<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:新細明體;
panose-1:2 2 5 0 0 0 0 0 0 0;}
@font-face
{font-family:新細明體;
panose-1:2 2 5 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@新細明體";
panose-1:2 2 5 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"新細明體","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"註解方塊文字 字元";
margin:0cm;
margin-bottom:.0001pt;
font-size:9.0pt;
font-family:"Cambria","serif";}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
p.line874, li.line874, div.line874
{mso-style-name:line874;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"新細明體","serif";}
p.line862, li.line862, div.line862
{mso-style-name:line862;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"新細明體","serif";}
span.a
{mso-style-name:"註解方塊文字 字元";
mso-style-priority:99;
mso-style-link:註解方塊文字;
font-family:"Cambria","serif";}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=ZH-TW link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=NO-BOK style='color:#1F497D'>Chunghwa Telecom Co., Ltd. votes “Yes” on ballot 210<o:p></o:p></span></p><div><p class=MsoNormal><span lang=NO-BOK style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=NO-BOK style='color:#1F497D'>Sincerely Yours,<o:p></o:p></span></p><p class=MsoNormal><span lang=NO-BOK style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=NO-BOK style='color:#1F497D'> Li-Chun Chen<o:p></o:p></span></p><p class=MsoNormal><span lang=NO-BOK style='color:#1F497D'> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal><span lang=EN-US>On 28 Aug 2017, at 16:42, Kirk Hall via Public <<a href="mailto:public@cabforum.org">public@cabforum.org</a>> wrote:<o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Voting on Ballot 210: NetSec Changes ends Thurs, Aug. 31 at 22:00 UTC – please vote now</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><div><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>From:</span></b><span class=apple-converted-space><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span></span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Public [<a href="mailto:public-bounces@cabforum.org"><span style='color:#954F72'>mailto:public-bounces@cabforum.org</span></a>]<span class=apple-converted-space> </span><b>On Behalf Of<span class=apple-converted-space> </span></b>Ben Wilson via Public<br><b>Sent:</b><span class=apple-converted-space> </span>Saturday, August 12, 2017 8:30 PM<br><b>To:</b><span class=apple-converted-space> </span>CABFPub <<a href="mailto:public@cabforum.org"><span style='color:#954F72'>public@cabforum.org</span></a>><br><b>Subject:</b><span class=apple-converted-space> </span>[EXTERNAL][cabfpub] Ballot 210: Misc. Changes to the Network and Certificate System Security Requirements<o:p></o:p></span></p></div></div></div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p></div><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>The discussion period for this ballot is 12 days to give everyone ample time to review it. Voting will start at 2200 UTC on Thursday, August 24, 2017.<o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>The Network Security Working Group recommends that the Forum make the following minor revisions to the Network and Certificate System Security Requirements. (Other changes are being considered by the Working Group and will be presented in due course.)<o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>The following ballot is proposed by Dimitris Zacharopoulos of HARICA and endorsed by Ben Wilson of DigiCert and Neil Dunbar of TrustCor.<o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>--Motion Begins--<span class=apple-converted-space> </span><o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>In the Network and Certificate System Security Requirements:<span class=apple-converted-space> </span><o:p></o:p></span></p><p class=line862><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>ADD ETSI EN 319 411-1 to first sentence of the Scope and Applicability section so that it reads "These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities (CAs) and are adopted with the intent that all such CAs and Delegated Third Parties be audited for conformity with these Requirements as soon as they have been incorporated as mandatory requirements (if not already mandatory requirements) in the root embedding program for any major Internet browsing client and that they be incorporated into the WebTrust Service Principles and Criteria for Certification Authorities, ETSI TS 101 456, ETSI TS 102 042 and ETSI EN 319 411-1 including revisions and implementations thereof, including any audit scheme that purports to determine conformity therewith."<span class=apple-converted-space> </span><o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>REPLACE section 1.a. with "a. Segment Certificate Systems into networks based on their functional or logical relationship, for example separate physical networks or VLANs;"<o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>REPLACE section 1.b. with "b. Apply equivalent security controls to all systems co-located in the same network with a Certificate System;"<o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>REPLACE "90 days" with "three (3) months" in section 2.g.ii. and 2.j so that they read "ii. For accounts that are accessible from outside a Secure Zone or High Security Zone, require that passwords have at least eight (8) characters, be changed at least every three (3) months, use a combination of at least numeric and alphabetic characters, that are not a dictionary word or on a list of previously disclosed human-generated passwords, and not be one of the user's previous four (4) passwords; and implement account lockout for failed access attempts in accordance with subsection k; OR"<span class=apple-converted-space> </span><o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>AND<span class=apple-converted-space> </span><o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>"j. Review all system accounts at least every three (3) months and deactivate any accounts that are no longer necessary for operations;"<o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>REPLACE section 2.m. with "m. Enforce multi-factor OR multi-party authentication for administrator access to Issuing Systems and Certificate Management Systems;"<o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>REPLACE section 2.o. with "o. Restrict remote administration or access to an Issuing System, Certificate Management System, or Security Support System except when: (i) the remote connection originates from a device owned or controlled by the CA or Delegated Third Party, (ii) the remote connection is through a temporary, non-persistent encrypted channel that is supported by multi-factor authentication, and (iii) the remote connection is made to a designated intermediary device (a) located within the CA’s network, (b) secured in accordance with these Requirements, and (c) that mediates the remote connection to the Issuing System."