<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Georgia;
panose-1:2 4 5 2 5 4 5 2 3 3;}
@font-face
{font-family:"Times New Roman \(Body CS\)";
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
h1
{mso-style-priority:9;
mso-style-link:"Heading 1 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:24.0pt;
font-family:"Calibri",sans-serif;
font-weight:bold;}
h2
{mso-style-priority:9;
mso-style-link:"Heading 2 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:18.0pt;
font-family:"Calibri",sans-serif;
font-weight:bold;}
h3
{mso-style-priority:9;
mso-style-link:"Heading 3 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:13.5pt;
font-family:"Calibri",sans-serif;
font-weight:bold;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.Heading1Char
{mso-style-name:"Heading 1 Char";
mso-style-priority:9;
mso-style-link:"Heading 1";
font-family:"Calibri",sans-serif;
font-weight:bold;}
span.Heading2Char
{mso-style-name:"Heading 2 Char";
mso-style-priority:9;
mso-style-link:"Heading 2";
font-family:"Calibri",sans-serif;
font-weight:bold;}
span.Heading3Char
{mso-style-name:"Heading 3 Char";
mso-style-priority:9;
mso-style-link:"Heading 3";
font-family:"Calibri",sans-serif;
font-weight:bold;}
p.level1, li.level1, div.level1
{mso-style-name:level1;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle26
{mso-style-type:personal-reply;
font-family:"Georgia",serif;
color:windowtext;
font-weight:normal;
font-style:normal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:417484577;
mso-list-template-ids:-754658484;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1
{mso-list-id:770781200;
mso-list-template-ids:130309954;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2
{mso-list-id:870142544;
mso-list-template-ids:417909140;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3
{mso-list-id:891422650;
mso-list-template-ids:811997100;}
@list l3:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l3:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4
{mso-list-id:1330866411;
mso-list-template-ids:-1660366160;}
@list l4:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l4:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l4:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5
{mso-list-id:1428966642;
mso-list-template-ids:962475666;}
@list l5:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l5:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l5:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l5:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6
{mso-list-id:1505317120;
mso-list-template-ids:1135001112;}
@list l6:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l6:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l6:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l6:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7
{mso-list-id:1571307727;
mso-list-template-ids:-392022026;}
@list l7:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l7:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l7:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l7:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l8
{mso-list-id:1629773280;
mso-list-template-ids:984518390;}
@list l8:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l8:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l8:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l8:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l8:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l8:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l8:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l8:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l8:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l9
{mso-list-id:1670404693;
mso-list-template-ids:1292252842;}
@list l9:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l9:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l9:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l9:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l9:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l9:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l9:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l9:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l9:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10
{mso-list-id:2005736873;
mso-list-template-ids:1243627558;}
