (Trustwave), Franck LeRoy (Certinomis), Geoff Keating, (Apple), Gervase Markham (Mozilla), Iñigo Barreira (StartCom), JP Hamilton (Cisco), Janet Treasure (CPA Canada), Jens Bender (BSI), Jeff Ward (WebTrust), Jos Purvis
(Cisco), Karolina Ruszczyńska (Certum), Kim Nyugen (D-Trust), Kirk Hall (Entrust), Leo Grove (SSL.com), Li-Chun Chen (Chunghwa Telecom - telephone), Mads Henriksveen (Buypass), Marcin Szulga (Certum), Masakazu Asano (GlobalSign), Mike Reilly (Microsoft), Moudrick
Dadashov (SSC), Neil Dunbar (Trustcor), Peter Bowen (Amazon - telephone), Peter Miscovic (Disig - telephone), Phillip Hallam-Baker (Comodo - telephone), Rich Smith (Comodov- telephone), Richard Wang (WoSign), Robin Alden (Comodo), Ryan Hurst (Google), Ryan
Sleevi (Google), Sissel Hoel (Buypass), Steve Medin (Symantec), Tim Shirley (Trustwave), Tobias Zatti (Symantec), Tyler Myers (GoDaddy), Virginia Fournier (Apple - telephone), Wayne Thayer (GoDaddy)<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Official Welcome from Conference Host Kim Nguyen, D-Trust<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Recap of Prelim Matters, Review Agenda and Logistics<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Antitrust Statement & Assign Note Takers<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Misc. Items of Business:<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Opening statement, welcome new members<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Apple Root Program Update<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Note Taker: Bruce Morton<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Apple Revocation<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Apple played a session "Your Apps and Evolving Network Security Standards, Session 701", <a href="https://developer.apple.com/videos/play/wwdc2017/701/"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://developer.apple.com/videos/play/wwdc2017/701/</span></a>.
This session is available to download, but you will need a developer account. The session discussed revocation:<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l13 level1 lfo1;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Apple will currently only check revocation if the server is using OCSP Stapling.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l13 level1 lfo1;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">OCSP has issues as it needs an additional connection and is performed in the clear. There can be a privacy issue where a CA could aggregate data about an end user.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l13 level1 lfo1;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">OCSP Stapling has an advantage as there is no additional network connection and the OCSP status is sent with the SSL handshake.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l13 level1 lfo1;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">OCSP does not protect against malicious servers which could omit the OCSP response.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l13 level1 lfo1;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Apple revocation enhancement will gather data such as the Intermediate CAs from the CT logs.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l13 level1 lfo1;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">For Roots and Intermediate CAs, Apple will gather all revocation information from CRLs and aggregate for their clients. If the CRL response indicates the certificate is revoked, then the client will
check OCSP and status will be based on the OCSP response.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l13 level1 lfo1;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">CRL update will eventually happen on a daily basis.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l13 level1 lfo1;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Lossy compression will be used for large CRLs where it is expected to have false positives (i.e., indicate revoked) at about 2%.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l13 level1 lfo1;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">For many sites, OCSP hits will go to zero, for others it will stay the same.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l13 level1 lfo1;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">What can the CA do to help? 1) Ask customers to OCSP Staple, 2) Update your CRL, 3) Issue full CRL from time-to-time if you are using issuingDistributionPoint, 4) Put certificates in CT or put I
at least certificate in CT that references the CRL.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l13 level1 lfo1;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">If there is an issue contact <a href="mailto:ca-program@group.apple.com"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">ca-program@group.apple.com</span></a> .<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l13 level1 lfo1;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Apple is not putting any new requirements on CAs.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l13 level1 lfo1;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Deployed in an OS release later in 2017.<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Q: The false-positive rate is indicated at 2%. When a false positive is encountered, that means clients will perform an OCSP check to determine if it was a false positive, and only fail
if it receives a revoked response, correct? A: Correct<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Q: Does this mean that there will be a stampede of clients all attempting to connect to an OCSP server when a popular site appears in that false-positive list? A: Because these OCSP servers
already need to handle clients making these requests, it should not produce additional load. Q: But macOS and iOS disable OCSP checking by default, except for EV certificates, right? This would potentially mean OCSP responders for DV/OV sites encounter substantially
more load than today.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Q: When a site is on the false positive list, it potentially means that its users on macOS and iOS will have a slower-than-normal experience. Is there anything the site operator can do? A:
Sites in this situation should implement OCSP stapling. If this is impossible, CAs may consider issuing a new certificate with a different serial number, which probably won’t be a false positive. Occasionally (not every update), the hashes may change, and
then a different set of certificates will cause false positives. This is most likely to happen when the number of revoked certificates changes significantly. If OCSP stapling is impossible for a small number of very popular sites, a CA might consider issuing
those certificates from a different intermediate, which should have very few revoked certificates. Small lists of revoked certificates will be represented directly and will cause no false positives.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Apple Trust Store Update<o:p></o:p></span></b></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l7 level1 lfo2;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Apple is refining the audit requirements; no announcement yet.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l7 level1 lfo2;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">In the future, Apple hopes to provide a machine readable formats for trusted roots.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l7 level1 lfo2;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">With the new revocation system, the browser will make revocation harder to click-through.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l7 level1 lfo2;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">CT log approvals have been updated, but not published yet.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l7 level1 lfo2;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">CT logging continues to be supported for EV.<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Google Root Program Update.<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Speaker: Andrew Whalley Note Taker: Robin Alden<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Introducing<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Introducing Devon O'Brien<br>
He has been with Google for around for 4 weeks!<br>
A fellow security TPM in the chrome team. Will be focusing on PKI, CT, and general chrome stuff. He was formerly with Apple.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Wosign/Startcom<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">As <a href="https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">previously announced</span></a>,
Chrome has been in the process of removing trust from certificates issued by the CA WoSign and its subsidiary StartCom.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">We started the phase out in Chrome 56 by only trusting certificates issued prior to October 21st 2016, and subsequently restricted trust to a set of white-listed host-names based on the
Alexa Top 1M. We have been reducing the size of the whitelist over the course of several Chrome releases.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Beginning with Chrome 61, the whitelist will be removed, resulting in full distrust of the existing WoSign and StartCom root certificates and all certificates they have issued.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Based on the <a href="https://www.chromium.org/developers/calendar"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">Chromium Development Calendar</span></a>, this
change should be visible in the <a href="https://www.chromium.org/getting-involved/dev-channel"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">Chrome Dev channel</span></a> in the coming weeks, the Chrome Beta channel around late July
2017, and will be released to Stable around mid September 2017.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">UI<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">End of April we posted "Next Steps Toward More Connection Security" on the Google Security blog.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Beginning in October 2017, Chrome will show the “Not secure” warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.
