<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
h1
{mso-style-priority:9;
mso-style-link:"Heading 1 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:24.0pt;
font-family:"Times New Roman",serif;}
h2
{mso-style-priority:9;
mso-style-link:"Heading 2 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:18.0pt;
font-family:"Times New Roman",serif;}
h3
{mso-style-priority:9;
mso-style-link:"Heading 3 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:13.5pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.Heading1Char
{mso-style-name:"Heading 1 Char";
mso-style-priority:9;
mso-style-link:"Heading 1";
font-family:"Times New Roman",serif;
font-weight:bold;}
span.Heading2Char
{mso-style-name:"Heading 2 Char";
mso-style-priority:9;
mso-style-link:"Heading 2";
font-family:"Times New Roman",serif;
font-weight:bold;}
span.Heading3Char
{mso-style-name:"Heading 3 Char";
mso-style-priority:9;
mso-style-link:"Heading 3";
font-family:"Times New Roman",serif;
font-weight:bold;}
p.line867, li.line867, div.line867
{mso-style-name:line867;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.anchor
{mso-style-name:anchor;}
p.line862, li.line862, div.line862
{mso-style-name:line862;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.line874, li.line874, div.line874
{mso-style-name:line874;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.line891, li.line891, div.line891
{mso-style-name:line891;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:73554978;
mso-list-template-ids:-1402049482;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1
{mso-list-id:245069254;
mso-list-template-ids:183555690;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2
{mso-list-id:254673347;
mso-list-template-ids:-1981905932;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3
{mso-list-id:318927114;
mso-list-template-ids:-636565702;}
@list l3:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l3:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4
{mso-list-id:500586591;
mso-list-template-ids:-481382552;}
@list l4:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5
{mso-list-id:546139494;
mso-list-template-ids:-2129513432;}
@list l5:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l5:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l5:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6
{mso-list-id:686637036;
mso-list-template-ids:308211168;}
@list l6:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l6:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l6:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7
{mso-list-id:922835387;
mso-list-template-ids:903492612;}
@list l7:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l7:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l7:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l8
{mso-list-id:1014383883;
mso-list-template-ids:-823885038;}
@list l8:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l8:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l8:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l8:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l8:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l8:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l8:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l8:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l8:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l9
{mso-list-id:1017971087;
mso-list-template-ids:-27335586;}
@list l9:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l9:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l9:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l9:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l9:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l9:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l9:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l9:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l9:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10
{mso-list-id:1186334321;
mso-list-template-ids:-1927790162;}
@list l10:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l10:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l10:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l11
{mso-list-id:1331524255;
mso-list-template-ids:1066301272;}
@list l11:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l11:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l11:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l11:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l11:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l11:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l11:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l11:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l11:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l12
{mso-list-id:1333801212;
mso-list-template-ids:-1156915028;}
@list l12:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l12:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l12:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l12:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l12:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l12:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l12:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l12:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l12:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l13
{mso-list-id:1396002745;
mso-list-template-ids:2082490792;}
@list l13:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l13:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l13:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l13:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l13:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l13:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l13:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l13:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l13:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l14
{mso-list-id:1422987708;
mso-list-template-ids:422466142;}
@list l14:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1027" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Here are the final Minutes from the<b> </b><strong><span style="font-family:"Calibri",sans-serif;color:black;background:white;font-weight:normal">CA/Browser Face-to-Face Meeting Minutes, 6-7 June 2018 – London, UK. We will also post the
Minutes with their attachments on the Forum’s website in the next few days. <a href="https://cabforum.org/category/minutes/">
https://cabforum.org/category/minutes/</a> </span></strong><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><strong><span style="font-family:"Arial",sans-serif;color:black;background:white">CA/Browser Face-to-Face Meeting Minutes, 6-7 June 2018 – London, UK</span></strong><o:p></o:p></p>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Attendees:</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"> Robin Alden, Comodo CA; Don Sheehy, WebTrust/CPA Canada; Jeff Ward,
WebTrust/BDO; Gord Beal, CPA Canada; Enrico Entschew, D-TRUST; Arno Fiedler, D-TRUST; Kirk Hall, Entrust Datacard; Bruce Morton, Entrust Datacard; Wayne Thayer, Mozilla; Frank Corday, Trustwave; Neil Dunbar, TrustCor; Mike Reilly, Microsoft; Aleksandra Kapinos,
ADS SA; Barbara Stysiak, ADS SA; Atsushi Inaba, GlobalSign; Cecilia Kam, GlobalSign; Richard Wang, 360 Group; Tim Hollebeek, DigiCert; Phill Hallam-Baker, Comodo Group Inc; Dimitris Zacharopoulos, HARICA; Tim Shirley, Trustwave; Li-Chun Chen, Chunghwa Telecom;
Nick Pope, ETSI ESI Vice Chair; Zhang Yi, CFCA; Bhanu Deoraj, National Center for Digital Certification; Naif Murizeeq S. Al Otaibi, National Center for Digital Certification; J.P. Hamilton, Cisco Systems, Inc; Tony Seymour, Comsign Europe, Comda; Adriano
Santoni, Actalis S.p.A.; Curt Spann, Apple; Devon O'Brien, Google; Ryan Sleevi, Google; Iñigo Barreira, 360; Jiuqiang Cui, SHECA; Xingkun Tang, SHECA; Toria Chen, SHECA; Mads Henriksveen, Buypass; Peter Miskovic, Disig; Wei Yicai, GDCA; Xiu Lei, GDCA; Dai
Yeqi, SHECA; Tadahiko Ito, SECOM; Dean Coclin, DigiCert; Ben Wilson, DigiCert; Franck Leroy, Docapost - Certinomis; Man HO, Certizen Limited (the operator of Hongkong Post Certification Authority); Tyler Myers, Godaddy; Leo Grove, SSL.com; Fotis Loukos, SSL.com;
Trevoli Ponds-White, Amazon Trust Services; Michael Slaughter, Amazon Trust Services; Daymion Reynolds, Go Daddy; Xu Jiang, CTI Certificate Authority; Tony Nagel, QuoVadis; Travis Graham, Go Daddy; Alex Wight, Cisco; Rob Stradling, Comodo CA; Nick France,
Comodo CA; Monika Radziewicz-Lepczynska, TUVIT/ACABc; Christoph Sutter, TUVIT/ACABc; Jeremy Rowley, DigiCert; Robert Duncan, Netcraft; Doug Beattie, GlobalSign; Tony Perez, GoDaddy; Mike Kushner, PrimeKey; Tom Lowenthal, Brave; David Hsiu, KPMG, Taiwan; Moudrick
Dadashov, SSC; Ryan Hurst, Google; Mark Goodwin, Mozilla; Marcelo Silva, Visa; Geoff Keating, Apple; Bailey Basile, Apple.<o:p></o:p></span></p>
<h1 id="Day_1"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Day 1<o:p></o:p></span></h1>
<h2 id="A360_Root_Program_Update"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">360 Root Program Update<o:p></o:p></span></h2>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Presenter</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: Iñigo Barreira <strong><span style="font-family:"Calibri",sans-serif">Minute
Taker</span></strong>: Dean<o:p></o:p></span></p>
<p class="line867"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><a href="https://www.cabforum.org/wiki/Meeting%2044%20Minutes?action=AttachFile&do=view&target=360BrowserUpdatesCABF-F2F-LondonJune18.pptx" title=""><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">360BrowserUpdatesCABF-F2F-LondonJune18.pptx</span></a><o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l8 level1 lfo1">
<span lang="EN">New policy version 1.1. New CA Form to include root CA and subCA end user cert. Working on new version; comments welcome.<o:p></o:p></span></li></ul>
<p class="line862" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l8 level1 lfo1">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Removal of WoSign and Startcom roots from 360 root store - end of March 2018 in v9.1 (current version 9.5)<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l8 level1 lfo1">
<span lang="EN">Show "not secure" when entering http mode<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l8 level1 lfo1">
<span lang="EN">Showing more details for errors when pages are blocked<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l8 level1 lfo1">
<span lang="EN">Root inclusion process: Scheduled to update every quarter. For 2018 will start in first week of October.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l8 level1 lfo1">
<span lang="EN">360 planning 6 month window for CAs to apply, need to be done by September for inclusion in October.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:6.0pt;mso-margin-bottom-alt:auto;mso-list:l8 level1 lfo1">
<span lang="EN">Q: Does this mean that CAs that don't apply, will have their roots removed in October?<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l8 level2 lfo1">
<span lang="EN">A: Probably yes<o:p></o:p></span></li></ul>
</li></ul>
<h2 id="Apple_Root_Program_Update"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Apple Root Program Update<o:p></o:p></span></h2>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Presenter</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: Curt Spann, Bailey Basile <strong><span style="font-family:"Calibri",sans-serif">Minute
Taker</span></strong>: Doug<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Certificate Transparency<o:p></o:p></span></p>
<p class="line862" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l22 level1 lfo2">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">CT Validation will be enforced in late 2018 for certificates issued after October 15, 2018. Details and the list of trusted logs can be found here: <a href="https://support.apple.com/en-us/HT205280"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://support.apple.com/en-us/HT205280</span></a><o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Extended Validation<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l14 level1 lfo3">
<span lang="EN">The "Company Name" has been removed from the Safari UI and this has unified the URL bar across all platforms.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l14 level1 lfo3">
<span lang="EN">Apple said that this change was based on research and customer input. “Org name is not tied to user's intended destination the same way that the domain name is”<o:p></o:p></span></li></ul>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Symantec Distrust<o:p></o:p></span></p>
<p class="line862" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l5 level1 lfo4">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">See this support article: <a href="https://support.apple.com/en-us/HT208860"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://support.apple.com/en-us/HT208860</span></a><o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l5 level1 lfo4">
<span lang="EN">Phase 1 is in beta builds and this will distrust Symantec issued TLS server certificates issued before June 1, 2016 and after December 1, 2017.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l5 level1 lfo4">
<span lang="EN">Phase 2 is coming, but no details were provided. Watch the support article for updates.<o:p></o:p></span></li></ul>
<p class="line862"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">The Apple presentation is located here: <a href="https://www.cabforum.org/wiki/Meeting%2044%20Minutes?action=AttachFile&do=view&target=201806AppleCABF.pdf" title=""><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">201806AppleCABF.pdf</span></a><o:p></o:p></span></p>
<h2 id="Brave_Root_Program_Update"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Brave Root Program Update<o:p></o:p></span></h2>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Presenter</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: Tom Lowenthal <strong><span style="font-family:"Calibri",sans-serif">Minute
Taker</span></strong>: Neil Dunbar<o:p></o:p></span></p>
<p class="line862"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">By way of introduction, Tom explained that Brave is a multiplatform browser, Muon-based (a security-focussed fork of Electron on <a href="https://www.cabforum.org/wiki/GitHub"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">GitHub</span></a>),
eventually switching to a Chromium fork. It is user-experience focussed, with a special interest in privacy, for instance, by-default disabling of tracking methods. On Android, Brave uses a Chrome base.<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l6 level1 lfo5">
<span lang="EN">There is as yet no independent root trust program, and Brave does not anticipate its creation for at least 18 months.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l6 level1 lfo5">
<span lang="EN">Substantial changes to certificate parsing and user experience are planned.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l6 level1 lfo5">
<span lang="EN">CT Enforcement will be implemented, but anyone compliant with Google and Apple will almost certainly be compliant.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l6 level1 lfo5">
<span lang="EN">From a UI standpoint: positive security identifiers to be scrapped (since current research does not support their further inclusion), and replaced with negative security warnings upon identified dangerous behavior.<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l6 level2 lfo5">
<span lang="EN">As an example of a scenario which would trigger a warning: A user attempts to enter form information, for example, credit card information, into an HTTP (non-secured) page.<o:p></o:p></span></li></ul>
</li></ul>
<h2 id="Cisco_Systems_Root_Program_Update"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Cisco Systems Root Program Update<o:p></o:p></span></h2>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Presenter</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: J.P. Hamilton <strong><span style="font-family:"Calibri",sans-serif">Minute
Taker</span></strong>: Mike<o:p></o:p></span></p>
<p class="line862"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Cisco Systems: (Had slides for presentation) <a href="https://www.cabforum.org/wiki/Meeting%2044%20Minutes?action=AttachFile&do=view&target=Cisco+Browser+Update.pptx" title=""><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">Cisco
Browser Update.pptx</span></a><o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4 level1 lfo6">
<span lang="EN">Introduced their root store at last RTP conference.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4 level1 lfo6">
<span lang="EN">Recently mandated for all Cisco products<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4 level1 lfo6">
<span lang="EN">Product security baseline. Part of Cisco smart licensing program.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4 level1 lfo6">
<span lang="EN">Three bundles:<o:p></o:p></span>
<ol start="1" type="1">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4 level2 lfo6">
<span lang="EN">Original recipe<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4 level2 lfo6">
<span lang="EN">Extra crispy<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4 level2 lfo6">
<span lang="EN">Grilled Lite<o:p></o:p></span></li></ol>
</li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4 level1 lfo6">
<span lang="EN">CAs need to already be in the Apple, Mozilla or Microsoft root store before being admitted into the Cisco root store<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4 level1 lfo6">
<span lang="EN">Just joined CCADB<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l4 level1 lfo6">
<span lang="EN">Expect specialty root stores in the future (i.e. IoT specific)<o:p></o:p></span></li></ul>
<h2 id="Comodo_Group_Root_Program_Update"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Comodo Group Root Program Update<o:p></o:p></span></h2>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Presenter</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: Phillip Hallam-Baker <strong><span style="font-family:"Calibri",sans-serif">Minute
Taker</span></strong>: Mads<o:p></o:p></span></p>
<p class="line862"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Comodo Security Services (CSC) provides two browsers: Comodo Dragon (Chrome based) and Comodo <a href="https://www.cabforum.org/wiki/IceDragon"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">IceDragon</span></a> (Firefox
based). The browsers are used both for research purposes and for enterprises who need control over systems they are using.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">The philosophy is based on a belief in giving the user the information they require. The browsers will also be used for usability research – e.g. the behavior of users
over the long term. Phillip said he does not believe that people do not understand security signals.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">The current security signals are:<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l16 level1 lfo7">
<span lang="EN">Green (EV)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l16 level1 lfo7">
<span lang="EN">Padlock (Most DV)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l16 level1 lfo7">
<span lang="EN">None (non-TLS)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l16 level1 lfo7">
<span lang="EN">Error (defective TLS)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l16 level1 lfo7">
<span lang="EN">Block (fraud alert (multiple sources))<o:p></o:p></span></li></ul>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">As trust criteria, CSC does not plan to introduce any inclusion program, but rather an exclusion program. By default CAs included in the browser/platform are trusted. The
user can choose which root store they use for trust. However, CAs must implement full lifecycle support, e.g. CAs that do not revoke might be excluded. CAs might also be excluded based on empirical measures of suspicious activity. The certificate should tell
the user whether they are safe/secure, if this is done wrong the CAs might be excluded.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Phillip presented some thoughts about next generation PKI. Based on their experience as a CA, they have realized that CAs are not able to curate other CAs. A misused certificate
should be blocked within 30 minutes. A CA should issue 24-hour certificates, either by using short-lived certificates or by enforcing OCSP. A trust curator provides trusted time and compressed CRLs.<o:p></o:p></span></p>
<p class="line862"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Phillip also presented some thoughts about next generation cryptography, introducing end to end secure Web. This not only includes encryption of data in transit between
the browser and the Web server but also encryption of all data on the Web server. Access to the encrypted data requires key server authorization and end user key. Standards are proposed as internet drafts – see <a href="http://mathmesh.com/"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">http://mathmesh.com</span></a>.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">After the presentation there were discussions around some topics and statements from Phillip. One of them was his skepticism about previous research related to security
usability. Phillip responded that CAs should be evaluated on their ability to make the user safe.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">The process of distrusting CAs also raised a lot of questions and comments. Phillip said that distrust would be based more on empirical results for CAs to make users safe,
rather than errors in process. He also said that it was not possible to present the exact rules for distrust at the moment, but rather the philosophy. The problem is people trying to harm other people on the internet.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">This again raised new comments and questions, one of which was that it should be more efficient to block a website rather than a CA. Phillip agreed that this was a fair point.
Questions were raised about what the causes of distrust should be, such as malware, phishing and fraud. Phillip replied that any site that makes a user unsafe is their focus, but they are not going to set hard lines for bad guys.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Ryan S commented that unclear and undefined rules for distrusting CAs might be problematic and open the door to ambiguity. He also asked why issuing a certificate binding a
key to a domain could be bad. Phillip responded that he was reluctant to enumerate all the causes and thinks this is legitimate. Geoff and Mike commented that both Apple and Microsoft have policies making it possible to remove any CA for any reason.<o:p></o:p></span></p>
<h2 id="Google_Root_Program_Update"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Google Root Program Update<o:p></o:p></span></h2>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Presenters</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: Devon O'Brien, Ryan Sleevi <strong><span style="font-family:"Calibri",sans-serif">Minute
Taker</span></strong>: Dimitris<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level1 lfo8">
<span lang="EN">Since Chrome 66+, certificates that are non-compliant with the BRs regarding validity (825-day limit) will display errors on the client side. The algorithm to calculate validity has been updated. The new algorithm is based on the longest possible
valid date for that period - for example, 39 months is 366 + 365 + 365 + 31 + 31 + 30 days, or 1188 days.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level1 lfo8">
<span lang="EN">Chrome 68 distrusted the first wave of Symantec certificates according to the announced distrust plan. Chrome 70 will address the following waves.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:6.0pt;mso-margin-bottom-alt:auto;mso-list:l17 level1 lfo8">
<span lang="EN">On the research side, Google's usability and security team continues to explore how to ensure that their products help users make effective and secure decisions. As part of that, studies are being conducted that continue to explore user behavior
based on how the security status of the page is presented. The detailed methodology was discussed to solicit feedback from members present, to solicit additional user feedback, but detailed a variety of measures for user behavior and safety. This was asked
not to be shared in advance of peer review and potential publication. Current public research on usability behavior is at research.google.com.<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level2 lfo8">
<span lang="EN">Kirk asked if there could be a limited (top 3) set of research documents from research.google.com on which the Chrome team based their decision to change the UI.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level2 lfo8">
<span lang="EN">Ryan responded that there are several public reports for that area and welcomed further discussion on the public list.<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;margin-top:6.0pt;mso-margin-bottom-alt:auto;mso-list:l17 level1 lfo8">
<span lang="EN">As far as the Chrome UI is concerned (in desktop versions),<o:p></o:p></span></li></ul>
<p class="line862" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:1.0in;text-indent:-.25in;mso-list:l17 level2 lfo8">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:"Courier New";color:black"><span style="mso-list:Ignore">o<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Beginning with Chrome 68, pages with http will be marked as "not secure" - <a href="https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html</span></a><o:p></o:p></span></p>
<p class="line862" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:1.0in;text-indent:-.25in;mso-list:l17 level2 lfo8">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:"Courier New";color:black"><span style="mso-list:Ignore">o<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Beginning with Chrome 69, positive indicators will start being removed - <a href="https://blog.chromium.org/2018/05/evolving-chromes-security-indicators.html"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://blog.chromium.org/2018/05/evolving-chromes-security-indicators.html</span></a><o:p></o:p></span></p>
<ul type="disc">
<ul type="circle">
<ul type="square">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level3 lfo8">
<span lang="EN">Align Chrome address bar with all types (unified color scheme for DV/OV/EV)<o:p></o:p></span></li></ul>
</ul>
</ul>
<p class="line862" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:1.0in;text-indent:-.25in;mso-list:l17 level2 lfo8">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:"Courier New";color:black"><span style="mso-list:Ignore">o<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Beginning with Chrome 70, for users entering data on HTTP pages, the negative warning indicators ("not secure") will be stronger - <a href="https://blog.chromium.org/2018/05/evolving-chromes-security-indicators.html"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://blog.chromium.org/2018/05/evolving-chromes-security-indicators.html</span></a><o:p></o:p></span></p>
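<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">The validity calculation from the first item of this update ("longest possible" length of a 39-month period, and the 825-day limit), worked through as an added example; this is not Chrome's code and not part of the original minutes. The 2018-03-01 cutoff is taken from the Baseline Requirements rather than from these minutes, the certificate dates are constructed samples, and all function names are hypothetical.</span></p>

```python
from datetime import date

# Assumption (from the Baseline Requirements, not from these minutes): the
# 825-day limit applies to certificates issued on or after 2018-03-01; earlier
# certificates fall under the older 39-month limit.
BR_825_DAY_CUTOFF = date(2018, 3, 1)
LIMIT_825_DAYS = 825


def days_in_month_span(start_year, start_month, months):
    """Days from the 1st of the start month to the 1st of the month `months` later."""
    end_index = (start_month - 1) + months
    end = date(start_year + end_index // 12, end_index % 12 + 1, 1)
    return (end - date(start_year, start_month, 1)).days


def max_days_for_months(months):
    """Longest possible length, in days, of any run of `months` calendar months.

    A limit stated in months has no fixed length in days, so the most generous
    reading is used: try every starting month over a full 400-year Gregorian
    cycle and keep the maximum.
    """
    return max(
        days_in_month_span(year, month, months)
        for year in range(2000, 2400)
        for month in range(1, 13)
    )


# 39 months -> 366 + 365 + 365 + 31 + 31 + 30 = 1188 days, as in the minutes.
LIMIT_39_MONTHS_DAYS = max_days_for_months(39)


def check_validity(not_before, not_after):
    """Compare a certificate lifetime with the limit in force at issuance.

    Assumption: the lifetime is the plain difference notAfter - notBefore in
    whole days, and the issuance date is approximated by notBefore.
    """
    lifetime = (not_after - not_before).days
    if not_before >= BR_825_DAY_CUTOFF:
        limit = LIMIT_825_DAYS
    else:
        limit = LIMIT_39_MONTHS_DAYS
    return {
        "lifetime_days": lifetime,
        "limit_days": limit,
        "compliant": lifetime <= limit,
    }


# Constructed sample validity windows (not real certificates).
SAMPLE_CERTS = [
    ("legacy-39-month", date(2017, 6, 1), date(2020, 9, 1)),
    ("new-825-day", date(2018, 6, 1), date(2020, 9, 3)),
    ("new-3-year", date(2018, 6, 1), date(2021, 6, 1)),
]


def audit(certs):
    """Return {name: check_validity(...)} for each (name, notBefore, notAfter)."""
    return {name: check_validity(nb, na) for name, nb, na in certs}


if __name__ == "__main__":
    print("39 months is at most", LIMIT_39_MONTHS_DAYS, "days")
    for name, result in audit(SAMPLE_CERTS).items():
        status = "ok" if result["compliant"] else "TOO LONG"
        print(f"{name:16} {result['lifetime_days']:5} / {result['limit_days']:5} days  {status}")
```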
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level1 lfo8">
<span lang="EN">Ryan discussed some of the research studies that the Chrome team is conducting around security indicators, including not-yet-published research, to solicit feedback from CAs about possible areas of consideration<o:p></o:p></span></li><li class="MsoNormal" style="color:black;margin-top:6.0pt;mso-margin-bottom-alt:auto;mso-list:l17 level1 lfo8">
<span lang="EN">Certificate Transparency<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level2 lfo8">
<span lang="EN">Main stakeholders are CT Log operators, CAs and User Agents<o:p></o:p></span></li></ul>
</li></ul>
<p class="line862" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:1.0in;text-indent:-.25in;mso-list:l17 level2 lfo8">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:"Courier New";color:black"><span style="mso-list:Ignore">o<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Best practices shall be published including results from the "CT Days". Ryan and Devon welcomed participation in <a href="mailto:ct-policy@chromium.org"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">ct-policy@chromium.org</span></a> for
issues related to CT that are not necessarily "Chrome-specific". They consider the <a href="mailto:ct-policy@chromium.org"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">ct-policy@chromium.org</span></a> forum a public forum for the CT
ecosystem.<o:p></o:p></span></p>
<ul type="disc">
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level2 lfo8">
<span lang="EN">Chrome team has contacted CAs that issued certificates with potential problems with the CT enforcement. These problems will appear when Chrome 68 is published as stable.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level2 lfo8">
<span lang="EN">Yeti, Nimbus, Argon are now Qualified, which are definitely usable for Chrome 68 and the CT enforcement. For the future, the Chromium team will be announcing when a log is safely "usable" so that CAs can start logging to these new logs.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level2 lfo8">
<span lang="EN">Full-page interstitial for CT non-compliance<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level2 lfo8">
<span lang="EN">Enterprise administrators can set specific policy and have a couple of options to deviate from the default CT-enforcement Chrome Policy<o:p></o:p></span>
<ul type="square">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l17 level3 lfo8">
<span lang="EN">First option: for domain names and subdomains that match a filter, CT compliance is not required<o:p></o:p></span></li></ul>
</li></ul>
</ul>
<p class="line862" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:1.5in;text-indent:-.25in;mso-list:l17 level3 lfo8">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:Wingdings;color:black"><span style="mso-list:Ignore">§<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Chrome 67 will add 2 more policy options for Enterprise Administrators (<a href="https://chromium.googlesource.com/chromium/src/+/master/net/docs/certificate-transparency.md#Legacy-CAs"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://chromium.googlesource.com/chromium/src/+/master/net/docs/certificate-transparency.md#Legacy-CAs</span></a>)<o:p></o:p></span></p>
<p class="line862" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:1.5in;text-indent:-.25in;mso-list:l17 level3 lfo8">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:Wingdings;color:black"><span style="mso-list:Ignore">§<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">More details at <a href="https://www.chromium.org/administrators/policy-list-3"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://www.chromium.org/administrators/policy-list-3</span></a>.
Look for the following: CertificateTransparencyEnforcementDisabledForCas, CertificateTransparencyEnforcementDisabledForLegacyCas, CertificateTransparencyEnforcementDisabledForUrls.<o:p></o:p></span></p>
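<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Because each of these three policies switches CT enforcement off for some set of certificates, a managed-policy file is worth reviewing for them. The following is an added example, not part of the original minutes and not Chromium code: it lists every CT exemption in a policy file and flags entries that look malformed. The value formats are assumptions based on the Chromium policy list linked above (CA entries as "sha256/" followed by the Base64 SHA-256 hash of the subjectPublicKeyInfo, URL entries matched by hostname without wildcard support); the policy file content is constructed and the function names are hypothetical.</span></p>

```python
import base64
import binascii
import json

# The three policy names given in the minutes.
CT_EXEMPTION_POLICIES = (
    "CertificateTransparencyEnforcementDisabledForCas",
    "CertificateTransparencyEnforcementDisabledForLegacyCas",
    "CertificateTransparencyEnforcementDisabledForUrls",
)


def is_spki_hash(entry):
    """True if entry looks like 'sha256/<Base64 of a 32-byte digest>'.

    Assumption: this is the only accepted form for the two CA policies.
    """
    algorithm, separator, encoded = entry.partition("/")
    if algorithm != "sha256" or not separator:
        return False
    try:
        return len(base64.b64decode(encoded, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def audit_ct_exemptions(policy_json):
    """Return one finding per CT exemption entry found in a policy file.

    Each finding records the policy, the entry and, when the entry does not
    match the assumed format, a short description of the problem. Entries with
    a problem deserve attention twice over: the exemption was intended, and it
    may not behave the way the administrator expects.
    """
    policy = json.loads(policy_json)
    findings = []
    for name in CT_EXEMPTION_POLICIES:
        for entry in policy.get(name, []):
            problem = None
            if name.endswith("ForUrls"):
                if "*" in entry:
                    problem = "wildcard in hostname (assumed unsupported)"
            elif not is_spki_hash(entry):
                problem = "not a sha256/<Base64 SPKI hash> value"
            findings.append({"policy": name, "entry": entry, "problem": problem})
    return findings


# Constructed sample policy file; the hash is 32 zero bytes, not a real CA key.
SAMPLE_POLICY_JSON = json.dumps({
    "HomepageLocation": "https://intranet.example",
    "CertificateTransparencyEnforcementDisabledForUrls": [
        "legacy.example.com",
        "*.corp.example",
    ],
    "CertificateTransparencyEnforcementDisabledForCas": [
        "sha256/" + base64.b64encode(bytes(32)).decode("ascii"),
        "sha1/AAAA",
    ],
})


if __name__ == "__main__":
    for finding in audit_ct_exemptions(SAMPLE_POLICY_JSON):
        note = finding["problem"] or "format ok, review business justification"
        print(f"{finding['policy']}: {finding['entry']} -> {note}")
```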
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">For the user accessibility study:<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l20 level1 lfo9">
<span lang="EN">Kirk: Has Google done studies where they trained users as to what these indicators actually mean?<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l20 level1 lfo9">
<span lang="EN">Ryan: It's unclear what the proposed methodology is to understand the question - the usability studies have looked at a broad spectrum. If there are proposed methodologies that can be done at scale, open to considering feedback.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l20 level1 lfo9">
<span lang="EN">Phillip: User control makes users feel safe.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l20 level1 lfo9">
<span lang="EN">Ryan: Some of the things of the study approximate that behavior but people can propose new measurements to Google Chrome team.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l20 level1 lfo9">
<span lang="EN">Devon: Need quantifiable elements. But if users feel safe but they are effectively not safe, Chrome finds this concerning and takes action to protect the user.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l20 level1 lfo9">
<span lang="EN">Mike: Is there any other list of studies/research related to the issue of user accessibility?<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l20 level1 lfo9">
<span lang="EN">Ryan: Several around, will send to the list.<o:p></o:p></span></li></ul>
<p class="line862"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">On Thursday, we discussed the W3C WICG's work on Signed Exchanges (<a href="https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html</span></a>).
This allows content to be signed by the operator of example.com, but potentially hosted by any number of CDNs, caches, or even delivered offline such as sharing by users, but be safely and securely loaded by browsers "as if" it came from example.com, and with
all the permissions and privileges. A compliant browser will be able to load and authenticate the page, regardless of the transport.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">This allows for a number of interesting use cases, ranging from offline sharing of content, to web application bootstrapping, to more reliable hosting and sharing of content.
To avoid this feature introducing any additional risk to existing server operators, it's necessary to obtain a certificate that 'opts-in' to this feature.<o:p></o:p></span></p>
<p class="line862"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">This is expected to mitigate some potential risks from accidental usage (use a key offline and not online), and is similar to the discussions around Delegated Certificates
in the IETF. The opt-in is accomplished by an additional X.509v3 extension at present, but could also have been met by listing an additional EKU - in both cases, it is and remains a TLS web server certificate, just with additional capabilities for browsers.
This extension is not marked as "critical" so these certificates can work with existing browsers. It only offers an additional capability. Because of this, CAs should be aware of that work, and the desire for both sites and browsers to experiment with the
draft specification to gather feedback and validate the design choices. This extension complies with the Baseline Requirements' rules around extensions, and a preliminary OID has been assigned for experimentation. CAs that are interested in participating in
such experiments can find discussion links in the specification, and further background available in the <a href="https://www.cabforum.org/wiki/GitHub"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">GitHub</span></a> repository.<o:p></o:p></span></p>
<h2 id="Microsoft_Root_Program_Update"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Microsoft Root Program Update<o:p></o:p></span></h2>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Presenter</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: Mike Reilly <strong><span style="font-family:"Calibri",sans-serif">Minute
Taker</span></strong>: Tim<o:p></o:p></span></p>
<p class="line862" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l9 level1 lfo10">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Reminder that <a href="mailto:msroot@microsoft.com"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">msroot@microsoft.com</span></a> should
be used for communications to ensure timely response. Communications to CAs will come from this address as well rather than from individual team members.<o:p></o:p></span></p>
<p class="line862" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l9 level1 lfo10">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Updated CA application process released on our site’s Certificate Authority Intake Process page (<a href="https://aka.ms/rootcertapply"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://aka.ms/rootcertapply</span></a>).<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level1 lfo10">
<span lang="EN">Root Change request form coming for any CA initiated changes. Available for download on our site shortly.<o:p></o:p></span></li></ul>
<p class="line862" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l9 level1 lfo10">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Continuing to build out our Crypto Business Intelligence (BI) to manage our root store. This includes use of Windows 10, <a href="https://www.cabforum.org/wiki/SmartScreen"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">SmartScreen</span></a> and
CT Monitor telemetry. This capability enables us to better understand the impact of changes to roots, either Microsoft or CA initiated, and how those changes may impact our customers.<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level1 lfo10">
<span lang="EN">Continuing to conduct end-to-end examination of each root in the root store for EKUs, use, contract compliance and other issues which may represent risk to Microsoft customers. Moving last remaining CAs on 2007 version contracts to updated 2015
version.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level1 lfo10">
<span lang="EN">Continued efforts toward automation of program processes to minimize errors and enable increased verification of program compliance.<o:p></o:p></span></li></ul>
<p class="line862" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l9 level1 lfo10">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">We have the capability to deploy root store changes on a monthly cadence. Root change request review may not move as quickly, though, depending on complexity,
conformance to CABF baseline requirements and/or Microsoft root program requirements/contract. Information on our monthly changes can be found at <a href="http://aka.ms/rootupdates"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">http://aka.ms/rootupdates</span></a>.<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l9 level1 lfo10">
<span lang="EN">Microsoft supports the Certificate Transparency initiative, but is not enforcing CT in Edge at this time.<o:p></o:p></span></li></ul>
<p class="line862" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l9 level1 lfo10">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Symantec distrust process planning ongoing in coordination with <a href="https://www.cabforum.org/wiki/DigiCert"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">DigiCert</span></a>.
Our main concern is down level OS support for Code Signing and Time Stamping for our customers.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Reminder on the different states of roots in the Microsoft Trusted Root Programs:<o:p></o:p></span></p>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Root Certificate Expiration</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Each root certificate has a validity period with a defined Start and End date. The validity period enables new certificates to be signed during that period. Customers will
find roots that are expired are still in the Microsoft Certificate Trust List. This is because of Code Signing and Time Stamping. Microsoft doesn't want to unnecessarily impair our customers' ability to run valid applications and code that was written
years ago. For these applications to properly execute, they must chain to a root certificate in the Certificate Trust List. For example: To ensure that our customers can run their copy of Age of Empires, which was released in 2003, the root certificate that
issued the certificate that signed that code must be retained in Windows indefinitely.<o:p></o:p></span></p>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Certificate Removal</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">The Trusted Root Program removes the certificate from the program. All certificates that chain to this root are no longer valid. Any code signed by a removed certificate
is no longer trusted by Windows.<o:p></o:p></span></p>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Disable</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">The ability to Disable a root was introduced in Windows 10 RS1. Before the Disable functionality was introduced, Microsoft's only ability to prevent certificate issuance from
the root was Removal. This had consequences for Microsoft Windows users when Code Signing and Time Stamping were involved. By disabling a root, Microsoft is able to revoke all EKU capabilities while still allowing Code Signing and Time Stamped code to function.<o:p></o:p></span></p>
<p class="line867"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><a href="https://www.cabforum.org/wiki/NotBefore"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">NotBefore</span></a><o:p></o:p></span></p>
<p class="line862"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Similar in functionality to Disable, but allowing more granularity, <a href="https://www.cabforum.org/wiki/NotBefore"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">NotBefore</span></a> was
introduced in Windows 10 RS2 to allow certain EKUs to be disabled on a specified date. All certificates issued with those EKUs prior to the <a href="https://www.cabforum.org/wiki/NotBefore"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">NotBefore</span></a> date
are still valid and will function normally; however, certificates signed after the <a href="https://www.cabforum.org/wiki/NotBefore"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">NotBefore</span></a> date are invalid. Utilizing the <a href="https://www.cabforum.org/wiki/NotBefore"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">NotBefore</span></a> functionality
is the most granular approach to removing certificate capabilities, as it allows the natural deprecation of existing end-level certificates.<o:p></o:p></span></p>
<h2 id="Mozilla_Root_Program_Update"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Mozilla Root Program Update<o:p></o:p></span></h2>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Presenter</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: Wayne <strong><span style="font-family:"Calibri",sans-serif">Minute
Taker</span></strong>: Cecilia<o:p></o:p></span></p>
<p class="line867"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><a href="https://www.cabforum.org/wiki/Meeting%2044%20Minutes?action=AttachFile&do=view&target=CAB-ForumLondon-June+2018-BrowserNews.docx" title=""><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">CAB-ForumLondon-June
2018-BrowserNews.docx</span></a> <a href="https://www.cabforum.org/wiki/Meeting%2044%20Minutes?action=AttachFile&do=view&target=CABF_F2Fpreso_030518_vmf.pdf" title=""><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">CABF_F2Fpreso_030518_vmf.pdf</span></a><o:p></o:p></span></p>
<h2 id="Guest_Speaker:_Agile_Crypto_-_How_are_we_to_survive_the_death_of_RSA.2FEC.3F">
<span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Guest Speaker: Agile Crypto - How are we to survive the death of RSA/EC?<o:p></o:p></span></h2>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Presenter</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: (Michael Kushner, PrimeKey) No Minutes<o:p></o:p></span></p>
<h2 id="WebTrust_Update"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">WebTrust Update<o:p></o:p></span></h2>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Presenters</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: Don Sheehy, Gord Beal, Jeff Ward <strong><span style="font-family:"Calibri",sans-serif">Minute
Taker</span></strong>: Kirk<o:p></o:p></span></p>
<h3 id="Current_Work"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Current Work<o:p></o:p></span></h3>
<p class="line891" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l11 level1 lfo11">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><a href="https://www.cabforum.org/wiki/WebTrust"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a> Baseline + NS vs 2.3:<o:p></o:p></span></p>
<ul type="disc">
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l11 level2 lfo11">
<span lang="EN">Released effective February 1, 2018<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l11 level2 lfo11">
<span lang="EN">Updated to conform with Baseline 1.5.4 and NS 1.1<o:p></o:p></span></li></ul>
</ul>
<p class="line891" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l11 level1 lfo11">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><a href="https://www.cabforum.org/wiki/WebTrust"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a> for CA 2.1<o:p></o:p></span></p>
<ul type="disc">
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l11 level2 lfo11">
<span lang="EN">Released effective September 1, 2017<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l11 level2 lfo11">
<span lang="EN">Sections added on key migration, destruction and transport<o:p></o:p></span></li></ul>
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l11 level1 lfo11">
<span lang="EN">Publicly Trusted Code Signing Vs 1.0.1<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l11 level2 lfo11">
<span lang="EN">Released effective October 1, 2017<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l11 level2 lfo11">
<span lang="EN">Modified version released to fix error in material and to remove unauditable criterion<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l11 level2 lfo11">
<span lang="EN">Current Status - updated<o:p></o:p></span></li></ul>
</li></ul>
<p class="line891" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l11 level1 lfo11">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><a href="https://www.cabforum.org/wiki/WebTrust"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a> EV SSL<o:p></o:p></span></p>
<ul type="disc">
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l11 level2 lfo11">
<span lang="EN">Released v 1.6.2 effective October 1, 2017<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l11 level2 lfo11">
<span lang="EN">Updated EV SSL Audit Criteria to conform to EV SSL Guidelines v1.6.2 and other clarifications<o:p></o:p></span></li></ul>
</ul>
<p class="line891" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l11 level1 lfo11">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><a href="https://www.cabforum.org/wiki/WebTrust"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a> EV Code Signing<o:p></o:p></span></p>
<ul type="disc">
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l11 level2 lfo11">
<span lang="EN">Released vs 1.4.1 effective October 1, 2017<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l11 level2 lfo11">
<span lang="EN">Removed Principle 2, Criterion 5.12 as it was not auditable<o:p></o:p></span></li></ul>
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l11 level1 lfo11">
<span lang="EN">Practitioner Audit Report templates<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l11 level2 lfo11">
<span lang="EN">Approved by AICPA/CPA Canada<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l11 level2 lfo11">
<span lang="EN">Released Sept 1, 2017<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l11 level2 lfo11">
<span lang="EN">Covers almost all potential types of reports (about 18 examples in each) and assertions<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l11 level2 lfo11">
<span lang="EN">Assertion based examples, as well as direct subject matter<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l11 level2 lfo11">
<span lang="EN">Need to be followed to get the seal<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l11 level1 lfo11">
<span lang="EN">Applicability Matrix updated<o:p></o:p></span></li></ul>
<p class="line891" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:1.0in;text-indent:-.25in;mso-list:l11 level2 lfo11">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:"Courier New";color:black"><span style="mso-list:Ignore">o<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><a href="http://www.webtrust.org/principles-and-criteria/docs/item85436.pdf"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">http://www.webtrust.org/principles-and-criteria/docs/item85436.pdf</span></a><o:p></o:p></span></p>
<h3 id="New_Work"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">New Work<o:p></o:p></span></h3>
<p class="line891" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l21 level1 lfo12">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><a href="https://www.cabforum.org/wiki/WebTrust"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a> for RA<o:p></o:p></span></p>
<ul type="disc">
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l21 level2 lfo12">
<span lang="EN">Third draft version prepared<o:p></o:p></span></li></ul>
</ul>
<p class="line862" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:1.0in;text-indent:-.25in;mso-list:l21 level2 lfo12">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:"Courier New";color:black"><span style="mso-list:Ignore">o<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Has main principles similar to <a href="https://www.cabforum.org/wiki/WebTrust"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a> and
additional principles (appendices) for Baseline+NS, EV<o:p></o:p></span></p>
<ul type="disc">
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l21 level2 lfo12">
<span lang="EN">Strength of controls will be an issue – volunteers from CABF for review and comment?<o:p></o:p></span></li></ul>
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l21 level1 lfo12">
<span lang="EN">Reporting alternatives being discussed including SOC2 like, public report and impact on CA report<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l21 level2 lfo12">
<span lang="EN">Practitioner guidance for auditors under development covering public and private CAs.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l21 level2 lfo12">
<span lang="EN">Will provide examples of tools and approaches as best practices – please share if you have any in mind<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l21 level2 lfo12">
<span lang="EN">First draft reviewed May 2018 meeting – expected release 2019<o:p></o:p></span></li></ul>
</li></ul>
<h3 id="New_and_Old_Issues_-_Terminology"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">New and Old Issues - Terminology<o:p></o:p></span></h3>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">CABF public post from Don and Jeff March 15, 2017 provided definition of:<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l18 level1 lfo13">
<span lang="EN">Point In Time (Will now be called Type 1)<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l18 level2 lfo13">
<span lang="EN">As of a given date<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l18 level2 lfo13">
<span lang="EN">Focused on the design and implementation of controls<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l18 level2 lfo13">
<span lang="EN">Effectiveness of controls not tested<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l18 level2 lfo13">
<span lang="EN">Audit report, example in our reporting guidance<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l18 level1 lfo13">
<span lang="EN">Period Of Time (Will now be called Type 2)<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l18 level2 lfo13">
<span lang="EN">Minimum 2 months, max of 12 (not just when auditors were there)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l18 level2 lfo13">
<span lang="EN">Includes testing effectiveness of controls<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l18 level2 lfo13">
<span lang="EN">Audit report examples in our reporting guidance<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l18 level1 lfo13">
<span lang="EN">Readiness Assessment<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l18 level2 lfo13">
<span lang="EN">Consulting report – not an audit<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l18 level2 lfo13">
<span lang="EN">Report is for management and internal users only<o:p></o:p></span></li></ul>
</li></ul>
<h3 id="New_Issues"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">New Issues<o:p></o:p></span></h3>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo14">
<span lang="EN">Privacy – impact of GDPR - a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR replaces the 1995 Data Protection Directive.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo14">
<span lang="EN">Additional formalization of CPA Canada processes being undertaken based on perceived risk of service<o:p></o:p></span></li></ul>
<p class="line862" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:1.0in;text-indent:-.25in;mso-list:l3 level2 lfo14">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:"Courier New";color:black"><span style="mso-list:Ignore">o<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Replacement of Webtrust.org with CPA Canada - <a href="https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/standards-other-than-cas/publications/overview-of-webtrust-services"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/standards-other-than-cas/publications/overview-of-webtrust-services</span></a><o:p></o:p></span></p>
<ul type="disc">
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level2 lfo14">
<span lang="EN">More detailed license and process considerations for auditors, including international<o:p></o:p></span></li></ul>
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo14">
<span lang="EN">Analysis of new ISO 21188 – recently released<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level2 lfo14">
<span lang="EN">Public key infrastructure for financial services -- Practices and policy framework<o:p></o:p></span></li></ul>
</li></ul>
<p class="line862" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:1.0in;text-indent:-.25in;mso-list:l3 level2 lfo14">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:"Courier New";color:black"><span style="mso-list:Ignore">o<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Last version was basis for <a href="https://www.cabforum.org/wiki/WebTrust"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a> for
CA vs 2.0<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo14">
<span lang="EN">ISO 21188:2018 sets out a framework of requirements to manage a PKI through certificate policies and certification practice statements and to enable the use of public key certificates in the financial services industry.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo14">
<span lang="EN">Defines control objectives and supporting procedures to manage risks.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo14">
<span lang="EN">Does not address authentication methods, non-repudiation requirements or key management protocols.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo14">
<span lang="EN">Draws a distinction between PKI systems used in closed, open and contractual environments. It further defines the operational practices relative to financial-services-industry-accepted information systems control objectives.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo14">
<span lang="EN">Intended to help implementers to define PKI practices that can support multiple certificate policies that include the use of digital signature, remote authentication, key exchange and data encryption.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo14">
<span lang="EN">Facilitates the implementation of operational, baseline PKI control practices<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo14">
<span lang="EN">While the focus is on the contractual environment, application to other environments is not specifically precluded.<o:p></o:p></span></li></ul>
<p class="line862"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">5. CPA Canada: Gord Beal, Kaylynn Pippo (on leave), Janet Treasure, Bryan Walker, Annette <a href="https://www.cabforum.org/wiki/DaRocha"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">DaRocha</span></a>,
Taryn Abate. Consultant to CPA Canada: Don Sheehy (Vice–chair)<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Task Force Members and Technical Support Volunteers: Jeff Ward (Chair), BDO; Chris Czajczyc, Deloitte; Reema Anand, KPMG; David Roque, EY; Daniel Adam, Deloitte; Tim Crawford,
BDO; Zain Shabbir, KPMG; Donoghue Clarke, EY.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Reporting Structure/Roles:<o:p></o:p></span></p>
<p class="line862" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l12 level1 lfo15">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Gord Beal – <a href="https://www.cabforum.org/wiki/WebTrust"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a> falls into
Guidance and Support activities of CPA Canada<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l12 level1 lfo15">
<span lang="EN">Janet Treasure – Seal system and licensing responsibility<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l12 level1 lfo15">
<span lang="EN">Bryan Walker – Licensing advisor<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l12 level1 lfo15">
<span lang="EN">Don Sheehy - Task Force and CABF liaison<o:p></o:p></span></li></ul>
<p class="line862" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l12 level1 lfo15">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Jeff Ward - Chair of the <a href="https://www.cabforum.org/wiki/WebTrust"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a> Task
Force and primary contact<o:p></o:p></span></p>
<p class="line862" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l12 level1 lfo15">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">All Task Force members provide <a href="https://www.cabforum.org/wiki/WebTrust"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">WebTrust</span></a> services
to clients<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l12 level1 lfo15">
<span lang="EN">Volunteers are supported by additional technical associates and CPA Canada liaison but report to CPA Canada<o:p></o:p></span></li></ul>
<h2 id="ETSI_Update.2C_Supplement_to_ETSI_EN_319_403:_Draft_TS_119_403-2_and_ACAB.2BALQ-c_Update">
<span lang="EN" style="font-family:"Calibri",sans-serif;color:black">ETSI Update, Supplement to ETSI EN 319 403: Draft TS 119 403-2 and ACAB´c Update<o:p></o:p></span></h2>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Presenters</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: (Arno, Nick + Monika, Christoph) <strong><span style="font-family:"Calibri",sans-serif">Minute
Taker</span></strong>: Enrico<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Nick's presentation was about two main topics:<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">1. Use of organizationIdentifier in subjectDN of EV Certificates: Nick explained the motivation for using EV certificates in the context of the European Payment Service
Directive 2 (PSD2). PSD2 requires EU banks to provide open interfaces for third-party payment services. PSD2 mandates qualified Website Certificates (QWACs) for financial institutions within Europe. QWACs could be EV certificates. ETSI and the European
Banking Association develop the technical specification for implementing QWACs. ETSI and the European Banking Association propose additional text for the EV Guidelines. The specification ETSI TS 119 495, which adds a specific PSD2 authorization number, was controversially
discussed during the meeting. Members of the audience suggested that the additional organizationIdentifier attribute doesn’t require any specific processing by the browsers. For more details see Nick's presentation: <a href="https://de.slideshare.net/ArnoFiedler/etsi-cabf-plenary-20180607-org-identification"><span style="color:#666666;border:none windowtext 1.0pt;padding:0in">https://de.slideshare.net/ArnoFiedler/etsi-cabf-plenary-20180607-org-identification</span></a><o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">2. Introduction of TS 119 403-2 (Audit Attestation Letter): The meeting discussed the proposed specification TS 119 403-2, "Conformity Assessment Bodies auditing Trust Service
Providers that issue Publicly-Trusted Certificates". The meeting encouraged ETSI to go ahead and publish TS 119 403-2. A few detailed comments were raised during discussion, which will be taken into account in an update to the draft document. The resulting
revised draft is planned to be tabled at the upcoming ETSI ESI meeting in a couple of weeks with the aim of publication in July. The meeting welcomed further exchange of audit requirements between CAB Forum and ETSI that might be taken into account in future
revisions.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Monika from TÜVIT gave an update on the ACAB´c activities:<o:p></o:p></span></p>
<p class="line867"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><a href="https://de.slideshare.net/ArnoFiedler/20180607-cabf-acabcpresentationlondonv03"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://de.slideshare.net/ArnoFiedler/20180607-cabf-acabcpresentationlondonv03</span></a><o:p></o:p></span></p>
<h2 id="Announcement_of_.2BIBw-London_Protocol.2BIB0.3B_Invitation_to_Participate">
<span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Announcement of “London Protocol”; Invitation to Participate<o:p></o:p></span></h2>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Presenter</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: Chris Bailey <strong><span style="font-family:"Calibri",sans-serif">Minute
Taker</span></strong>: Ryan<o:p></o:p></span></p>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><a href="https://www.cabforum.org/wiki/Meeting%2044%20Minutes?action=AttachFile&do=view&target=London+Protocol+Presentation.pdf" title=""><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">London
Protocol Presentation.pdf</span></a></span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></p>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Objective</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: Improve identity assurance and minimize the possibility of phishing
from identity certificates <strong><span style="font-family:"Calibri",sans-serif">Protocol to be Implemented</span></strong>:<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l13 level1 lfo16">
<span lang="EN">Actively monitor phishing reports<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l13 level1 lfo16">
<span lang="EN">Notify the affected website owner that phishing content was found and provide remediation instructions<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l13 level1 lfo16">
<span lang="EN">Each CA will contribute data to a common database for future phishing content. The data will be available to participating CAs to conduct due diligence before issuing OV and EV certificates<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l13 level1 lfo16">
<span lang="EN">Developing a name collision system to prevent the “Stripe Inc” threat vector<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l13 level1 lfo16">
<span lang="EN">Other: May add, delete, or modify efforts from time to time<o:p></o:p></span></li></ul>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Sources of data</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">:<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo17">
<span lang="EN">CAs will collaborate to find reliable sources<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo17">
<span lang="EN">Data will be shared among participating CAs<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo17">
<span lang="EN">Members will periodically publish aggregate statistics to the CA/Browser Forum and to the media<o:p></o:p></span></li></ul>
<h3 id="Q.26A"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Q&A<o:p></o:p></span></h3>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l15 level1 lfo18">
<span lang="EN">Ryan Sleevi: From the slides presented, it appears to be attempting to exclude certain users from certain products. How does this discussion comply with the antitrust statement?<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l15 level2 lfo18">
<span lang="EN">Kirk Hall: It is purely informational sharing, it does not deny certificates. It gathers information about trends about malware and misissuance. For example, “bad actors” going from one CA to another CA, share information about those customers.<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l15 level1 lfo18">
<span lang="EN">Mark Goodwin: Do you have data about whether this reduces the customer exposure to attack or helps users in any way?<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l15 level2 lfo18">
<span lang="EN">We currently use antiphishing lists like Phishlabs as the basis for denying certificates. Do you think those have any effect?<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l15 level2 lfo18">
<span lang="EN">Follow-up: From working in banking previously, takedowns were not effective if completed after a few hours.<o:p></o:p></span>
<ul type="square">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l15 level3 lfo18">
<span lang="EN">Response: You were working with URLs. With this, it's possible a particular organization will go on a flag list, such that certificates for that organization also go onto a flag list.<o:p></o:p></span></li></ul>
</li></ul>
</li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l15 level1 lfo18">
<span lang="EN">Devon O'Brien: One of the slides mentioned “Monitor for the reports for DV/OV/EV for phishing, and the CAs will contribute to a database that can be consulted by CAs as a gate to no OV and EV issuance”<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l15 level2 lfo18">
<span lang="EN">Kirk Hall: It is not a gate to issuance<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l15 level2 lfo18">
<span lang="EN">Follow-up: How will the process change, then?<o:p></o:p></span>
<ul type="square">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l15 level3 lfo18">
<span lang="EN">Kirk Hall: It is still being developed. It may simply result in a statement about the information.<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l15 level2 lfo18">
<span lang="EN">Follow-up: What will you do with that information?<o:p></o:p></span>
<ul type="square">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l15 level3 lfo18">
<span lang="EN">Dimitris: This is similar to using blacklists or high risk lists, but also checks the organization for additional information<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l15 level3 lfo18">
<span lang="EN">Kirk: Just because a customer with an OV or EV certificate has phishing content doesn’t mean they’ll go on a flag list. We have not to date been helping customers clean up their site once phishing is detected, it would only go on such a list
if the customer was uncooperative and not doing anything with it<o:p></o:p></span></li></ul>
</li></ul>
</li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l15 level1 lfo18">
<span lang="EN">Dimitris: Wasn’t there an information sharing WG to examine this?<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l15 level2 lfo18">
<span lang="EN">Ben Wilson: Yes, we eventually lost interest, especially after going through the analysis of the antitrust. Various groups establish ISACs that can operate without violating anti-trust laws<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l15 level1 lfo18">
<span lang="EN">Ryan Hurst: The slides presented say the voluntary protocol is open to all CAs. Other organizations, such as Netcraft, are active in this space. Will they be able to participate?<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l15 level2 lfo18">
<span lang="EN">Kirk Hall: It includes, but is not limited to, CAs<o:p></o:p></span></li></ul>
</li></ul>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Organizations interested in participating should e-mail Chris Bailey; the project will start up over the next few years.<o:p></o:p></span></p>
<h2 id="Development_of_Name_Clash_Application"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Development of Name Clash Application<o:p></o:p></span></h2>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Presenter</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: Daymion Reynolds <strong><span style="font-family:"Calibri",sans-serif">Minute
Taker</span></strong>: Travis<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">The name collision service will be a mechanism for CAs to query whether an organization name is already in use. The first steps will be to backfill the service using organization
information within the CT logs. Members who wish to participate will be able to query and add new certificates in real time. Once the dataset has been collected to see how often name collisions exist within the ecosystem, we will report collision types and frequency.
The service will be available in July, with a follow-up report planned for September.<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo19">
<span lang="EN">Do the planned changes to the browser UI solve this problem already?<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level2 lfo19">
<span lang="EN">No.<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo19">
<span lang="EN">Will there be fuzzy matching on this dataset?<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level2 lfo19">
<span lang="EN">The first step will be character equivalency matching with follow up to fuzzy matching after the data has been analyzed.<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo19">
<span lang="EN">Will Uniform Name Dispute be followed if a conflict is found?<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level2 lfo19">
<span lang="EN">Currently this tool is just being used to gather the data, and do the initial investigation. This will not be used for any issuance gating.<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo19">
<span lang="EN">Problem statement needs to be updated to reflect that organizational names are not globally unique and not EV names<o:p></o:p></span></li></ul>
<h2 id="Validation_Working_Group_Update"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Validation Working Group Update<o:p></o:p></span></h2>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Presenter</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: Tim <strong><span style="font-family:"Calibri",sans-serif">Minute
Taker</span></strong>: Wayne<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Met for 4 hours on Tuesday. Notes of the meeting were distributed on the WG mail list.<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo20">
<span lang="EN">Discussed GDPR’s effect on WHOIS. Potential solution is allowing domain owners to communicate contact information in WHOIS. SOA records can include an email field and the BRs currently allow this email address to be used. Also discussed placing
email address and phone number in CAA records and the steps that need to be taken to allow that to happen via IANA and IETF.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo20">
<span lang="EN">Discussed 2 versions of ballot 225 that proposed improved operational existence requirements for EV. Discussed reliability of QIIS’. There was disagreement on what problem these improvements are intended to solve.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo20">
<span lang="EN">Discussed status of findings from Validation Summit in Virginia, focusing on how to avoid pitfalls of some methods.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo20">
<span lang="EN">Discussed CAs disclosing the validation method used in the certificate, and how to allow domain registrants to use CAA records to specify allowable domain validation methods - preferably with human-readable names rather than OIDs.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo20">
<span lang="EN">Priorities for the group are adding and updating domain validation methods, and specifying domain control methods in CAA and certs.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo20">
<span lang="EN">Curt suggested that browsers could convert validation method OIDs in certs into friendly names.<o:p></o:p></span></li></ul>
<h2 id="Plenary_discussion_of_Validation_Improvements"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Plenary discussion of Validation Improvements<o:p></o:p></span></h2>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Presenter</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: Tim <strong><span style="font-family:"Calibri",sans-serif">Minute
Taker</span></strong>: Wayne<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Refer to the Validation Working Group Update above. There was no further discussion on this topic.<o:p></o:p></span></p>
<h1 id="Day_2"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Day 2<o:p></o:p></span></h1>
<h2 id="Governance_Change_Working_Group_Update"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Governance Change Working Group Update<o:p></o:p></span></h2>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Presenters</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: (Dean, Virginia) <strong><span style="font-family:"Calibri",sans-serif">Minute
Taker</span></strong>: Bruce<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Ballot 165 was approved. The result is a change in governance of the CAB Forum to allow other topics to be covered. All members need to re-sign the new IPR agreement by 3
July 2018. Many members have not yet signed to date. Dean read the list of non-signed members.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">The status of members who don’t sign was discussed. This issue should be discussed with Virginia or on the Governance list. Of course the IPR agreement can be signed anytime
in the future.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Working Group mission should be completed after July 3rd and will probably disband before the next face-to-face.<o:p></o:p></span></p>
<h2 id="Policy_Review_Working_Group_Update"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Policy Review Working Group Update<o:p></o:p></span></h2>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Presenters</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: (Dimitris, Ben) <strong><span style="font-family:"Calibri",sans-serif">Minute
Taker</span></strong>: Ben<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">The Policy Review WG was formed to review the Forum’s guideline documents (Baseline Requirements and EV Guidelines) for consistency with RFC 3647 and other industry standards.
One of the tasks over the past year has been to review the use of the term “CA” and to distinguish between when we are referring to it as an organization versus when it is used to refer to the system that issues certificates. A remaining task before this
can go forward as a ballot will be to review the definition of CA to ensure that it refers to the combination of a unique key pair and the CA name as the logical CA entity. We will review the use of the term “CA” in sections 5, 6 and 7, and the language around
that. Then we will come back to the Forum for input.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Also, with the new Bylaws the Policy Review Working Group has the option to continue for a period or become a committee of the Server Certificate Working Group. Members
of the WG were thinking that because the WG has dealt mainly with guidelines dealing with server certificates that it would become a committee of the Server Certificate Working Group.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Also, the WG discussed the effort to convert the EV Guidelines to RFC 3647 format. Options included merging the EV Guidelines with the Baseline Requirements, keeping them
separate, or converting the EVGs to RFC 3647 outline and then aligning them and comparing them side-by-side with the Baseline Requirements. The WG anticipates that the latter approach of aligning and comparing the two will be the next step.<o:p></o:p></span></p>
<h2 id="Network_Security_Working_Group_Update"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Network Security Working Group Update<o:p></o:p></span></h2>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Presenters</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: (Ben Wilson, DigiCert; Tim Hollebeek, DigiCert; Dimitris Zacharopoulos,
HARICA) <strong><span style="font-family:"Calibri",sans-serif">Minute Taker</span></strong>: Trevoli Ponds-White, Amazon Trust Services<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">The charter of the group was to take a look at the Networking Security Requirements and come back with a recommendation to keep, amend, replace, or repeal them. Informally
the group decided to amend them. Once the group recognized this they began working on trying to improve them by amending them. However the group still needs to create the core deliverable which is a document that is a summary of the work done, learnings acquired,
and the recommendation.<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l10 level1 lfo21">
<span lang="EN">Question: Kirk Hall, Entrust Datacard - What is the feeling of the people working on this on how quickly we can make changes?<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l10 level2 lfo21">
<span lang="EN">Answer: Ben, Dimitris, Tim - The work will continue in the server certificate working group. Originally the group proposed a 3 month plan, but after discussion they are going in a different direction. First, start with improving the definitions.
Then look at other standards, look at a threat model, and rework the requirements. Additionally the group needs a plan to maintain the networking security requirements going forward, should it rely on another standard or group? However there has already been
research that shows there isn't another standard that can easily be used. The group also encourages more people to join to drive requirements; there are only 7 or 8 people participating in the group currently.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l10 level2 lfo21">
<span lang="EN">Follow-up Question: Ryan Sleevi, Google - People likely don't participate because the group feels like it has a high bar of entry due to the undocumented knowledge that has been gained by the participants in the group. So the report will be
critical. Also for figuring out what should change it's recommended that the group should start with what are the potential threats that are not yet covered in the baseline requirements and target improvements there. When we do look at other standards and
documentation they should be as an input to the identified threats in the threat model. The threat model approach will allow the group to prioritize and focus.<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;margin-top:6.0pt;mso-margin-bottom-alt:auto;mso-list:l10 level1 lfo21">
<span lang="EN">Question: Kirk - Does the group have a large portion of members that don't participate and what can be done to engage more participation?<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l10 level2 lfo21">
<span lang="EN">Answer: Tim - The group uses multiple forms of communication, please participate.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l10 level2 lfo21">
<span lang="EN">Follow Up Comment: Kirk - Send out an email to the list to encourage people to be vocal about what they are interested in working on.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l10 level2 lfo21">
<span lang="EN">Follow Up Comment: People can do ballots if they have targeted things they are interested in.<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;margin-top:6.0pt;mso-margin-bottom-alt:auto;mso-list:l10 level1 lfo21">
<span lang="EN">Question: Kurt - Is ballot 221 on 2FA and passwords coming back?<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l10 level2 lfo21">
<span lang="EN">Answer: Tim - Yes, it will be reworked to be more clear and have a redline. Members please read the draft before voting.<o:p></o:p></span></li></ul>
</li></ul>
<h2 id="Discussion_of_Relevance_of_the_European_GDPR_to_Trust_Services"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Discussion of Relevance of the European GDPR to Trust Services<o:p></o:p></span></h2>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Presenter</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: (Arno) <strong><span style="font-family:"Calibri",sans-serif">Minute
Taker</span></strong>: Tony<o:p></o:p></span></p>
<p class="line862"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Arno introduced the discussion on the GDPR, indicating that the regulations had been in the public domain since 2016. AF presented Sections 30/32, highlighting the TSP’s duty
with respect to records, the data subject’s right to assert claim over their data, and the requirement on the TSP to maintain a risk management program as regards data. AF described the requirement of “Controllers” and “Processors” not in the EU to appoint
a representative in the EU as regards data protection. These services are available from third parties in the event that the TSP does not appoint internally, but details of the representative must be prominently displayed on the TSP’s website. Best practice is
available from BITKOM Germany: <a href="https://www.bitkom.org/Bitkom/Publikationen/The-Processing-Records-Records-of-Processing-Activities-according-to-Art-30-General-Data-Protection-Regulation-GDPR.html"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://www.bitkom.org/Bitkom/Publikationen/The-Processing-Records-Records-of-Processing-Activities-according-to-Art-30-General-Data-Protection-Regulation-GDPR.html</span></a><o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">General Discussion of the GDPR<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">KH – How does representative comply? AF – Representative is contact – TSP does not comply just by appointing representative, but certain details [shown on slide from BITKOM]
must be displayed.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">RA – TSP is obliged to appoint representative. PHB – Although regulations have been in the making for the last 7 years, some DPOs will only be learning of these at the last
minute. AF – Under Roman Law, the law is published and people SHOULD be aware. Note – PRIVACY DIRECTIVE from the EU is coming!<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">DZ – (Regarding information transfer) Data subject has the ability to request transfer of data from one TSP to another? KH – Is this transfer and delete or copy? RA – Data
Subject has the right to be forgotten. Discussion took place on the potential conflict of GDPR with responsibilities of a CA<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Bruce – BRs are compliant with GDPR, but may have to review profiles, validation data retained. PHB – We need to be aware of GDPR (and similar) when designing new technology.
TPW – TSPs should be compliant generally – we have processes for retention and safeguarding of information anyway, and we should be aware that we should only keep data we need and scrub data we do not need.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">RS – TSPs should discuss the matter with Counsel. It is not the place of the forum to provide legal advice to members. Key is really system design with respect to data access.
BRs do not need to change.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Dimitri – Regarding Data Retention in contravention of a Subject’s request to delete … Is compliance with BRs/Industry best practice a “Legal Basis” to allow override of
request to delete?<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Further discussions: GDPR applies to “natural persons” • Is an IP address personal data? • Is there any impact on CT Logs? • Make up your own mind! • Article 17 gives some
ability to work around the general provisions of “Right to be Forgotten”. Concludes with “seek your own Counsel (Legal Advice) and bring specific concerns to the Forum (as regards potential changes required for the BRs)”.<o:p></o:p></span></p>
<h2 id="New_S.2FMIME_Working_Group_Charter"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">New S/MIME Working Group Charter<o:p></o:p></span></h2>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Presenter</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: (Tim) <strong><span style="font-family:"Calibri",sans-serif">Minute
Taker</span></strong>: Cecilia<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Tim discussed an email he sent to the Public Discussion list titled: [cabfpub] For Discussion: S/MIME Working Group Charter. S/MIME should be the simpler of the two proposed
working groups. Most of the issues for this charter were discussed in the Code Signing one. There's not a good forum to discuss S/MIME issues, which is why the formation of a working group could help with policy around issuance. IETF only does technical standards.
Currently, we are unable to confirm if any S/MIME certs are misissued. The formation of this group could help identify that. There was some discussion on how you are allowed to authenticate the subject and standardizing form for S/MIME certs. Currently the
draft email thread is long. Next step is for Tim to recap and finalize the charter scope. Tim will circulate to the mailing list when ready.<o:p></o:p></span></p>
<h2 id="New_Code_Signing_Working_Group_Charter"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">New Code Signing Working Group Charter<o:p></o:p></span></h2>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Presenter</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: (Tim) <strong><span style="font-family:"Calibri",sans-serif">Minute
Taker</span></strong>: Dean<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Tim Hollebeek-presenter<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Tim had sent the draft charter to the list a few weeks ago.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Previously there was a set of CS guidelines developed but not adopted by the Forum.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Governance reform gives the ability to create a new, chartered working group.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Tim read the draft charter out loud and asked for feedback.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Ryan H - What about the topic of best practices? Tim H - yes, that could be included.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Ryan S - Regarding scope, it would be good to identify the work and then define the working group. Ryan H - perhaps not make it platform specific. Tim H - We don't want to
modify the Net Sec guidelines nor make it platform specific. Ryan S - If your goal is not to modify the Net Sec guidelines but to make recommendations, it should be ok. But again, should review what the current problems are. Bailey - we would be more interested
in a best practices document (not a profile). Tim - it's possible to contribute but not adopt, if that is your concern. Ryan S - but then you may have IP rights as an issue. Dean - Other code signing consumers outside of the current membership may be interested
in joining such a working group (such as Oracle or Adobe). Wayne - Perhaps form the working group with limited charter and revisit depending on who participates to expand charter. Bruce - We need to fix the current document. Ryan - Can't CASC work on it? Bruce
- We have 2 code signing docs: EV and regular code signing. CASC is just hosting the latter.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Discussion on who should participate in a working group and what user agents would be involved.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Jeremy - can we have a group with only CAs? Ryan H - the bylaws permit that but is it in best interests of all? Ryan S - We don't want this to be like PKIX WG which went
down a rat hole. Ryan H - or harm brand/reputation of CABF. Wayne - I'm arguing for a narrow scope for now.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Tim-In conclusion, we'd like to continue to have this discussion to modify the scope as appropriate.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Kirk - why would anyone participate if they don't know the scope of the group? Wayne - Start with a charter that outlines it and broadcast it. Ryan S - Keeping scope narrow allows
for broader participation by a variety of IP holders who can then withdraw if the scope gets more defined.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Kirk - we passed the new bylaws because we had a large number of CAs that know code signing and already know what to do. Ryan S - From Google's perspective, there are alternatives
that should be considered. Ryan H - We would participate if it was possible but as defined it is not possible. Tim - We would like to have all participate so continued discussion is likely. Kirk - Publish to public list to gather more data from groups outside
of the forum. Tim - We will continue the discussion on the list.<o:p></o:p></span></p>
<h2 id="Guest_Speaker:_SSL_State_of_the_Union"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Guest Speaker: SSL State of the Union<o:p></o:p></span></h2>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Presenter</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: (Robert Duncan, Netcraft) No Minutes<o:p></o:p></span></p>
<h2 id="Reviving_Ballot_213_-_Revocation_Timeline_Extension"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Reviving Ballot 213 - Revocation Timeline Extension<o:p></o:p></span></h2>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Presenter</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: (Wayne) <strong><span style="font-family:"Calibri",sans-serif">Minute
Taker</span></strong>: Leo<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level1 lfo22">
<span lang="EN">4.9.1.1 amendment<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level1 lfo22">
<span lang="EN">Meant to assist CAs in accommodating subscribers so that a cert is not unnecessarily or inconveniently revoked, causing the site to abruptly go down (on a Friday evening for instance)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level1 lfo22">
<span lang="EN">Must revoke within 5 days<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level1 lfo22">
<span lang="EN">should revoke within 24 hours<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level1 lfo22">
<span lang="EN">4 cases where must revoke in 24 hours:<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level2 lfo22">
<span lang="EN">subscriber requests revocation in writing<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level2 lfo22">
<span lang="EN">compromised private key<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level2 lfo22">
<span lang="EN">CA determines cert is not authorized to be issued<o:p></o:p></span></li></ul>
</li></ul>
<p class="line862" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l23 level1 lfo22">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">(<strong><span style="font-family:"Calibri",sans-serif">new</span></strong>)
CA determines faulty validation was used (whether validation method or problematic cctld for example)<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level1 lfo22">
<span lang="EN">proposed - CA shall support all the validation methods to verify "owner" can request revocation, but getting pushback because not all CAs support all validation methods<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level1 lfo22">
<span lang="EN">slippery slope on revoking certs on sites with "misleading" information<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level1 lfo22">
<span lang="EN">remove subsection 13, doesn't make sense as it applies to intermediate certs<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level1 lfo22">
<span lang="EN">4.9.5 amendment<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level2 lfo22">
<span lang="EN">require acknowledgment and preliminary investigation and report back to person that reported the problem within 24 hours<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;margin-top:6.0pt;mso-margin-bottom-alt:auto;mso-list:l23 level1 lfo22">
<span lang="EN">"Misuse" Definition and Usage Debate<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level2 lfo22">
<span lang="EN">Ryan S - dropping ambiguous definition of "misuse" since it's not "crisp" enough on clarity<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level2 lfo22">
<span lang="EN">Kirk and Dimitris - debated philosophically about defining "misuse" to include sites distributing "malware", phishing, etc.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level2 lfo22">
<span lang="EN">Ryan S - legacy vs modern CAs differ on what "misuse" means<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level2 lfo22">
<span lang="EN">Kirk - auditors never complained about this, proposed that this definition has worked fine thus far. Objects to the definition change.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level2 lfo22">
<span lang="EN">Wayne - disagrees with Kirk, asking for better definition<o:p></o:p></span></li></ul>
</li></ul>
<p class="line862" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:1.0in;text-indent:-.25in;mso-list:l23 level2 lfo22">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:"Courier New";color:black"><span style="mso-list:Ignore">o<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Ryan S - this definition change does not impact current CA operations, but says the current definition is causing problems. People on msdp have posted questions
on "what is misuse?" (see <a href="https://cabforum.org/pipermail/public/2018-June/013547.html"><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">https://cabforum.org/pipermail/public/2018-June/013547.html</span></a> )<o:p></o:p></span></p>
<ul type="disc">
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level2 lfo22">
<span lang="EN">Geoff - sounds familiar, this was debated last year<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level2 lfo22">
<span lang="EN">Wayne - will put something forth that hopefully most everyone can agree on<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l23 level2 lfo22">
<span lang="EN">lively debate, discussion will continue<o:p></o:p></span></li></ul>
</ul>
<h2 id="Requiring_IPR_Agreements_from_Associate_Member_Representatives.3B_attendance_at_Forum_meetings_of_representative_of_separate_CA_manager">
<span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Requiring IPR Agreements from Associate Member Representatives; attendance at Forum meetings of representative of separate CA manager<o:p></o:p></span></h2>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Presenter</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: (Kirk) <strong><span style="font-family:"Calibri",sans-serif">Minute
Taker</span></strong>: Ben<o:p></o:p></span></p>
<p class="line862"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">This agenda item was for discussion of who should sign the new IPR Agreement. One position might be that everyone needs to sign the IPR Agreement—every representative of
a Member, Associate Member, or Interested Party. While this might be technically right, from a practical standpoint this hasn’t been what we have done. The Bylaws provide that as a condition of membership, Members must sign the IPR Agreement. All Interested
Parties must sign the IPR Agreement to get whatever benefit there is when being an Interested Party. Then there are Associate Members, which consist of organizations who we find useful to our work—ETSI, WebTrust, ACAB’C, and a few others. ETSI has a prohibition
on signing the Agreement because the CAB Forum is not a legal entity, it is just a name. In 2009 ETSI signed a letter of understanding instead, which we accepted and continue to accept for them so that they can continue as an Associate Member. One issue that
the Chair considered when receiving these new IPR Agreements was determining the official representatives of the Associate Members. The solution would be for the Associate Members to identify their official representatives. They should be able to update their
list at any time. The purpose is to have a list by which we can confirm representation whenever someone walks through the door. If they are not a representative, then they can participate as Interested Parties. The Bylaws provide that “Interested Parties and
others may be invited by the Chair, in the Chair’s discretion, to participate in those portions of Forum Teleconferences and Forum Meetings that are relevant to their expertise or their participation in a CWG.”<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Kirk presented a strawman proposal that for the official representatives of Associate Members we do not require their firms to sign the IPR Agreement. Ryan suggested that
IP legal counsel were key to the discussion. Ben asked what we would do about ETSI and whether anyone appearing on behalf of ETSI would be willing to sign the IPR Agreement as an individual, in situations where we cannot get the Associate Member to sign the
IPR Agreement. Nick stated that, as referenced previously, for ETSI to sign a legal agreement it needs an entity to sign with. ETSI’s IPR Policy requires disclosures and has a requirement for reasonable licensing but not free licensing. So that has created
problems before when ETSI has tried to establish liaisons. He said that because he is presenting standards, not on behalf of himself or his company, he would have difficulty signing something that said that he was acting as an individual. One possible workaround
is to rely on Forum Members who are also members of ETSI to relay information. There would need to be a disclaimer that information exchanged is not officially from ETSI, but this would make it more difficult to have the free exchange of information as we’ve
done in the past. Sometimes draft ETSI documents will be presented and Forum members will give comments on those documents. Kirk noted that the IPR Agreement isn’t actually with the Forum. The IPR Agreement says, “[it] constitutes a binding contract amongst
all participants of the CAB Forum (“Participants”) that execute the Agreement.” Nick said he could go back to ETSI on this point, but that he doubts that ETSI’s position would change.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Ryan noted that if individuals signed as individuals, they may not hold the IP implicated. For instance with ETSI, ETSI holds the IP. The problem is that today anyone who
presents on a topic could be contributing something that is encumbered by someone else’s IP rights.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Nick noted that when he presents, it’s not he himself or his company, but just the consensus standard that has been developed by ETSI in order to improve the market. If
contributions can’t come from ETSI, they can come from other Forum members like Arno or Dimitris. Something else would have to be arranged for when a presentation is to be made to the Forum.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Discussion followed about whether individuals who sign the IPR agreement would recognize that when they make a contribution, they are representing that the IP is unencumbered
or that they do so with the understanding that they are authorized to share that information. If not, then they are either breaching an agreement with the Forum or breaching an agreement with their employer (or the holder of the IP). If an IPR agreement were
signed by just an employee/individual, and that individual contributes something that the employer holds the IP rights to, then the individual has not entered the employer into the IP agreement. So that is why as a Forum we want to ensure that the company
is obligated under the IPR agreement.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Kirk stated that we need more clarity on these issues and that if we intend to require individuals or employers of Associate Member representatives to sign the IPR Agreement,
it will require a bylaw change. He also said that he doesn’t see much risk in adopting the strawman proposal.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Kirk requested that Governance Reform Working Group provide clarifications on these issues, in light of the upcoming July 3rd transition to a new IPR Policy.<o:p></o:p></span></p>
<h2 id="Subject_information_in_EV_certificates_specified_in_clause_9.2_of_the_EV_Guidelines_and_whether_this_allows_for_the_inclusion_of_X.520_organizationIdentifier">
<span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Subject information in EV certificates specified in clause 9.2 of the EV Guidelines and whether this allows for the inclusion of X.520 organizationIdentifier<o:p></o:p></span></h2>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Presenter</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: (Nick) <strong><span style="font-family:"Calibri",sans-serif">Minute
Taker</span></strong>: Tim<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level1 lfo23">
<span lang="EN">Discussed on call about a month ago and passed on to VWG<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level1 lfo23">
<span lang="EN">Ryan S asked if Nick got notes, and Nick confirmed<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level1 lfo23">
<span lang="EN">Main requirement: to open up EU banks to provide services<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level1 lfo23">
<span lang="EN">Issued as a directive; up to each country on whether or not it adopts<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level1 lfo23">
<span lang="EN">One of the rules is that you have to use qualified certificates for SSL and digital signatures (electronic seal)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level1 lfo23">
<span lang="EN">Allows banks to authenticate and exchange data<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level1 lfo23">
<span lang="EN">Includes requirement to include unique identifier in certificate alongside the name<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level1 lfo23">
<span lang="EN">Banks must provide test interface by March 14, 2019 and be operational by September 14, 2019.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level1 lfo23">
<span lang="EN">Have developed standard for satisfying the requirement, by using the organizationIdentifier attribute of the Subject DN<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level1 lfo23">
<span lang="EN">Defined Format: identifier of value type, country code, dash, identifier number<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level1 lfo23">
<span lang="EN">Highest priority was to secure connection between the third party processor and the bank, which isn't in scope for CA/B Forum. But it is expected that those parties would like to provide the same authorization identifier to their customers.
This provides a hook into ascertaining if this is a bona fide service provider. Is what we're doing going to work in the public domain?<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level1 lfo23">
<span lang="EN">Proposal to extend EV guidelines to explicitly list organizationIdentifier in 9.2.x.<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level2 lfo23">
<span lang="EN">Specific exclusion of NTR as an option since that value should go in serialNumber. Open to removing this if desired.<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level1 lfo23">
<span lang="EN">Questions<o:p></o:p></span></li></ul>
<ul type="disc">
<ol start="1" type="1">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level2 lfo24">
<span lang="EN">Is the text appropriate or reasonable?<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l19 level2 lfo24">
<span lang="EN">How do we handle semantics indicating how you interpret it?<o:p></o:p></span></li></ol>
</ul>
<p class="line862"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Ryan S: How and Why. First part of why is understandable (TPP &lt;-&gt; Bank). Doesn't need to be in publicly-trusted certificates. Second part is crux of question: should this
overlap public PKI? Are you describing bank to browser experience? (Yes, but would like client assistance) Would this provide value? No, without changes to browsers. Sounds unlikely. Would browsers expose additional information to extensions to allow them
to show this? Unknown. How well does this align with security models? (There are people who have the ability to get the information even if it's not shown in the browser. Banking community is asking how can we do this.)<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Marcelo: Believe it is worth looking further into this use case. Private PKI vs. public<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Ryan S: Just because we want a solution doesn't mean it's what you want to use. Important to understand the why.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Marcelo: Can we make certificate not accepted by browser if you include this specific OID? Just an idea.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Tom: Biggest fear of having certification presented to users is no matter how good the specification is there is always a risk that the presentation to the user makes them
think it's safe to do business with that company.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Wayne: This sounds like philosophical arguments against EV rather than about this specific change. How does this change make EV any worse than it is today, if that's your
opinion?<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Moudrick: Isn't this the serial number?<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Nick: No that's the trade register. This is a separate register to do with payment services. Says this trade organization has been approved by financial services agency
in that country.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Adriano: It's not always clear who issued the identifier we put in the EV serialNumber<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Nick: The fact that we're using a structured format is something useful not only for authorization identifier but also useful in general.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Ryan S: There's a whole design question on how, but to Wayne's question: one part of it is understanding what is the goal and the other is to understand what are the possible
consequences. Once we have this identifier as proposed we can have no other usage. What if another organization comes in the future wanting a different use case for the same field?<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Wayne: Seems to reserve this field for ETSI use only. Two ways forward: no, you can't use this field at all (status quo), or reserve it for ETSI and make sure it is extensible,
or reserve it for ETSI and revisit guidelines when/if another request comes along<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Dimitris: Fourth option already defined in ETSI: If it is missing the QC statement extension, it doesn't matter what you put in the field.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Ryan S: Would need to encode those requirements in the EV guidelines as well as the BRs. How do we make sure that the guidelines ensure the lack of ambiguity?<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Nick: Not going to get a total answer today, but is there an opportunity to continue exploring this with the validation working group?<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Tim H: Needless conflicts between individual standards are bad. Looks to be a small problem we should be able to fix. Validation mailing list is probably a good avenue, but
also happy to put on the agenda.<o:p></o:p></span></p>
<p class="line874"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Wayne: Needs a champion to make it happen.<o:p></o:p></span></p>
<h2 id="Schedule_for_Election_of_Forum_Officers"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Schedule for Election of Forum Officers<o:p></o:p></span></h2>
<p class="line867"><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Presenter</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">: (Kirk) <strong><span style="font-family:"Calibri",sans-serif">Minute
Taker</span></strong>: Frank C.<o:p></o:p></span></p>
<p class="line867"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><a href="https://www.cabforum.org/wiki/Meeting%2044%20Minutes?action=AttachFile&do=view&target=Process+for+Election+of+CABF+Officers+-+2018.pdf" title=""><span style="color:#0044AA;border:none windowtext 1.0pt;padding:0in">Process
for Election of CABF Officers - 2018.pdf</span></a><o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l7 level1 lfo25">
<span lang="EN">Kirk – Table parses the bylaws<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l7 level2 lfo25">
<span lang="EN">October 22 is the date for the new officers.<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l7 level1 lfo25">
<span lang="EN">Kirk went over the timelines for elections based off the process document he distributed<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l7 level2 lfo25">
<span lang="EN">In 2016, the process took longer than expected<o:p></o:p></span></li></ul>
</li></ul>
<p class="line862" style="mso-margin-top-alt:3.0pt;margin-right:0in;margin-bottom:3.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l7 level1 lfo25">
<![if !supportLists]><span lang="EN" style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Dimitris – Elections to happen after July 3<sup>rd</sup>, do we need separate elections? Kirk was not sure and will need to look into it.<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l7 level1 lfo25">
<span lang="EN">Dimitris – suggested we do not have voting rules at this time<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l7 level1 lfo25">
<span lang="EN">Tim H. – Working group chair would be forum chair. The group would decide at another time. Forum level is unchanged.<o:p></o:p></span>
<ul type="circle">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l7 level2 lfo25">
<span lang="EN">Server group is different based on the Ballot<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l7 level2 lfo25">
<span lang="EN">There are no rules currently for elections for the server group.<o:p></o:p></span></li></ul>
</li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l7 level1 lfo25">
<span lang="EN">Ryan – Suggested we have 6 months to establish a charter.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l7 level1 lfo25">
<span lang="EN">Kirk – The server group will need to create a process for elections for that group.<o:p></o:p></span></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>