@list l10:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l10:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l10:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l10:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style></head><body lang=EN-US link="#0563C1" vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='font-family:"Georgia",serif'>These are now published to the website.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Georgia",serif'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:Consolas;color:black'>-- <br>Jos Purvis (</span><span style='color:black'><a href="mailto:jopurvis@cisco.com"><span style='font-size:9.0pt;font-family:Consolas;color:#954F72'>jopurvis@cisco.com</span></a></span><span style='font-size:9.0pt;font-family:Consolas;color:black'>)<br>.:|:.:|:. cisco systems | Cryptographic Services<br>PGP: 0xFD802FEE07D19105 | Controls & Trust Verification</span><o:p></o:p></p></div><p class=MsoNormal><span style='font-family:"Georgia",serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Georgia",serif'><o:p> </o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:12.0pt;color:black'>From: </span></b><span style='font-size:12.0pt;color:black'>Public <public-bounces@cabforum.org> on behalf of CA/B Forum Public List <public@cabforum.org><br><b>Reply-To: </b>Dean Coclin <dean.coclin@digicert.com>, CA/B Forum Public List <public@cabforum.org><br><b>Date: </b>Tuesday, 17 November, 2020 at 11:43<br><b>To: </b>CA/B Forum Public List <public@cabforum.org><br><b>Subject: </b>[cabfpub] Minutes of F2F 51<o:p></o:p></span></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>Here are the approved minutes of F2F 51, including SCWG:<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><h1>Wednesday, 21 October2020 - Plenary Meeting (Day 1)<o:p></o:p></h1><h2>CA/B Forum Plenary<o:p></o:p></h2><p>The Antitrust statement was read. <o:p></o:p></p><p>Attendees: Doug Beattie, Jeff Ward, Don Sheehy, Ryan Sleevi, Dean Coclin, Atsushi Inaba, Nick France (Sectigo), Dustin Hollenback, Aneta Wojtczak-Iwanicka, Tim Callan, Dimitris Zacharopoulos, Clemens Wanko, Tadahiko Ito, Andreas Henschel, Enrico Entschew, Devon O'Brien, Matthias Wiedenhorst, Eva Van Steenberge, Jos Purvis, Mike Reilly, Karina Sirota, Clint Wilson, Trevoli Ponds-White, Arno Fiedler, Vijay Kumar, Arvind Srinivasan, Saiprasad KP, Bruce Morton, Wayne Thayer, Stephen Davidson, Janet Hines, Hongquan Yin, Peter Miskovic, Hazhar Ismail, Wang Chunlan, Xiu Lei, Leo Grove, Chris Kemmerer, Tom Zermeno, Abdul Hakeem Putra, Ahmad Syafiq MD Zaini, Pedro Fuentes, Tobias Josefowitz, Kathleen Wilson, Ben Wilson, Wendy Brown, Michelle Coon, Li-Chun Chen, Matthias Wiedenhorst, Andrea Holland, Daniela Hood, Clint Wilson, Adrian Mueller, David Kluge, An Yin, Neil Dunbar, Curt Spann, Jan Völkel, Arnold Essing, Paul van Brouwershaven, Hiroshi Sakai, Andrew Whalley, Tim Hollebeek, Sooyoung Eo, Wei YiCai, Rae Ann Gonzales, Mads Henriksveen, Rebecca Kelley, Niko Carpenter, Rich Smith, Doug Hill, Mariusz Kondratowicz, George Sebastian, Aaron Poulsen (Digicert), Eric Mill, Hannah Sokol (Microsoft). <o:p></o:p></p><h3>Approval of CABF Minutes from last teleconference<o:p></o:p></h3><p>The minutes were approved. <o:p></o:p></p><h3>Report from Code Signing Certificate Working Group<o:p></o:p></h3><p><em><span style='font-family:"Calibri",sans-serif'>Presenters:</span></em> Bruce Morton (Entrust Datacard), Dean Coclin (Digicert)<br><em><span style='font-family:"Calibri",sans-serif'>Note Taker:</span></em> Dustin Hollenback (Microsoft) <o:p></o:p></p><p>Dean Coclin presented <o:p></o:p></p><p>Bruce Morton (Entrust Datacard) has been nominated for Vice Chair position <o:p></o:p></p><p>Ballot CSC-4 is approved sent for IPR review. This ballot was mainly to push out some dates for key sizes to move to 3072 bit RSA. <o:p></o:p></p><p>Conditional audit report update <o:p></o:p></p><ul type=disc><li class=level1 style='mso-list:l2 level1 lfo1'>Audit criteria for Code Signing (CS) and EV Code Signing (EVCS) have been merged. <o:p></o:p></li><li class=level1 style='mso-list:l2 level1 lfo1'>Investigating how to handle audits that occurred in between the Code Signing/EV Code Signing reports being created<o:p></o:p></li><li class=level1 style='mso-list:l2 level1 lfo1'>Don Sheehy, Mike Reilly, Karina Sirota, Ian McMillan and a few others will meet on next steps<o:p></o:p></li></ul><p>Time-stamping to be discussed in more detail at next meeting <o:p></o:p></p><p>Parking lot list started. Dean will add updated list here later. It will be discussed at next meeting. <o:p></o:p></p><h3>Report from S/MIME Certificate Working Group<o:p></o:p></h3><p><em><span style='font-family:"Calibri",sans-serif'>Presenters:</span></em> Stephen Davidson (Digicert) <br><em><span style='font-family:"Calibri",sans-serif'>Note Taker:</span></em> Andreas Henschel (D-TRUST) <br><em><span style='font-family:"Calibri",sans-serif'>Presentation:</span></em> <a href="https://cabforum.org/wp-content/uploads/3.SMCWG_cabf-virtual_day2.pdf" title="https://cabforum.org/wp-content/uploads/3.SMCWG_cabf-virtual_day2.pdf">SMCWG Update</a> <o:p></o:p></p><p><strong><span