Eventually, we plan to show the “Not secure” warning for all HTTP pages.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Superfish<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Superfish is adware that came installed on certain Lenovo laptops sold in 2015. Superfish MITMs all users with the same (now public) private key. All users with the Superfish root installed
are vulnerable to trivial MITM on any HTTPS website. Superfish was discovered and addressed in 2015 with a Microsoft/Lenovo response.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">It turns out that the Superfish software also uses SHA-1 signatures, which Chrome started blocking in M57. When M57 went to stable, users who still had Superfish installed now saw ERR_CERT_WEAK_SIGNATURE_ALGORITHM
certificate errors on every HTTPS website.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">In the future we will detect Superfish is installed and provide much more specific information to allow users to remove it. We would like to do this in more cases - provide users with
more specific actionable feedback.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Chris Bailey: Are you making those a new category of action? Andrew: Yes - specific advice steps<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Speaker: Ryan Sleevi<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">CT<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">We lost one log (<a href="https://www.cabforum.org/wiki/PuChuang"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">PuChuang</span></a>) but gained two new open ones
(<a href="https://www.cabforum.org/wiki/DigiCert"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">DigiCert</span></a>, Symantec), which we’ll be sending an update to the <a href="mailto:ct-policy@chromium.org"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">ct-policy@chromium.org</span></a> list
on shortly. Further, there are two other logs from Comodo who have recently completed their monitoring period and which will also have an update to ct-policy@ with respect to the Chrome versions they will be trusted in.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">TLS<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Work continues with TLS 1.3. We continue to see wide-scale deployment issues due to TLS inspection devices. TLS interception remains a significant problem for deploying Internet-wide
security improvements; if you work for a vendor who provides such products, we’d love to establish a regular dialog with your teams to ensure your products do not hold back Internet security even more.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Microsoft Root Program Update.<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Note Taker: Gerv Markham<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level1 lfo3;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">New Program Manager: Mike Reilly<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level1 lfo3;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Been at MS 7 years, was in banking and the military<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level1 lfo3;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Other team members are:<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level2 lfo3;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Keri Street (Communications/Audit and Key Management)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level2 lfo3;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Gordon Bock (Program Dev and Tools)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level2 lfo3;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Nate Santiago (Internal Crypto Management)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level2 lfo3;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Sophia Wong (Crypto Disclosure and SHA-1 Deprecation)<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;margin-top:6.0pt;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level1 lfo3;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Working on a audit verification capability for the CCADB to remove slow manual processes<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level1 lfo3;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Looks for errors and flags them<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level1 lfo3;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">May 9th 2017: Edge and IE no longer load SHA-1 sites<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level1 lfo3;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Working on warning consumers who download software signed with SHA-1, moving towards full distrust in all contexts<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level1 lfo3;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">August: flight-testing TLS/SSL domain constraints using the Federal PKI<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level1 lfo3;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">October: rolling them out more broadly to all government CAs (normally to ccTLD)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l2 level1 lfo3;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Still TBD: disable trust for new WoSign and StartCom certs (aimed for April 25th but didn't hit it)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level1 lfo3;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Areas of interest:<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level2 lfo3;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">DV, OV and EV<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level2 lfo3;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Common browser UI<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level2 lfo3;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">CT<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level2 lfo3;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">CCADB improvements and partnerships<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level1 lfo3;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Developing a CT support plan right now both for server and client<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l2 level1 lfo3;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Expect more at the next meeting<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Mozilla Root Program Update.<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">1. Policy 2.5 Nearly Shipped<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Mozilla Root Store Policy 2.5 is close to being shipped. At the moment, we are seeking feedback on whether any of the changes requires a phase-in period. Once we have determined that,
we will be publishing the policy, and any changes without a phase-in period will be immediately applicable. So it would be wise for everybody to read the new policy and if there's anything you think might take a few months, do let Mozilla know. Details of
the changes in the policy are documented in the mozilla.dev.security.policy newsgroup. Here are some highlights:<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l26 level1 lfo4;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Certificates with anyEKU have been added to the scope. Firefox doesn't recognise these certs but they are by other users of NSS (1.1)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l26 level1 lfo4;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Accounts which perform "Registration Authority or Delegated Third Party functions" are now also required to have multi-factor auth. (2.1)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l26 level1 lfo4;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">CAs are required to use only the 10 Blessed Methods for domain validation. (2.2) This requirement has already had a deadline set for it in the most recent CA Communication; that deadline is 21st
July 2017.<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l26 level2 lfo4;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Q: If we get ballot 190 passed by that date, will it be updated to align with ballot 190?<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l26 level2 lfo4;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">A: Yes<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l26 level1 lfo4;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">There are further requirements on the information that needs to be contained in publicly-available audit information. E.g. laying out what was covered and what wasn't etc (3.1.3)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l26 level1 lfo4;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">When CAs do their BR-required yearly update of their CPs and CPSes, they MUST indicate this by incrementing the version number and adding a dated changelog entry. (3.3)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l26 level1 lfo4;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">The requirements for what constitutes a TCSC for email have been reformed to actually make some sense - the cert now has to have meaningful technical constraints on rfc822Name. Currently in discussions
about if there will be a phase in period for this. (5.3.1)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l26 level1 lfo4;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">New intermediates must be disclosed in the CCADB within a week. (5.3.2)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l26 level1 lfo4;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Section 7.4 ("Transfers") has been replaced by a new section 8 which requires CAs to notify of various operational changes. This is a merge-in of text equivalent to the existing Root Transfer Policy
which was documented on our wiki. (8)<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">2. Wiki Cleanup<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">The Mozilla Root Program wiki content has been simplified and cleaned up, so it should now be much easier to find what you want. The starting page is now <a href="https://wiki.mozilla.org/CA"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://wiki.mozilla.org/CA</span></a> .<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">3. Security UI<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">We have released new security UI which flags pages with password forms over HTTP as insecure. We’re working on a similar feature to detect and flag credit card forms submitted over HTTP.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">4: Queue for Public Discussion<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Things have hopefully improved in terms of moving the queue for public discussion along.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Firstly, we have added a "BR Self Assessment" step. This is a system where the CA prepares a document to explain how all the BR requirements are fulfilled by their CP and CPS, thereby
lightening the load on our reviewers. All CAs in the inclusion process need to perform the BR Self Assessment before their request may proceed further.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Q: What tools are provided for that?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">A: There's a template on the Mozilla Wiki.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">There will be a discussion about if self assessments are generally a good thing and could be done at other times than just the during the application process.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Aaron Wu (under Kathleen’s guidance) has taken over responsibility for working with CAs on their Information Verification and on verifying the BR Self Assessments. Aaron is working on
these as fast as he can, and will be starting discussions for the CAs for which he has completed verification of their information and BR Self Assessments as soon as he can, but no more than one per week (and only after Kathleen has approved his write-up).<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">5. Revoked Intermediate Certs<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">We've been making steady progress to streamline the process of transferring revocations disclosed to the CCADB into OneCRL, Firefox's revocation list. There are now only a handful of
certs which are listed in crt.sh as disclosed as revoked but not in OneCRL. The process still contains a human-in-the-loop check before certifying the resulting list, so there will be a 2 day lag in normal circumstances. We can still take emergency action
in 0-2 hours if necessary.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">6. CA Communication<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">We sent a major CA Communication in April and a small one in May notifying CAs of CCADB changes in May. From the April communication we learned:<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l6 level1 lfo5;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">It seems like all CAs are on track to implement domain validation via one of the Ten Blessed Methods by July 21st 2017.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l6 level1 lfo5;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">There is a surprising level of support for reducing certificate lifetimes to 13 months, albeit weighted towards smaller CAs. By CA count, it’s about 50:50. This issue continues to be on our radar,
and no CA should be surprised if further proposals on this topic emerge.<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">As a follow-up to the CA Communication we’ve added fields to the CCADB to track a CA’s CAA identifiers and problem reporting mechanisms, and we’ve published a new report which provides
this data. We realise that the canonical source for this will, for the moment, continue to be a CA’s CPS but we hope it’s useful to the community to have this gathered in one place.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">7. SHA-1<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Following on from the question relating to this in the last CA Communication, we are consulting with Microsoft about the possibility of setting a deprecation timeline for SHA-1 in email.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">8. Root Store Community<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">The “Mozilla CA Community” is now the “Common CA Database”, and has its own website at ccadb.org. That should now be where you find both the CCADB Policy, which has moved from Github,
and also instructions for how to use it, which have moved from the Mozilla wiki. Microsoft continues to use the CCADB and we continue to hope that other root store operators will be able to come on board soon. The contact email address for CCADB-related matters
is <a href="mailto:support@ccadb.org"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">support@ccadb.org</span></a> , which reaches all the participating root stores.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">All CAs need to keep their CP/CPS and Audit information for their intermediate certs current. CAs must directly update their CCADB records for their intermediate certs. We will be adding
automation to send email to CAs when their audit statements for their intermediate certs are due.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">9. Annual Updates<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">In addition to any updates as CPs and CPSes change, all CAs in Mozilla's program need to submit an annual update via the CCADB, as documented on ccadb.org. Those updates need to contain
3 things:<o:p></o:p></span></p>
<ol start="1" type="1">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l27 level1 lfo6;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">URLs to updated audit statements;<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l27 level1 lfo6;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">URLs to updated CP/CPS docs;<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l27 level1 lfo6;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">3 Test websites (valid, expired, revoked) for each root certificate that has the TLS/SSL usage (trust bit) enabled.<o:p></o:p></span></li></ol>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Common problems with the test sites that we have seen:<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l24 level1 lfo7;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">sites not accessible outside of the CA’s internal network<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l24 level1 lfo7;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">test site not serving correct intermediate cert chain<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l24 level1 lfo7;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">revoked cert is also expired<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Please visit the test websites using a copy of Firefox on a home computer or similar, and make sure the appropriate error appears, before providing the URLs to the CCADB.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">10. Adding Disclosure-Failed Intermediates to OneCRL<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">As you will all know, since mid-2016 CAs have been required to disclose all their non-constrained SSL intermediates in the CCADB. Compliance with this requirement has been… variable.