<o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>REPLACE "every 30 days and" with "once a month to" in section 3.e. so that it reads "e. Conduct a human review of application and system logs at least once a month to validate the integrity of logging processes and ensure that monitoring, logging, alerting, and log-integrity-verification functions are operating properly (the CA or Delegated Third Party MAY use an in-house or third-party audit log reduction and analysis tool); and"<o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>REPLACE 4.a. with "a. Implement intrusion detection and prevention controls under the control of CA or Delegated Third Party Trusted Roles to protect Certificate Systems against common network and system threats;"<o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>REPLACE 4.C. with "c. Undergo or perform a Vulnerability Scan (i) within one (1) week of receiving a request from the CA/Browser Forum, (ii) after any system or network changes that the CA determines are significant, and (iii) at least every three (3) months, on public and private IP addresses identified by the CA or Delegated Third Party as the CA’s or Delegated Third Party’s Certificate Systems;"<o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>REPLACE the definition of Security Support System in the Definitions with "Security Support System: A system used to provide security support functions, which MAY include authentication, network boundary control, audit logging, audit log reduction and analysis, vulnerability scanning, and intrusion detection (Host-based intrusion detection, Network-based intrusion detection)."<o:p></o:p></span></p><p class=line862><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Make other editorial changes as indicated at<span class=apple-converted-space> </span><a href="https://github.com/cabforum/documents/pull/64/files"><span style='color:#954F72'>https://github.com/cabforum/documents/pull/64/files</span></a><span class=apple-converted-space> </span>and in the attached PDF.<span class=apple-converted-space> </span><o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>--Motion Ends—<o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>The procedure for approval of this Final Maintenance Guideline ballot is as follows:<o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>BALLOT 210 - Final Maintenance Guideline<span class=apple-converted-space> </span><o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Relevant Start times and End Times are 22:00 UTC<o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Discussion (7 to 14 days) Start: August 17, 2017 End: August 24, 2017<o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Vote for approval (7 days) Start: August 24, 2017 End: August 31, 2017<o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>If a vote of the Forum approves this ballot, the Chair will initiate a 30-day IPR Review Period by sending out an IPR Review Notice.<o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>After 30 days of announcing the IPR Review period by the Chair:<o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>(a) If Exclusion Notice(s) are filed, this ballot approval is rescinded and a PAG will be created; or (b) If no Exclusion Notices are filed, this ballot becomes effective at end of the IPR Review Period.<o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>From Bylaw 2.3: If the Draft Guideline Ballot is proposing a Final Maintenance Guideline, such ballot will include a redline or comparison showing the set of changes from the Final Guideline section(s) intended to become a Final Maintenance Guideline, and need not include a copy of the full set of guidelines. Such redline or comparison shall be made against the Final Guideline section(s) as they exist at the time a ballot is proposed, and need not take into consideration other ballots that may be proposed subsequently, except as provided in Bylaw Section 2.3(j).<o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Votes must be cast by posting an on-list reply to this thread on the Public list. A vote in favor of the motion must indicate a clear 'yes' in the response. A vote against must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here:<span class=apple-converted-space> </span><a href="https://cabforum.org/members/"><span style='color:#954F72'>https://cabforum.org/members/</span></a><o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor. Quorum is half of the number of currently active Members, which is the average number of Member organizations that have participated in the previous three Forum-wide meetings (both teleconferences and face-to-face meetings). Under Bylaw 2.2(g), at least the required quorum number must participate in the ballot for the ballot to be valid, either by voting in favor, voting against, or abstaining.<o:p></o:p></span></p><p class=line874><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><CABForum_Network_Security_Controls_Ballot_Draft_1.pdf></span><span lang=EN-US style='font-size:9.0pt;font-family:"Helvetica","sans-serif"'>_______________________________________________<br>Public mailing list<br></span><span lang=EN-US><a href="mailto:Public@cabforum.org"><span style='font-size:9.0pt;font-family:"Helvetica","sans-serif";color:#954F72'>Public@cabforum.org</span></a></span><span lang=EN-US style='font-size:9.0pt;font-family:"Helvetica","sans-serif"'><br></span><span lang=EN-US><a href="https://cabforum.org/mailman/listinfo/public"><span style='font-size:9.0pt;font-family:"Helvetica","sans-serif";color:#954F72'>https://cabforum.org/mailman/listinfo/public</span></a><o:p></o:p></span></p></div></blockquote></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p></div></div></body></html><br><html><div><div>本信件可能包含中華電信股份有限公司機密資訊,非指定之收件者,請勿蒐集、處理或利用本信件內容,並請銷毀此信件. 如為指定收件者,應確實保護郵件中本公司之營業機密及個人資料,不得任意傳佈或揭露,並應自行確認本郵件之附檔與超連結之安全性,以共同善盡資訊安全與個資保護責任. </div><div>Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.</div></div><div><br></div><div><br></div></html>