style='font-family:"Calibri",sans-serif'>Notes other than presentation:</span></strong> <o:p></o:p></p><ul type=disc><li class=level1 style='mso-list:l5 level1 lfo2'>Chance to create a worldwide standard because there are a lot of different standards and requirements in place<o:p></o:p></li><li class=level1 style='mso-list:l5 level1 lfo2'>Many discussions within the group on the different use cases of s/mime certificates<o:p></o:p></li><li class=level1 style='mso-list:l5 level1 lfo2'>Creating a parking lot on requirements for later discussions<o:p></o:p></li><li class=level1 style='mso-list:l5 level1 lfo2'>Already identified key issues: key storage, key escrow, key archiving and other aspects of key management<o:p></o:p></li><li class=level1 style='mso-list:l5 level1 lfo2'>First version of the draft: Certificate profiles for leaf and ca certificates, Verification of control over email addresses <o:p></o:p></li><li class=level1 style='mso-list:l5 level1 lfo2'>The main goal of the WG is to create a best practices standard based on the already identified requirements and standards like google, mozilla, etsi, us federal pki, etc.<o:p></o:p></li></ul><p>Discussion after the presentation: <o:p></o:p></p><ul type=disc><li class=level1 style='mso-list:l1 level1 lfo3'>Dean asked, if there are pending member applications to the WG<o:p></o:p></li><li class=level1 style='mso-list:l1 level1 lfo3'>Stephen said, that google joined the WG on the last meeting and other members of the ca/b-forum with interets are welcome to join the WG as well<o:p></o:p></li></ul><h3>Report from Forum Infrastructure subcommittee<o:p></o:p></h3><p><em><span style='font-family:"Calibri",sans-serif'>Presenter:</span></em> Jos Purvis (Cisco) <br><em><span style='font-family:"Calibri",sans-serif'>Note Taker:</span></em> Wayne Thayer (Mozilla) <o:p></o:p></p><ul type=disc><li class=level1 style='mso-list:l8 level1 lfo4'>Jos said that the subcommittee met yesterday and discussed the upcoming separation of the documents repo into separate repos in GitHub, one for each working group. History will be maintained in the migration. Wayne sent an email to the management list describing the plan, and no feedback has been received. The SC plans to make the changes during their Nov 4 meeting.<o:p></o:p></li><li class=level1 style='mso-list:l8 level1 lfo4'>Ryan is working on moving artifact rebuild code from Travis-CI to GitHub actions. He has a prototype in place. When this is in place, we will be able to securely create artifacts upon each pull request, allowing for review of the new Word/pdf documents before merging the pull request.<o:p></o:p></li><li class=level1 style='mso-list:l8 level1 lfo4'>We discussed the need to revamp the current cabforum.org website. We encourage involvement from anyone interested in website design. We also discussed the intended audience, breaking the site into working groups, and cases where the WordPress conversion jumbled content. If you find issues on the site, please report it to an infrastructure SC member or email questions@.<o:p></o:p></li><li class=level1 style='mso-list:l8 level1 lfo4'>Jos said that we are soliciting feedback on the new wiki that we began using about 1 year ago. If you have any comments, please let Jos know.<o:p></o:p></li><li class=level1 style='mso-list:l8 level1 lfo4'>We discussed membership management, which is currently a very manual process. We agreed that this is the next to-do. We want to create a standardized place to request changes first, then implement some automation for implementing the changes.<o:p></o:p></li><li class=level1 style='mso-list:l8 level1 lfo4'>We discussed the migration of the mailing lists from GoDaddy to AWS. GoDaddy is planning this to happen in the next month, but we will do it at a time when there are no ballots in the voting period to ensure that votes are not lost. Please let the SC know if you are planning to bring forth any ballots soon.<o:p></o:p></li><li class=level1 style='mso-list:l8 level1 lfo4'>We moved passwords into Bitwarden so that they are accessible to the SC and WG leaders.<o:p></o:p></li></ul><p>Question in chat: What about group photo from last F2F meeting? Jos said that these photos will be posted to the wiki today. <o:p></o:p></p><h3>Discussion on possible Bylaws issues<o:p></o:p></h3><p><em><span style='font-family:"Calibri",sans-serif'>Presenters:</span></em> Dimitris Zacharopoulos (HARICA) <br><em><span style='font-family:"Calibri",sans-serif'>Note Taker:</span></em> Dean Coclin (Digicert) <o:p></o:p></p><p>Most of these issues were tackled during a recent Bylaws update. <o:p></o:p></p><p>Issue 1: Who must sign the IPR Agreement?