Policy 2.5 requires that disclosure occur within one week of certificate creation. We are considering moving to a policy of adding undisclosed certificates we discover which are more than a week past their notBefore dates directly to OneCRL, permanently. In
other words, Firefox would treat them as revoked. We hope this will provide sufficient incentive for disclosure, and for CAs to implement proper tracking of their intermediates (and perhaps even cross-referencing with CCADB data) such that “oversights” no
longer happen. Comments on this proposal are welcomed.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Q: Would the listing be permanent?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">A: Yes<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Q: What about sub-CAs for non-included roots?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">A: No need to disclose for non-included roots, but if they are ever included there will be a period in which they must be disclosed.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Q: What about if a CA does large volume sub-CA creation?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">A: Had not considered that, but there's currently a bulk import to the CCADB and there could be an API in the future.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">11. Disclosure of TCSCs<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">We are considering additionally requiring disclosure of technically constrained intermediates in the CCADB. Such certs need to be disclosed in CT anyway, and it helps us to check that
they are actually technically constrained as they should be. There would be no need for CP/CPS or audit documents. crt.sh finds only 50 certificates across 8 CAs which are TCSCs valid for server authentication, so it currently seems like this won’t be high
impact. Still, feedback on this idea is welcome.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">URLs related to the above:<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l30 level1 lfo8;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Firefox release schedule: <a href="https://wiki.mozilla.org/RapidRelease/Calendar"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://wiki.mozilla.org/RapidRelease/Calendar</span></a><o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l30 level1 lfo8;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Root Store Policy 2.5 draft: <a href="https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md</span></a><o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l30 level1 lfo8;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Root Program Wiki: <a href="https://wiki.mozilla.org/CA"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://wiki.mozilla.org/CA</span></a><o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l30 level1 lfo8;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Queue for Public Discussion: <a href="https://wiki.mozilla.org/CA/Dashboard#Ready_for_Public_Discussion"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://wiki.mozilla.org/CA/Dashboard#Ready_for_Public_Discussion</span></a><o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l30 level1 lfo8;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">April 2017 CA Communication: <a href="https://wiki.mozilla.org/CA:Communications#April_2017"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://wiki.mozilla.org/CA:Communications#April_2017</span></a><o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l30 level1 lfo8;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">CA Operator Information Report: <a href="https://ccadb-public.secure.force.com/mozilla/CAInformationReport"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://ccadb-public.secure.force.com/mozilla/CAInformationReport</span></a><o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l30 level1 lfo8;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">CA Operator Information Report (CSV): <a href="https://ccadb-public.secure.force.com/mozilla/CAInformationReportCSVFormat"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://ccadb-public.secure.force.com/mozilla/CAInformationReportCSVFormat</span></a><o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l30 level1 lfo8;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">CCADB Website and Documentation: <a href="http://ccadb.org/"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">http://ccadb.org/</span></a><o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l30 level1 lfo8;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Technically constrained intermediates: <a href="https://crt.sh/mozilla-disclosures#constrained"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://crt.sh/mozilla-disclosures#constrained</span></a><o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">WebTrust Update<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Note Taker: Kirk<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Jeff Ward and Don Sheehy provided the following report. They introduced their guest Janet Treasure of CPA Canada.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Background<o:p></o:p></span></b></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l8 level1 lfo9;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">As many Forum members know, WebTrust for CAs was based on ISO 21188<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l8 level1 lfo9;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">WebTrust criteria are generally based on frameworks that have been publicly vetted and that are generally available to the public<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l8 level1 lfo9;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">The Task Force does not create technical criteria, only audit criteria based on the technical criteria developed by others<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l8 level1 lfo9;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Have proposed changes for the CABF to consider, ballot, vet and vote<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Current Status<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">There is no update for the following:<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l18 level1 lfo10;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">WebTrust EV<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l18 level1 lfo10;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">WebTrust EV Code signing<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l18 level1 lfo10;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">WebTrust Code signing<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l18 level1 lfo10;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">WebTrust Baseline + Network Security<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">!WebTrust for RA (Registration Authorities)<o:p></o:p></span></b></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l22 level1 lfo11;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">There is a draft version needing CABF comments - available soon (likely July)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l22 level1 lfo11;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">CABF input will clarify our path to completion – some of the critical issues are “how much security is needed”<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">!WebTrust for CAs Version 2.1<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Version 2.1 updates to WebTrust for CAs will include:<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level1 lfo12;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Updated introduction section<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l0 level1 lfo12;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Removed references to WebTrust v1 for Business Practices Disclosures. All CP and CPS documents must now be structured in accordance with RFC 3647 (recommended) or RFC 2527.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level1 lfo12;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Updates to the following criteria:<o:p></o:p></span>
<ul style="margin-top:0in" type="circle">
<li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l0 level2 lfo12;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Criteria 1.1 and 1.2 – removed WebTrust v1 references<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level2 lfo12;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Criteria 2.1 and 2.2 – swapped order to be consistent with 1.1 and 1.2<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level2 lfo12;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Criterion 3.6 – Expanded scope to specifically address hypervisors and network devices<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level2 lfo12;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Criterion 3.7 – Expanded scope to specifically address system patching and change management activities<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level2 lfo12;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Criterion 3.8 – Clarified scope to include requirement for backups of CA information and data to be taken at regular intervals in accordance with the CA’s disclosed practices.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level2 lfo12;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">[New] Criterion 4.5 – Clarified scope to include destruction of any copies of CA keys for any purpose, and added illustrative controls addressing formal key destruction ceremonies.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level2 lfo12;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">[New] Criterion 4.9 – New criterion added to address CA Key Transportation events<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level2 lfo12;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">[New] Criterion 4.10 – New criterion added to address CA Key Migration events<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l0 level2 lfo12;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Criterion 7.1 – Cross certificate requests added<o:p></o:p></span></li></ul>
</li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Audit reporting issues<o:p></o:p></span></b></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l29 level1 lfo13;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Consistency in reporting has been an issue at times<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l29 level1 lfo13;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Types of audit opinions – there are four main types:<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l29 level2 lfo13;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Unqualified/unmodified (clean)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l29 level2 lfo13;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Qualified (except for)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l29 level2 lfo13;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Adverse – the point where there are too many qualifications<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l29 level2 lfo13;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Disclaimer – work is performed but the report states no opinion is being made by the auditor – these are rare<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l29 level1 lfo13;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">As part of reporting templates being developed, the Task Force will provide a sample report that discusses each section of the audit report to provide guidance to the browsers [what they should be
looking for etc.]<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l29 level1 lfo13;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Will try to keep consistency in qualified reports – both US and Canada have options that will try to be limited<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l29 level1 lfo13;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Possible transmittal letter being addressed<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l29 level1 lfo13;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Distribution of qualified reports being considered for alternatives<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Other Updates<o:p></o:p></span></b></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l25 level1 lfo14;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Practitioner Audit Reports – US – have received AICPA comments to release updated reporting under SSAE 18. Some changes will be for modified reports.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l25 level1 lfo14;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Canada and international reports undergoing minor updates to approved versions under CSAE 3000 and CSAE 3001. Task also includes Management Assertions that are given in qualified report scenarios.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l25 level1 lfo14;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Practitioner guidance for auditors under development covering public and private CAs. Draft expected later this year.<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Report Content Additions<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Disclosure of Changes in Scope or Roots with no Activity<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l10 level1 lfo15;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">During the year, various roots may be retired and may not be in use at the end of the reporting period. In addition, certain roots that are included in scope may not have issued any certificates.
This information is important to users of the report and should be included. Reporting When Certain Criteria Not Applicable as Services Not Performed by CA<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l10 level1 lfo15;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">There will be situations where certain <a href="https://www.cabforum.org/wiki/WebTrust"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a> criteria are not applicable
as the CA does not perform the relevant CA service. (e.g. certificate rekey activities). In these scenarios, it is recommended that the auditor note in the audit report that the criteria were not audited.<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">List of Root and Subordinate CAs in Scope<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l4 level1 lfo16;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">All reports issued must list all root and subordinate CAs that were subject to audit. For attestation engagements, this list should match the list provided in management’s assertion.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l4 level1 lfo16;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">The names of the CAs should be presented in a manner consistent with how these names appear in applications that use the CA’s certificate (for example, when viewing the certificate chain in a web
browser). The most common method of identification would be the “Common Name (CN)” field in the “Subject” extension of each CA certificate.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l4 level1 lfo16;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">The list of CAs should be presented in a clear format. It is preferred to list the CAs in a referenced appendix.<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Being discussed:<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l9 level1 lfo17;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">WebTrust for Delegated Third Party Providers (DTP)<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l9 level2 lfo17;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Would include Cloud, OCSP, etc<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l9 level2 lfo17;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Feedback from CABF on integration of WebTrust for Registration Authorities<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l9 level2 lfo17;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Basic guidance developed in past – issues will include extent of testing, report leverage, full SOC 2 vs specific testing<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l9 level1 lfo17;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Criteria for integrity of Certificate Transparency databases (data in CT logs might be used by auditors)<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l9 level2 lfo17;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">How can auditors determine log integrity - two CT logs might have same certificate content but could both be wrong<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l9 level2 lfo17;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Criteria and audit needed for public/user confidence and potential audit reliance<o:p></o:p></span></li></ul>
</li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Some new and old issues<o:p></o:p></span></b></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l5 level1 lfo18;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Issues in Network Security still leading to qualifications in audits – potential modification of the guidelines<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l5 level1 lfo18;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">WebTrust for CA reports – should a more detailed version be created similar to SOC 2 (limited distribution/no seal). Cost and usefulness<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l5 level1 lfo18;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Cloud questions continuing to surface as well as DTP involvement, creating confusion and inconsistency on audit scope<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l5 level1 lfo18;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">The audit standards have changed in US and Canada<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">CPA Canada<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Latest Changes<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l19 level1 lfo19;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">CPA Canada: Gord Beal, Janet Treasure, Kaylynn Pippo, Lori Anastacio, John Tabone, Bryan Walker<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l19 level1 lfo19;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Consultant to CPA Canada - Don Sheehy (Vice –chair)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l19 level1 lfo19;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Task Force Members and Technical Support Volunteers: Jeff Ward (Chair), BDO; Daniel Adam, Deloitte; Chris Czajczyc, Deloitte; Tim Crawford, BDO; Reema Anand, KPMG; Zain Shabbir, KPMG; David Roque,
EY; Donoghue Clarke, EY<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Reporting Structure/Roles<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l14 level1 lfo20;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Gord Beal – <a href="https://www.cabforum.org/wiki/WebTrust"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a> falls into Guidance and Support activities of
CPA Canada<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l14 level1 lfo20;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Janet Treasure – Seal system responsibility / product responsibility<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l14 level1 lfo20;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Bryan Walker –Licensing advisor<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l14 level1 lfo20;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Don Sheehy - Task Force and CABF<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l14 level1 lfo20;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Jeff Ward - Chair of the <a href="https://www.cabforum.org/wiki/WebTrust"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a> Task Force and primary contact<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l14 level1 lfo20;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">All Task Force members provide <a href="https://www.cabforum.org/wiki/WebTrust"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a> services to clients<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l14 level1 lfo20;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Volunteers are supported by additional technical associates and CPA Canada liaison but report to CPA Canada<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">The next day, the Forum discussed the interest of many CAs in moving portions of their certificate systems to the cloud. It is widely believed that this is prohibited by current <a href="https://www.cabforum.org/wiki/WebTrust"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a>requirements,
especially the Network Security audit requirements. Kirk asked Jeff and Don if <a href="https://www.cabforum.org/wiki/WebTrust"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a> could formulate new audit requirements
that could address cloud-based CA systems. There was a lengthy discussion of the challenges involved in auditing activities in a cloud-based environment. In theory, an auditor could apply existing audit requirements to a cloud data center if the data center
allowed it, but that would be difficult. The general conclusion was that the new Network Security Working Group should address some of these issues in any new requirements. Kirk asked whether the new requirements should include special provisions for cloud
environments, but Ryan said no, the requirements should just be stated and left to the CA, auditor, and cloud service provider to figure out how to comply and prove compliance to the auditors.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Guest Speaker<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Dr. Jens Bender, BSI Bundesamt für Sicherheit in der Informations-technik Referat "eID-Technologies and Smart Cards" Topic: "eIDAS -- Current Status"<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">ETSI Update on European Norms for Trust Service Providers by ETSI (Arno Fiedler)<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Note Taker: Connie Enke<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l20 level1 lfo21;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Presentation with the Standardization Framework – Slide 2<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l20 level1 lfo21;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">TSP Standard Overview – Slide 2<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l20 level1 lfo21;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Ongoing Standardization –Slide 3<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l20 level1 lfo21;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Question on requirements for Signing Service – hint from Arno join the ongoing working group<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l20 level1 lfo21;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">EN 39 411-1/2 policy requirement - Slide 5<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l20 level1 lfo21;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">New Service within eIDAS signature Validation based on a new Standard - Slide 6<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l20 level1 lfo21;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">New CN Standards are upcoming for Signing Device - Slide 7<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l20 level1 lfo21;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Also a new introduces I secure delivery Services - Slide 8<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l20 level1 lfo21;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Next new Service – long-term signature preservation - slide 9<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l20 level1 lfo21;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Internationalization Workshop in USA March 2017 – Slide 10<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l20 level1 lfo21;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Workshop with Jipdec – in July 2018 - Slide 11<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l20 level1 lfo21;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Allover Information for actual project please reverse to slide 12 of Arnos presentation<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Presentation of updated ETSI EN 319 411-1<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l16 level1 lfo22;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Question regarding issuing CA last CRL<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l16 level2 lfo22;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Inigo answered it should be covered in the new standard revision<o:p></o:p></span></li></ul>