<o:p></o:p></p><p>Issue 2: Consider removing the need to “READ” the antitrust statement before each meeting<o:p></o:p></p><p>Issue 3: Consider adding minimum days for review of minutes for regular teleconferences and F2F meetings<o:p></o:p></p><p>Issue 4: Consider review and alignment of WG Charters <o:p></o:p></p><p>Issue 5: Resolve ambiguity for where to send/post CWG minutes <o:p></o:p></p><p>We have a <a href="https://docs.google.com/document/d/1EtrIy3F5cPge0_M-C8J6fe72KcVI8H5Q_2S6S31ynU0/" title="https://docs.google.com/document/d/1EtrIy3F5cPge0_M-C8J6fe72KcVI8H5Q_2S6S31ynU0/">doc listing open Bylaws issues</a> <o:p></o:p></p><h3>Summary of accomplishments (2018-11-01 to 2020-10-31)<o:p></o:p></h3><p><em><span style='font-family:"Calibri",sans-serif'>Presenters:</span></em> Dimitris Zacharopoulos (HARICA) <br><em><span style='font-family:"Calibri",sans-serif'>Note Taker:</span></em> Dean Coclin (Digicert) <br><em><span style='font-family:"Calibri",sans-serif'>Presentation:</span></em> <a href="https://cabforum.org/wp-content/uploads/6.CABF51-Summary-of-accomplishments-2018-11-01-to-2020-10-31.pdf" title="https://cabforum.org/wp-content/uploads/6.CABF51-Summary-of-accomplishments-2018-11-01-to-2020-10-31.pdf">Summary of accomplishments 2018-11-01 to 2020-10-31</a> <o:p></o:p></p><h3>Guest Speaker #1<o:p></o:p></h3><p><em><span style='font-family:"Calibri",sans-serif'>Presenters:</span></em> Doug Hill (RealRandom) <br><em><span style='font-family:"Calibri",sans-serif'>Presentation:</span></em> <a href="https://cabforum.org/wp-content/uploads/7.Cab_rr_entropy_authority_douglass_s_changes_2020-10-20_.pdf" title="https://cabforum.org/wp-content/uploads/7.Cab_rr_entropy_authority_douglass_s_changes_2020-10-20_.pdf">What's All the Fuss About Randomness</a> <o:p></o:p></p><h3>Any Other Business<o:p></o:p></h3><p>No other business was discussed. <o:p></o:p></p><p>Adjourned <o:p></o:p></p><h2>Server Certificate WG Plenary<o:p></o:p></h2><p>Attendees: Doug Beattie, Jeff Ward, Don Sheehy, Ryan Sleevi, Dean Coclin, Atsushi Inaba, Nick France (Sectigo), Dustin Hollenback, Aneta Wojtczak-Iwanicka, Tim Callan, Dimitris Zacharopoulos, Clemens Wanko, Tadahiko Ito, Andreas Henschel, Enrico Entschew, Devon O'Brien, Matthias Wiedenhorst, Eva Van Steenberge, Jos Purvis, Mike Reilly, Karina Sirota, Clint Wilson, Trevoli Ponds-White, Arno Fiedler, Vijay Kumar, Arvind Srinivasan, Saiprasad KP, Bruce Morton, Wayne Thayer, Stephen Davidson, Janet Hines, Hongquan Yin, Peter Miskovic, Hazhar Ismail, Wang Chunlan, Xiu Lei, Leo Grove, Chris Kemmerer, Tom Zermeno, Abdul Hakeem Putra, Ahmad Syafiq MD Zaini, Pedro Fuentes, Tobias Josefowitz, Kathleen Wilson, Ben Wilson, Wendy Brown, Michelle Coon, Li-Chun Chen, Matthias Wiedenhorst, Andrea Holland, Daniela Hood, Clint Wilson, Adrian Mueller, David Kluge, An Yin, Neil Dunbar, Curt Spann, Jan Völkel, Arnold Essing, Paul van Brouwershaven, Hiroshi Sakai, Andrew Whalley, Tim Hollebeek, Sooyoung Eo, Wei YiCai, Rae Ann Gonzales, Mads Henriksveen, Rebecca Kelley, Niko Carpenter, Rich Smith, Doug Hill, Mariusz Kondratowicz, George Sebastian, Aaron Poulsen (Digicert), Eric Mill, Hannah Sokol (Microsoft). <o:p></o:p></p><h3>Approval of SCWG Minutes from last teleconference<o:p></o:p></h3><p>The minutes were approved. <o:p></o:p></p><h3>Apple Root Program Update<o:p></o:p></h3><p><em><span style='font-family:"Calibri",sans-serif'>Presenter:</span></em> Clint Wilson (Apple) <br><em><span style='font-family:"Calibri",sans-serif'>Note Taker:</span></em> Curt Spann (Apple) <br><em><span style='font-family:"Calibri",sans-serif'>Presentation:</span></em> <a href="https://cabforum.org/wp-content/uploads/9.2020-October-CABF-Apple.pdf" title="https://cabforum.org/wp-content/uploads/9.2020-October-CABF-Apple.pdf">Apple Root Program Update</a> <o:p></o:p></p><ul type=disc><li class=level1 style='mso-list:l7 level1 lfo5'>Presentation about Apple’s Root Program updates presented by Clint Wilson<o:p></o:p></li><li class=level1 style='mso-list:l7 level1 lfo5'>A recap of upcoming changes to the Apple CT Policy (see presentation for details)<o:p></o:p></li><li class=level1 style='mso-list:l7 level1 lfo5'>Timeline for new CT Policy: April 1, 2021<o:p></o:p></li></ul><p>Discussion/Questions <o:p></o:p></p><p>Are the changes going to be published somewhere? <o:p></o:p></p><ul type=disc><li class=level1 style='mso-list:l0 level1 lfo6'>Been published in the CT Policy mailing list<o:p></o:p></li><li class=level1 style='mso-list:l0 level1 lfo6'>Will also be published to Apple’s CT Policy page<o:p></o:p></li></ul><p>What is the audit scheme for SMIME sub CAs chaining up to root trusted for other uses (TLS server auth)? <o:p></o:p></p><ul type=disc><li class=level1 style='mso-list:l9 level1 lfo7'>Apple will provide a response at later time<o:p></o:p></li></ul><p>Details of question from Li-Chun: What is the audit scheme if an intermediate S/MIME CA chain up to a Root with website and secure-email trust bit/EKU ? The intermediate S/MIME CA's CA & EE certificates are with e-mail protection and clientauth EKU. <o:p></o:p></p><ul type=disc><li class=level1 style='mso-list:l10 level1 lfo8'>Besides WebTrust for CA, does this intermediate S/MIME CA need to pass principle 4 of WebTrust for CA-SSL Baseline Requirement with Network Security Audit?