</li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Presentation Clemens Wanko TüVIT<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Conformance Assessment Body – located in Germany<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Why Europe needs eIDAS – harmonized legally bnding digital communication within the EU legislation, industry and citizens. Qualified Service binding legal value is anticipated / reverse
burden of proof<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Slide2 of Presentation listing of defined Services from 01.July 2017<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">QWACS- European Alternative to register at Browser Rootstores<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">eIDAS and ETSI Assessment Players there is a TSP that is assessed by Assessors they are belonging to an Conformity Assessment Body (CAB) using the defined Assessment Criteria’sThe CAB
is reporting to a supervisory Body (National) the supervisory body puts the certificates the are good to the rusted list.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ryan formulated the following GAP: When a Supervisory Body removing a TSP from the List it is possible that the TSP will be on the List back again on the List with the same keys – that
is a GAP in the law<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">This Problem is related to the validation process<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Dimitris said that the TSL does not "remove" a TSP from the List but merely removes the "granted" status for corresponding CA and Time-Stamping Certificates. If there is a problem with
a TSP, and depending on the problem (for example a Root or CA Key compromise is different than an issue where the Auditor delayed to provide the Conformance Assessment Report in due time), the Supervisory Body will mark this TSP's entries accordingly. In order
for signing actions to be "qualified" (whether in document signing, SSL/TLS authentication, etc), at the time the signing action take place, the CA or Time-stamp Certificate must be in the TSL with status "granted". He presented the following example:<o:p></o:p></span></p>
<ol start="1" type="1">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l23 level1 lfo23;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">A TSP is in the TSL with status "granted" in May 2017<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l23 level1 lfo23;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">The TSP issues a Qualified Certificate for digital signatures in June 2017<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l23 level1 lfo23;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">The Subscriber uses this Certificate and signs a document in June 2017 (signature A)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l23 level1 lfo23;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">The TSP fails to deliver a Conformance Assessment Report (CAR) by July 1st 2017 (as required by the eIDAS regulation) and removes the "granted" status from the TSP on July 10th 2017<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l23 level1 lfo23;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">The Subscriber, using the same Certificate, signs a document July 15 2017, when the TSP does not have the "granted" status (signature </span><span style="color:windowtext"><!--[if gte vml 1]><v:shapetype id="_x0000_t75" coordsize="21600,21600" o:spt="75" o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f" stroked="f">
<v:stroke joinstyle="miter" />
<v:formulas>
<v:f eqn="if lineDrawn pixelLineWidth 0" />
<v:f eqn="sum @0 1 0" />
<v:f eqn="sum 0 0 @1" />
<v:f eqn="prod @2 1 2" />
<v:f eqn="prod @3 21600 pixelWidth" />
<v:f eqn="prod @3 21600 pixelHeight" />
<v:f eqn="sum @0 0 1" />
<v:f eqn="prod @6 1 2" />
<v:f eqn="prod @7 21600 pixelWidth" />
<v:f eqn="sum @8 21600 0" />
<v:f eqn="prod @7 21600 pixelHeight" />
<v:f eqn="sum @10 21600 0" />
</v:formulas>
<v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect" />
<o:lock v:ext="edit" aspectratio="t" />
</v:shapetype><v:shape id="Rectangle_x0020_1" o:spid="_x0000_s1026" type="#_x0000_t75" alt="B)" style='width:12pt;height:12pt;visibility:visible;mso-left-percent:-10001;mso-top-percent:-10001;mso-position-horizontal:absolute;mso-position-horizontal-relative:char;mso-position-vertical:absolute;mso-position-vertical-relative:line;mso-left-percent:-10001;mso-top-percent:-10001'>
<w:wrap type="none"/>
<w:anchorlock/>
</v:shape><![endif]--><![if !vml]><img width="16" height="16" src="cid:image001.png@01D30618.8C9FC8E0" alt="B)" v:shapes="Rectangle_x0020_1"><![endif]></span><span style="font-size:12.0pt;font-family:"Arial",sans-serif"><o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l23 level1 lfo23;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">The TSP submits a "clean" CAR to the Supervisory Body in August 2017 and the Supervisory Body updates the TSL by <b>adding</b> a new entry for the TSP, which marks the new date after which the TSP
has the "granted" status again.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l23 level1 lfo23;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">The Subscriber, using the same Certificate, signs a new document on September 2017, (signature C)<o:p></o:p></span></li></ol>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">The result would be:<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l21 level1 lfo24;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">"Signatures A and C" are Qualified, because the TSP had the "granted" status when the document was signed.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l21 level1 lfo24;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">"Signature B" is not Qualified because the TSP did not have the "granted" status when the document was signed.<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">People can expand from this example for what is expected for QWACs. "Qualified" status for a web site is similar to EV. If the TSP did not have a granted status in the TSL at the time
of the TSL/SSL connection, it would not have "Qualified treatment".<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Summary of Discussion: To provide a most possible Security for clients a List of all issued client certificates should be created – to ensure and overview all existing certificates for
every subject<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">The ETSI standard provides guidance and requirements to report any incident and have plans and procedures available to handle situation like key compromise or misissuance.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Conformity assessment body will accreditate the national accreditation bodies – they will accreditate conformity accreditation bodies<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Note: there may be more conformity assessment bodies – they may be not allowed to conduct ETSI conformance audits<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Please note that the ACAB-C has provided a sample for an attention letter. This letter was before presented in Redmond. If there are any questions or remarks on it post it to the ACAB-C
Forum.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Guest Speaker<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Clemens Wanko from TÜVIT/ACABc – "Update: Addressing Browser Audit Requirements under eIDAS/ETSI"<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Clemens said that there were several discussions with the Browsers that resulted in an audit report template that would meet the Browser's expectations.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Dimitris asked if this template could be posted on the public mailing list.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Governance Working Group Report – Overview of draft Bylaws changes.<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Note Taker: Dean Coclin<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">The group presented a summary of changes to the bylaws with slides prepared by Virginia Fournier. These are attached here. In addition, a markup of the bylaws was presented and comments
were provided by the attendees. They are provided below, by section:<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">5.1 (a): change to 2 weeks following the meeting after the minutes were taken. Ryan was concerned that the minutes might take too long to publish if left as is. In addition, he said the
publication of the minutes allows for transparency and triggers IP obligations.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">VMF: We talked about this in the Governance WG, and we didn’t like the idea of minutes approved by default before the next meeting. In other standards organizations, minutes are approved
at the following meeting - this gives members the opportunity to discuss and correct any issues. The working group will take this under advisement and discuss at its next meeting<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">5.3.1: add Associate Members, provided they sign the IPR policy. A separate discussion took place regarding the status of AMs and their participation in the WGs. Specifically <a href="https://www.cabforum.org/wiki/WebTrust"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a>.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">VMF: Associate Members could participate in WGs if the charter permits that. However, Associate Members are non-voting members of the Forum, so they would not have a vote in WGs either.