<o:p></o:p></li><li class=level1 style='mso-list:l10 level1 lfo8'>Principle 4 of WebTrust for CA-SSL Baseline Requirement with Network Security Audit is corresponding to Network and Certificate System Security Requirements. <o:p></o:p></li><li class=level1 style='mso-list:l10 level1 lfo8'>Or Principle 4 of WebTrust for CA-SSL Baseline Requirement with Network Security Audit is only for a CA with anyEKU in CA certificates but not issues to SSL certificates.<o:p></o:p></li></ul><h3>Cisco Root Program Update<o:p></o:p></h3><p><em><span style='font-family:"Calibri",sans-serif'>Presenter:</span></em> Jos Purvis (Cisco) <br><em><span style='font-family:"Calibri",sans-serif'>Note Taker:</span></em> Vijay Kumar (eMudhra) <o:p></o:p></p><p>Presentation: <a href="https://cabforum.org/wp-content/uploads/10.Cisco-TRSUpdate-F2F51.pdf" title="https://cabforum.org/wp-content/uploads/10.Cisco-TRSUpdate-F2F51.pdf">Cisco Root Program Update</a> <o:p></o:p></p><p><strong><span style='font-family:"Calibri",sans-serif'>Notes other than presentation:</span></strong><br>Conversion to CCADB: This has been happening in Cisco Root Program for about an year now. It has been finished the first wave of conversion to CCADB content in Cisco intersect and union root stores. Cisco is doing its regular releases using CCADB content, which is the primary source for root inclusion now. This is based on the common trust by other trust stores. The next step on this one is to move to principal inclusion instead of trusting other root stores, which needs direct interfacing with CAs. This is tentatively expected by Spring. CAs should expect a brief request from CCADB channels to confirm their continued inclusion in Cisco Trust Stores. We will then be working on third phase, which includes some sort of contractual relationship with CAs that are included.<br>Miscellaneous updates: In reviewing the issues that arose in the summer with OCSP and PKIX no-check OCSP Signer flag issues, the tentative plan at this point is to look at establishing a flag date somewhere in the mid-2021 range, by when CAs need to be fixing this problem for TLS certificate roots that is included in Cisco root program. Will circulate the dates way in advance than the deadline. CAs are to be prepared for the same. Planning to work with CAs one-on-one. Will be sharing more in next face-to-face. <br>Some adjustments to code on intersect and Union, we are doing some more aggressive removal of expiring roots. There were some past problems with Add Trust, etc. What it means is that CAs should be on top of things in getting their newer replacement roots in place, so that it can be made sure that these are included. <o:p></o:p></p><h3>Microsoft Root Program Update<o:p></o:p></h3><p><em><span style='font-family:"Calibri",sans-serif'>Presenter:</span></em> Karina Sirota (Microsoft) <br><em><span style='font-family:"Calibri",sans-serif'>Note Taker:</span></em> Rae Ann Gonzales (GoDaddy) <br><em><span style='font-family:"Calibri",sans-serif'>Presentation:</span></em> <a href="https://cabforum.org/wp-content/uploads/12.Microsoft-CABF-51-Update-PDF.pdf" title="https://cabforum.org/wp-content/uploads/12.Microsoft-CABF-51-Update-PDF.pdf">Microsoft Root Program Update</a> <o:p></o:p></p><p><strong><span style='font-family:"Calibri",sans-serif'>Notes other than presentation:</span></strong> <o:p></o:p></p><p>All key points available in slide deck. <o:p></o:p></p><p>Dimitris asked for more detail on the flighting releases. Karina replied that it is for different MS “rings”, early releases for selected users that want to test what's coming early. <o:p></o:p></p><h3>Google Root Program Update<o:p></o:p></h3><p><em><span style='font-family:"Calibri",sans-serif'>Presenter:</span></em> Eric Mill, Devon O'Brien, Ryan Sleevi (Google) <br><em><span style='font-family:"Calibri",sans-serif'>Note Taker:</span></em> Michelle Coon (OATI) <o:p></o:p></p><p>Presentation: <a href="https://cabforum.org/wp-content/uploads/13.CABF-F2F-51-Chrome-Browser-Update.pdf" title="https://cabforum.org/wp-content/uploads/13.CABF-F2F-51-Chrome-Browser-Update.pdf">Chrome Root Program Update</a> <o:p></o:p></p><p><strong><span style='font-family:"Calibri",sans-serif'>Notes other than presentation:</span></strong> <o:p></o:p></p><p>TLS 