Also, Associate Members would have to sign up to the IPR Policy as required by the Bylaws. Perhaps a separate IPR for AMs should be considered.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">5.3.1 (c) should create top level definitions/criteria for communications. Examples are x,y,z<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">VMF: The Governance WG decided that each WG could specify what communication methods works for them in their own charter, rather than having a Forum mandate that everyone needs to use
a Sharepoint site, for example. Some members felt that the bylaws should not be prescriptive, but rather list just high level requirements such as "open, transparent, archivable, etc). The group will re-look at this.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">5.3.2 (b) set some boundaries for length of time of poll<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">VMF: This seems ok. We talked about 1 week (similar to ballot review). The working group will discuss what is reasonable<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">IPR Policy Check definitions of Participants and Members. Participant refers to Members (should refer to AMs as well)<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">VMF: The IPR Policy doesn’t mention “Associate Members” at all. Does anyone remember why that was?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">The draft Bylaw will be sent out to all members, requesting that their legal teams review and provide feedback.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Recap, logistics<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Adjourn for the Day<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Day 2 - Thursday, 22 June 2017<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Recap of Prelim Matters, Review Agenda and Logistics<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Antitrust Statement & Assign Note Takers<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Approve Minutes CABF teleconference June 8, 2017<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Validation Working Group Report.<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Note Taker: Doug Beattie<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Notary ballot 192: Voting has started (and ballot subsequently passed)<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Peter created 4 different branches in github to document the proposed changes for upcoming ballots:<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Add dnQualifier as an allowed attribute for all certificate types (including DV).<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l11 level1 lfo25;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">If <a href="https://www.cabforum.org/wiki/SubjectAltName"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">SubjectAltName</span></a> is critical, then you can have an empty subjectDN
but this will likely not be compatible with PKI clients<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l11 level1 lfo25;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">The DN qualifier is a CA specified value (not subscriber) that will allow the subject DN to not be empty. This will allow the depreciated CN to be phased out.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l11 level1 lfo25;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif"><a href="https://github.com/cabforum/documents/compare/master...pzb:dnqualifier?expand=1"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://github.com/cabforum/documents/compare/master...pzb:dnqualifier?expand=1</span></a><o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Add ASN.1 info on the EV jurisdiction attribute types. There is ambiguity about what the valid values of these fields are and this change re-affirms the common understanding and more
clearly specifies the values<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l28 level1 lfo26;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif"><a href="https://github.com/cabforum/documents/compare/master...pzb:evj-asn?expand=1"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://github.com/cabforum/documents/compare/master...pzb:evj-asn?expand=1</span></a><o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Add language to the EV guidelines to clarify that CAs may limit their aggregate liabilities, These align with the current ENO insurance limits already in the guidelines.<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l12 level1 lfo27;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif"><a href="https://github.com/cabforum/documents/compare/master...pzb:ev-liability?expand=1"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://github.com/cabforum/documents/compare/master...pzb:ev-liability?expand=1</span></a><o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Allow underscores in domain names and clarifies what can go in common names. This builds on Ben Wilson’s draft<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="color:black;margin-top:3.0pt;margin-bottom:3.0pt;line-height:normal;mso-list:l1 level1 lfo28;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif"><a href="https://github.com/cabforum/documents/compare/master...pzb:underscores?expand=1"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://github.com/cabforum/documents/compare/master...pzb:underscores?expand=1</span></a><o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Validation ballot, 190:<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l15 level1 lfo29;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Kirk sent out a recommended ballot recently.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l15 level1 lfo29;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Peter send out a recommendation to split the ballot<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l15 level1 lfo29;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Ryan recommends split: Adopt 11 methods while leaving the re-use discussion to future ballot and work through the question of interpretation of reuse because there is some uncertainty about what
is “data in documents”, for example, is an audit event considered “data in documents” that can be reused?<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l15 level1 lfo29;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Is the statement “I validated this with a random number” the “data”? There may be a need to document more precisely what this is for each method.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l15 level1 lfo29;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Gerv suggests tracking domain validation by method and date so CAs can re-do only those validations if there is an issue with the method in the future.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l15 level1 lfo29;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Kirk recommends moving forward with the latest ballot text while Google and Apple want to postpone until the language on reuse is more clearly specified.<o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Disclosure of SSL Technically-Constrained Sub-CAs in the CCADB.<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Note Taker: Mads Henriksveen<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Gerv: The CCADB has a disclosure scope which currently includes root certificates and unconstrained intermediates used for SSL. Email intermediates or technically constrained intermediates
for SSL do not have to be disclosed. My proposal is to require disclosure of Technically Constrained SSL intermediates in the CCADB to further improve the better transparency for the ecosystem. Are there any difficulties with this proposal?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Robin: Could these be logged in CT-logs instead?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Gerv: Disclosure in CCADB does not need CT.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ben: Mozilla requires that disclosure occur within one week of creation and before use.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Gerv: CCADB is public and this is good for the analysis of the ecocsystem.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ben: Microsoft would like this information as well, but perhaps with a broader perspective.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Dimitris: What about intermediates for Code Signing and S/MIME?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Gerv: Code Signing is out of scope for Mozilla, regarding S/MIME this is not clear (at least not for those only doing that). How SSL tight is the CCADB?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ryan: Microsoft use CCADB for Code Signing etc – it is not that SSL tight.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Gerv: Disclosing S/MIME intermediates is a good idea.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Chris: CCADB has a batch import mechanism that can be used to import several certificates.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Neil: Would it be possible to automate this through APIs and provide documentation on how to do this?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Gerv: I will talk to Kathleen about how hard this will be, i.e. endpoints where you can deliver certificates and add metadata to define the type of certificates.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ryan: Metadata for S/MIME and Technically constrained intermediates, there are not needed audits.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ben: This is not undoable, but it will take some time.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Gerv: Only new ones have to be included. An API will be useful, but in general no objections.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Doug: Since Technically Constrained has not yet required disclosure, this could be a lot of certificates.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Policy Review Working Group Report.<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Note Taker: Neil Dunbar<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Dimitris Zacharopolous (DZ): Policy Working Group review ballot 188. Discussed concerns raised on the mailing list. There emerged three principle conclusions:<o:p></o:p></span></p>
<ol start="1" type="1">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l3 level1 lfo30;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Where we use the new text 'CA Certificate', ensure this implies no policy changes due to the replacements. The goal would be for the new ballot to be policy neutral.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l3 level1 lfo30;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Add term 'CA Operator' where we use the term 'CA', so the term CA Operator or CA Certificate should be present in BRs where applicable (instead of just 'CA').<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l3 level1 lfo30;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">'Externally Operated CA' shall be used in 6.1.1 and Policy Identifiers Section. All others will use Subordinate CA, without the adjective Internal/External, to the extent possible.<o:p></o:p></span></li></ol>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Kirk Hall (KH): Any markup to show for the proposed changes?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">DZ: The group was working from BR 1.4.1, so it should not be difficult to mark up a copy. We will use <a href="https://www.cabforum.org/wiki/GitHub"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">GitHub</span></a> to