1.0/1.1 Deprecation delayed, but still rolled out on schedule. <br>DNS over HTTPS support is not on for everyone by default, but if a browser is already set to use a custom DNS provider, and we know that the custom DNS provider also supports a secure channel, then Chrome will, without changing the provider, enable a secure connection to the user's already chosen DNS provider. <br>Blocking insecure downloads from secure pages - staged plan available in slides and the blog post. <br>Forms on secure page posting to insecure URL - Show strong warning to users within the form before they submit (full page interstitial to confirm they want to submit insecurely). Disable auto-fill; exception for password forms.<br>URL Display Experiment - Attempting to tackle misleading domains (used in phishing and deceptive campaigns). Just show domain name on URL and cut off the full path. Measuring whether or not limiting to just domain name helps with phishing precautions. May also hide the sub-domain depending on length (deceptive use of sub-domains). Results will be out in 2021. <o:p></o:p></p><p>Certificate Transparency<br>Substantive re-write presented at CT days in September. <o:p></o:p></p><ul type=disc><li class=level1 style='mso-list:l4 level1 lfo9'>Sharding required in CT logs in order to become qualified in Chrome.<o:p></o:p></li><li class=level1 style='mso-list:l4 level1 lfo9'>Certificates logged multiple times to a CT log could be issued duplicate SCTs that did not actually then get included in the log.<o:p></o:p></li><li class=level1 style='mso-list:l4 level1 lfo9'>Exclusively embedded SCTs or exclusively OCSP or TLS SCTs - no longer allow via policy “mixed” SCT; rarely used mechanism. Chrome behavior has not changed, but no longer endorsed by policy.<o:p></o:p></li><li class=level1 style='mso-list:l4 level1 lfo9'>Edge and Chrome compatibility with other browser programs.<o:p></o:p></li></ul><p>Chrome Root Program Updates <o:p></o:p></p><ul type=disc><li class=level1 style='mso-list:l3 level1 lfo10'>Revamp of Chrome Root Program Policy.<o:p></o:p></li><li class=level1 style='mso-list:l3 level1 lfo10'>Timeline for Chrome Root Store is TBD yet; follow the root store page.<o:p></o:p></li><li class=level1 style='mso-list:l3 level1 lfo10'>Prioritization for inclusion requests.<o:p></o:p></li></ul><p>Questions: <o:p></o:p></p><p>Dean asked about incident reporting and where to disclose incidents and whether or not this needs to be in addition to disclosure on Mozilla list. Ryan responded that this is in addition to the Mozilla list. <o:p></o:p></p><p>Dean asked how the Chrome Root certificate list was populated. Ryan answered that the principles there are captured within the policy - bolded list. <o:p></o:p></p><p>Doug asked if root policy is only for TLS roots or does it include S/MIME? Ryan said that they are focused on Chrome root policy right now. Primary focus right now is on the roll out of Chrome Certificate Verifier in the Chrome Root Store across the various Chrome platforms. <o:p></o:p></p><p>Doug asked if S/MIME Roots are TBD or inherited from the platform in which the browser is operating? Ryan noted that the browser does nothing with S/MIME today. Doug: Use the roots that are known to be trusted globally and not just Chromium Roots. Ryan: Multiple google root stores for multiple google products and teams. S/MIME is separate as they don't have this in Chrome - close collaboration with other teams and gmail. <o:p></o:p></p><p>Ryan: Prioritizing inclusions of CAs and replacement of CAs, focused on CAs for single trust meaning that for a given certificate and everything beneath it is used for a consistent singular purpose. Previous discussion on having a root trusted for TLS and S/MIME - for Chrome Root Store, ensuring that the hierarchy is for a singular purpose.<br>Andrew mentioned that for S/MIME there are help center articles on the Google workspace admin help center that discuss how they are used in gmail which is managed independently from Chrome. <o:p></o:p></p><h3>Mozilla Root Program Update<o:p></o:p></h3><p><em><span style='font-family:"Calibri",sans-serif'>Presenter:</span></em> Ben Wilson (Mozilla) <br><em><span style='font-family:"Calibri",sans-serif'>Note Taker:</span></em> Neil Dunbar (Trustcor) <br><em><span style='font-family:"Calibri",sans-serif'>Presentation:</span></em> <a href="https://cabforum.org/wp-content/uploads/13.CAB-Forum-October-2020-Mozilla-Update.pdf" title="https://cabforum.org/wp-content/uploads/13.CAB-Forum-October-2020-Mozilla-Update.pdf">Mozilla Root Program Update</a> <o:p></o:p></p><p>Dimitris recommended following any questions with the Mozilla team regarding the Bugzilla CA-compliance statistics, owing to the level of detail in the presentation, and regarding the pressure of maintaining meeting schedule. <o:p></o:p></p><h3>CCADB Update<o:p></o:p></h3><p><em><span style='font-family:"Calibri",sans-serif'>Presenter:</span></em> Kathleen Wilson (Mozilla) <br><em><span style='font-family:"Calibri",sans-serif'>Note Taker:</span></em> Devon O'Brien (Google) <br><em><span style='font-family:"Calibri",sans-serif'>Presentation:</span></em> <a href="https://cabforum.org/wp-content/uploads/14.CCADB-News-CABF-F2F-October-2020.pdf" title="https://cabforum.org/wp-content/uploads/14.CCADB-News-CABF-F2F-October-2020.pdf">CCADB Update</a> <o:p></o:p></p><p>Topics: <o:p></o:p></p><ul type=disc><li class=level1 style='mso-list:l6 level1 lfo11'>Update for multiple CP/CPS documents with a many to many mapping to root certificates<o:p></o:p></li><li class=level1 style='mso-list:l6 level1 lfo11'>Discussion of ALV and guides on how to use<o:p></o:p></li><li class=level1 style='mso-list:l6 level1 lfo11'>Add field called “Full CRL issued by this CA”<o:p></o:p></li></ul><p>Clint: Apple would like CAs to publish links to full CRLs <o:p></o:p></p><p>Discussion being taken to M.D.S.P. due to running behind schedule. <o:p></o:p></p><h3>Report from SCWG Network Security Subcommittee<o:p></o:p></h3><p><em><span style='font-family:"Calibri",sans-serif'>Presenter:</span></em> Neil Dunbar (Trustcor) <br><em><span style='font-family:"Calibri",sans-serif'>Minute Taker:</span></em> Trevoli Ponds-White (Amazon Trust Services) <br><em><span style='font-family:"Calibri",sans-serif'>Presentation:</span></em> <a href="https://cabforum.org/wp-content/uploads/15.NetSec-F2F-51-Summary-Presentation.pdf" title="https://cabforum.org/wp-content/uploads/15.NetSec-F2F-51-Summary-Presentation.pdf">Network Subcommittee Update (Summary)</a> <br><em><span style='font-family:"Calibri",sans-serif'>Presentation:</span></em> <a href="https://cabforum.org/wp-content/uploads/15.NetSec-F2F-51-Main-Presentation.pdf" title="https://cabforum.org/wp-content/uploads/15.NetSec-F2F-51-Main-Presentation.pdf">Network Subcommittee Update (Main)</a> <o:p></o:p></p><p><strong><span style='font-family:"Calibri",sans-serif'>Notes other than presentation:</span></strong><br>A new Net Sec sub team to explore usage of cloud service providers is forming and would like new participants. The Net Sec group will also be re-organizing the meeting schedule for the sub teams to better align with the primary meetings. <o:p></o:p></p><h1>Thursday, 22 October 2020 - Plenary Meeting (Day 2)<o:p></o:p></h1><h2>Server Certificate Working Group<o:p></o:p></h2><p>Attendees: Jeff Ward, Don Sheehy, Ryan Sleevi, Dean Coclin, Atsushi Inaba, Nick France (Sectigo), Dustin Hollenback, Tim Callan, Dimitris Zacharopoulos, Clemens Wanko, Tadahiko Ito, Andreas Henschel, Enrico Entschew, Devon O'Brien, Matthias Wiedenhorst, Eva Van Steenberge, Jos Purvis, Mike Reilly, Karina Sirota, Clint Wilson, Trevoli Ponds-White, Arno Fiedler, Vijay Kumar, Arvind Srinivasan, Saiprasad KP, Bruce Morton, Wayne Thayer, Janet Hines, Hongquan Yin, Peter Miskovic, Hazhar Ismail, Xiu Lei, Leo Grove, Chris Kemmerer, Abdul Hakeem Putra, Ahmad Syafiq MD Zaini, Pedro Fuentes, Tobias Josefowitz, Ben Wilson, Wendy Brown, Michelle Coon, Li-Chun Chen, Matthias Wiedenhorst, Andrea Holland, Daniela Hood, Clint Wilson, Adrian Mueller, David Kluge, Neil Dunbar, Nikolaos Soumelidis, Jan Völkel, Arnold Essing, Paul van Brouwershaven, Hiroshi Sakai, Andrew Whalley, Tim Hollebeek, Wei YiCai, Mads Henriksveen, Rebecca Kelley, Niko Carpenter, Rich Smith, Michael Jahnich, Mariusz Kondratowicz, Aaron Poulsen (Digicert), Tsung-Min Kuo, Julie Olson (Globalsign), Christoph Broter. <o:p></o:p></p><h3>Report from SCWG Validation Subcommittee<o:p></o:p></h3><p><em><span style='font-family:"Calibri",sans-serif'>Presenter:</span></em> Tim Hollebeek (Digicert) <br><em><span style='font-family:"Calibri",sans-serif'>Minute Taker:</span></em> Julie Olson (GlobalSign) <br><em><span style='font-family:"Calibri",sans-serif'>Presentation:</span></em> <a href="https://cabforum.org/wp-content/uploads/16.2020-10-20-Validation-Subcommittee.pdf" title="https://cabforum.org/wp-content/uploads/16.2020-10-20-Validation-Subcommittee.pdf">Validation Subcommittee Update</a> <o:p></o:p></p><p>On the topic of moving from Trello to Github <br>Dean: Is there a way to automatically propagate github to a public list? <br>Tim has asked a few people if there are significant github discussions and has tried to get cross discussions going through that platform, would be a useful resource for all to employ <o:p></o:p></p><p>Dimitris: It’s difficult to follow conversation/discussion on github. From his perspective, it would be better to see changes/proposals