demonstrate the proposed changes.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">KH: Have any ambiguities arisen as a result of those changes?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">DZ: We tried to ensure that there were no ambiguities. If any do come up, we will revert the changes so that both CAs and auditors have a clear idea of what each term means.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">KH: Noting that the previous ballot on terminology failed, is the new ballot substantially different?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">DZ: The new ballot will be introduced with knowledge of what caused the previous failure.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ben Wilson (BW): Wasn't there an additional discussion in the WG besides ballot 188?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">DZ: We also talked about future work for the Policy WG. The central idea was to separate policy requirements from practice requirements. In thinking of including S/MIME and Code Signing
working groups, it might make sense to have a common language and practice document which spans certificate types, e.g. a common identity validation definition. So, that different certificate types only need to address type-specific concerns. However, most
certificate types have common policy requirements.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">BW: We also discussed this in the Governance WG. With different models, how do we track CA/B Forum commonality across subordinate groups?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">KH: For a new WG, can we just say validation shall be via BRs, excepting particular steps as needed? But if the base document changes, how does the WG handle this? Is the notion to create
a superior document which can't be overridden by a single WG?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">DZ: Yes. WGs would refer to the specific base document. But focussed primarily on policy rather than practice, i.e., a true Certificate Policy, then a different document would show specific
controls and procedures, somewhat like a practice statement.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">KH: So if Governance WG changes go through, will Policy become a subgroup of the Web Server WG which takes over?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">DZ: Working Group leaders will need to convene to ensure no inter-group conflict.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">KH: Or each WG can do so independently?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Andrew Whalley: Non controversial commonality should be able to be established. Maybe not validation but key storage, or certificate profile, could be defined by a common vocabulary,
which would extend across working groups.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">DZ: Also definitions for terms can be made common.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">KH: Governance WG probably needs to think this through, has it come up so far?<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">BW: It needs to be thought on, but the Governance WG has not yet done so.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">DZ: Hopefully by the time of the next meeting, we should have a replacement ballot for ballot 188 ready.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">KH: I recommend that in the future, the WG pick a given BR version, then drop in changes on a chapter-by-chapter basis, rather than all in one. This avoids the failure of the entire workload.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">DZ: Some of these changes will need to be looked at throughout the whole document, for example, when we introduce definition changes.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Add BR-Required Self-Assessment - CA mapping of their CP/CPS to the BRs.<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Note Taker: Jos Purvis<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Gerv opened discussion: When CP/CPS documents are submitted for approval, Mozilla has to ensure they’re compliant with the Baseline Requirements, which means mapping requirements in BRs
to the CA's CP/CPS documents. This work seems better done by people more familiar with them—i.e., the CAs—and that will reduce the amount of work being done by Mozilla personnel. Mozilla is therefore now requiring a BR self-assessment, and has provided a template
document for this. Kathleen at Mozilla has suggested that this template might be better owned by the CA/B Forum for the use of all the root programs, and potentially be made a part of the BRs as a periodic requirement on CAs.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ryan raised a clarification that the current Mozilla document does not list the BRs: instead, it takes the structure of the BRs and asks CAs to provide references to where in their CP/CPS
documents these requirements are placed. This allows CAs to map between RFC3647 structure and their own CPS, where there are differing placements of sections. Today's Mozilla form, then, is just a means to map the bits of 3647 to the CA's own CP document.
*This is still useful*, he said, particularly when discussing 3647 mapping into other languages, but it's not quite what Gerv initially described. He indicated that what Gerv is describing is closer to what ETSI has done with their standards: mapping them
to other standards and listing out specific requirements to make life easier for ETSI auditors (cf. ETSI "assessor's guidance document").<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Bruce said that since the BRs are 3647-structured and there's a forthcoming ballot requiring CP/CPSes to map to 3647, the sort of mapping Ryan is talking about (that the Mozilla document
currently does) wouldn't be very useful because everything will already be where it's expected to be.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Gerv asked about the status of the ballot on mapping to 3647; Ryan responded that it's on Github, just awaiting co-sponsors. Ryan wondered whether that ballot might need changes in light
of this discussion, and whether it might want to add normative requirements with the assignment of tags for auditors around requirements (e.g. "DV-REQ-01" for the first domain validation requirement).<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ben pointed out that CAs often do these mapping exercises to other requirements documents like the BRs for participation in other PKIs like the Federal Bridge, and that this seemed similar
to what Gerv was originally describing. He felt it could be very useful for other purposes outside of the BRs.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Gerv said it seemed to him that passing a ballot to require 3647 compliance would meet a lot of what Kathleen was trying to achieve. He wondered if he needed to go back and meet with
her to understand how much that would do for her and whether there was more to it.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ryan pointed out that it's a tremendous effort for the root stores to do CP/CPS review, and that CAs may still place representations of requirements in different sections. He pointed
to the certificate profile or validation practices as ones that could reasonably be inserted in at least two different places in a CP/CPS document depending on interpretation. 3647, he said, has some general statements about what goes where, but in today's
world it's still pretty spread out and that while compliance to 3647 helps, it may still allow things to go in other places. He felt this templating/mapping work would therefore still be useful.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Gerv wondered whether it would be useful to insert hints in the BRs to indicate which section of a CP/CPS document is best to put information about compliance to each requirement.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ryan said that, looking at the recent OCSP ballot, some CAs put information about CRL/OCSP into section 7.2, others in section 4.6. ETSI documents tend to more rigorously mandate the
structure and content of the resulting document (e.g. "section 7.6 shall be a table describing..."). He felt that more rigorous approach might be more useful with the BRs—more of a "fill in the blank" approach.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Neil pointed out that it's not a simple mapping. CAs have to put in explanatory text indicating how you arrived at that mapping. Sometimes the placement of a section may be very obvious,
but other times (he cited domain validation) they may be all over the map. In addition, he pointed out, some sections in the BRs have no text at all.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ryan said CAs have asked Google, "What do you want in this section?" He said Google is looking for, "You said you validate these things: how do you validate them? Which methods do you
use?" 3647 would get to the substance of what's needed, but it's still not sufficient. The only issue with being too prescriptive about structure is that it may cause conflicts for participation in multiple PKIs like the Federal Bridge whose requirements for
mapping might conflict with the BRs.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Network Security Working Group – Initial Discussions.<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Note Taker: Dean Coclin<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ballot 203 has passed which forms the Network Security Working Group.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">During the working group meeting on Tuesday, the following raised their hands as interested participants: Ben Wilson, Dimitris Zacharopoulos, Jos Purvis, Mike Reilly, Ryan Hurst, Doug
Beattie, Steve Medin, Dean Coclin, Don Sheehy, Moudrick Dadashov, Robin Alden, Neil Dunbar, Wayne Thayer, Tim Shirley, Bruce Morton, Gerv Markham (volunteering Tom Ritter of Mozilla), Janet Treasure, Dean Coclin<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">The Forum Chair will send out a formal notice of invitation to members and interested parties to join the working group.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">During the working group meeting, Dean nominated Gerv (or representative of Mozilla) as WG Chair. Ben said we should wait till the formal notice goes out. Ryan Hurst volunteered to be
interim chair<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Wayne will setup the WG mail list.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">A regular meeting will be scheduled on the alternate weeks of the regular CABF meetings, same time.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">On Tuesday's meeting we discussed the following:<o:p></o:p></span></p>
<ol start="1" type="1">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l17 level1 lfo31;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Partially reviewed Ben’s spreadsheet of issues<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l17 level1 lfo31;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">The current regulations do not accommodate CAs in cloud environments<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l17 level1 lfo31;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Don Sheehy suggests a “risk based” approach, rather than a “controls based” approach<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l17 level1 lfo31;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Ryan H suggests we don’t have the right people in the room to create/modify this document<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;mso-list:l17 level1 lfo31;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif">Root programs don’t universally agree on the current requirements in the Net Sec document<o:p></o:p></span></li></ol>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">It was hoped that a general call for participants will result in interested parties with general knowledge of this area and/or professionals from the participating CAs<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">It was suggested that the group focus on CA "pain points" as a first step, specifically areas such as offline root management, prescriptive days, and AV requirements for read only media.
Perhaps the group can do a quick pass to fix things that are major issues.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Review of pending ballots.<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ballot 184 - RFC 822 Names and otherNames, SRV names (Jeremy)<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ben Wilson: Peter Bowen is working on the ballot on <a href="https://www.cabforum.org/wiki/GitHub"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">GitHub</span></a><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ballot 186 – Limiting reuse of validation information (Ryan)<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ryan: Update depends on ballot 190 progress, based on technical risk and suitability of validation method for long-term use.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ballot 190 – BR 3.2.2.4 Validation Methods (Kirk)<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Already dealt with.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ballot 192 - Notary Clarification (Jeremy)<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">No comments.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ballot 202 – Underscore Characters in SANs (Ben)<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ben Wilson: Have final language, Need endorsers.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">RAs and Delegated Third Parties (Gerv)<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Gerv: Looking for endorsers. It's possible the existing state might be needed by certain CAs who are having problems and might need delegation.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Gerv: The problem here is that it's difficult to ensure that audit qualifications of DTPs are reflected in the audit of the parent CA<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ryan: Translation services and such will be covered in the audit of the parent CA under this proposal.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Doug Beattie: If you delegate to someone who is <a href="https://www.cabforum.org/wiki/WebTrust"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a> audited,
would that not be covered? Gerv: No. Ryan: You already have to be doing that [having an audit of the DTP] before the ballot. The problem this tries to solve is of audit qualifications and remediations of DTPs not being visible. Gerv: It might be possible to
fix the problem other ways, but since no-one was actually using full DTPs it seemed easier to just ban the practice. Ryan: This is a similar problem to the SOC.2 application to service providers and other work, so maybe if that gets solved we can bring this
back.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Doug: What if we made an exception just for people in one or more root programs? Gerv: Is this for a contract you might be signing with another root program? If that relationship looks
like this, you have done something wrong. In such a case all the issuance of certificates should be done by the partner, so the domain validation will not be done by a different person than is issuing the certificates. Doug: That's not the way I read it, so...
Ryan: The proposal for this specific case has said there will be no DTPs involved, it is a specific bullet point. ... If you have an audit, and another root CA has an audit, you might be using systems from the other root CA which aren't covered by their audit,
leaving a gap.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Arno: Explained how his system works. They successfully guarantee that the topmost audit's requirements are covered. Gerv: The problem is not that auditors don't know how to audit correctly,
it's one of pass-through between the audits.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Kirk: If I have a translator in Ecuador, and they make a phone call for me, I think that's a DTP. Ryan: Yes, although these are corporate identity checks not domain validation. Kirk:
I was discussing practices at Trend Micro, not Entrust, but this is something we did. I'm concerned the exact wording of the ballot might prohibit this. Ryan: This just means the translator will be in scope of your audit. Geoff: But today, the translator doesn't
have his own little <a href="https://www.cabforum.org/wiki/WebTrust"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a> audit, correct? Kirk: No... Gerv: It's true that the section on DTPs doesn't say that agents covered
by your own <a href="https://www.cabforum.org/wiki/WebTrust"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a> audit are not DTPs.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Kirk: For example, the requirements only say that your employees need to have background checks, not your agents. Ryan: There are some giant loopholes as applied in practice.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Expected ASN.1 grammar for BR & EV certificates (Peter)<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">We went over that already.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Bylaws change – Membership requirements (Gerv)<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Gerv: Now has a second endorser so it'll be brought to the list shortly.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Bylaw change - Voting rules (Jos)<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Jos: Did I propose that? Uh, in that case, this is a great idea! We've had a number of recent problems with the balloting process, and there's a real problem with 'so what now' when a
problem occurs. There might be some quick fixes we want to think about. Email is not a good system, except for all the others available to us... We might make organizations specify who can submit a vote. Maybe some strictures about what happens if there is
a debate about the validity of a vote. The rest we can safely punt to the governance working group.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ben: Also, something about which version of the ballot text takes precedence. Jos: I'm happy to discuss it, or just toss out a version on the mailing list.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Requiring RFC 3647 format (Ryan)<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ryan: Proposed effective date 1 Feb 2018. Hopefully vague enough to allow the flexibility we discussed while still having an effect. Intentionally loop-holey to get the rough idea. Two
endorsers found in meeting.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Profiling OCSP & CRLs (Ryan)<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ryan: Will send to management list. Concerns around issuance of CRLs and frequency of that, offline CAs vs. how quickly you can revoke an intermediate. One recent intermediate revocation
took multiple days to propagate from a CA's issuance of CRL through their CDN. The OCSP side is mostly there except for subordinate CAs and multiple OCSP responder certificates. Some CAs give their OCSP certificates to other entities, under a 'creative' interpretation
[of the BRs].<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ryan: We know there are ~50 CAs which sign OCSP online because they'll sign a nonce. It's basically the same as online certificate issuance, it needs to be robust, but we haven't provided
any guidance.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ryan: We've heard from some CAs that the restriction on delegated CA responders will be a problem. We'll listen and adjust accordingly.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Change in liability for EV certificates (Peter)<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Nothing to add.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Any other ballots?<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">None!<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Information about next F2F Meeting 42 in Taipei, October 3-5, 2017<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Membership Requirements for Browsers<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Note Taker: J.P. Hamilton<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Mozilla proposed changing the CABF Bylaws language to allow non-browser Root Stores like Cisco to join as a Browser member.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Gerv read the current Bylaw for Browser membership requirements. Discussion then turned to allowing Cisco to join, but also ensuring that the language doesn’t allow just any product with
a simple root store to join as a browser member of the Forum<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Dean asked if Cisco was formally asking to join Forum as a Browser. Cisco confirmed its interest in joining as a browser member and its willingness to wait until new working group bylaws
for the new Web Server Working Group are drafted, if necessary.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ryan brought up previous discussions on a similar issue years ago with Ballot 28. Gerv suggested Cisco could join under current rules.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">There was a discussion of the uses of the Cisco root store and program versus that of the uses of the roots stores of current browser members, and whether the relationship between CAs
and Cisco was similar to the relationship between CAs and the current browser members.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Gerv stated that Cisco is running a set of Root stores where it is making independent decisions on root store inclusion, similar to current browser members. Ryan brought up previous ballot
28 again as an example of difficulty in deciding the scope of browser membership and concerns that were previously brought up about overly broad criteria for browser members.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ryan and Gerv discussed the options for Cisco’s membership as a browser under the current Bylaws language. Ryan also brought up previous discussions about browser membership criteria
with Oracle and Adobe.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ryan then suggested that Cisco may already meet the browser membership requirements in the Bylaws due to its multiple products using its root store. He also asked that we update the membership
language in the future.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Ryan and Gerv then suggested that Cisco reapply as a Browser member and include information showing it meets all current membership criteria for a browser members. Under the Bylaws, the
application will then be submitted to Forum members for approval by consensus, subject to the ability of any member to ask for a formal ballot on membership. Gerv then asked any member who thought Cisco did not qualify as a browser member under the current
Bylaws to express any concerns about this privately to him or to Cisco.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Review accomplishments / list of tasks, thank you to hosts<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white">
<b><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Adjourn<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:12.0pt;line-height:106%;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>