on github, but conversations/discussions should be on the mailing list. <o:p></o:p></p><p>Paul VB: Migrating to github is better because keeps everything in one spot. Mailing list doesn't have any search functionality, github is easier to track changes/search for topics. <o:p></o:p></p><p>Tim: Mailing list archives ARE searchable, but not the most intuitive. If the mailing list could automatically insert archived posts in each new message from prior discussion that would be helpful. <o:p></o:p></p><p>Paul: Would also be good to mirror all mailing list discussions to googlegroups. <o:p></o:p></p><p>Ryan: Mailing lists have search functionality. It could be useful to send out digest summaries, google has tools available to accommodate this. There’s room for improvement from infra side and google is researching. You can also subscribe to CABF github and get notified on poll requests etc. <o:p></o:p></p><p>Tim: Will be moving subcommittee items (missed which ones) form trello to github, into appropriate issues, in the next few weeks. <o:p></o:p></p><h3>Report from Quantum Cryptography liaisons<o:p></o:p></h3><p><em><span style='font-family:"Calibri",sans-serif'>Presenters:</span></em> Tadahiko Ito (Secom), Tim Hollebeek (Digicert) <br><em><span style='font-family:"Calibri",sans-serif'>Note Taker:</span></em> Tobias Josefowitz (Opera) <br><em><span style='font-family:"Calibri",sans-serif'>Presentation:</span></em> <a href="https://cabforum.org/wp-content/uploads/17.2020-10-21-PQC.pdf" title="https://cabforum.org/wp-content/uploads/17.2020-10-21-PQC.pdf">Update on Post-Quantum Cryptography</a> <br><em><span style='font-family:"Calibri",sans-serif'>Presentation2:</span></em> <a href="https://cabforum.org/wp-content/uploads/17.2020-10-21-PQC-2.pdf" title="https://cabforum.org/wp-content/uploads/17.2020-10-21-PQC-2.pdf">Update on Post-Quantum Cryptography Tarahiko</a> <o:p></o:p></p><p><strong><span style='font-family:"Calibri",sans-serif'>Notes other than presentation:</span></strong> <o:p></o:p></p><p>(Tim Hollebeek presents (see first Presentation)) <o:p></o:p></p><p>Tim Hollebeek: Questions? <o:p></o:p></p><p>Dimitris: Things are still quite safe? <o:p></o:p></p><p>Tim Hollebeek: Yes, but it is important to keep up to date on this. It depends on your timeline. If you are producing signatures for highly trusted applications that you want to be able to verify ten years into the future, the timeline is suddenly looking a lot less safe. You have to look at individual use cases, they will need different transition dates. <o:p></o:p></p><p>(Tadahiko presents (see second Presentation)) <o:p></o:p></p><p>Dimitris: Is there any algorithm that is a very strong candidate to be used for quantum-safe authentication? Tadahiko: In my opinion, FALCON or DILITHIUM. There are maybe a few more, but there are not that many quantum-safe signature algorithms. <o:p></o:p></p><p>Dimitris: The authentication ones would be the most appropriate and compatible with this working group because we focus on authentication? <o:p></o:p></p><p>Tadahiko: Our authentication data does not have a very long lifetime, it is in fact rather short, so for our use case it may not be extremely relevant yet, in my opinion. <o:p></o:p></p><p>Ryan Sleevi: The term “authentication” might be a bit ambiguous here, we are talking about either key exchange or dignital signatures, and digital signatures is as Tadahiko was saying the question of how long that digital signature needs to be valid. In a TLS exchange for example, digital signature of the key material only needs to be valid minimally for the duration of that session. The digital signature of the certificate used in that negotiation needs to be valid longer, but that is still bounded by say one year. The use of digital signatures for code signing maybe needs to be valid for, say, a decade, and so there are differences there. When we say “authentication”, it may help to be precise here, to talk about “key exchange”, “digital signature”, and how long these things things need to be valid. Dimitris: Thanks for the clarification, that is exactly what I had in mind. I was wondering if there is any differentiation or any different candidate algorithms for this particular case, and for the longterm case, mainly if there is any approach in NIST or other research. <o:p></o:p></p><p>Tadahiko: It seems NIST is concerning itself with the key encryption purpose, but not so much with the digital signature case, so for digital signature, the easiest way is using extended signature schemes. I think hash based signature scheme seems to work a bit better than the next best one, for large inputs. I think we need to think about this; it seems there is not that much discussion about it, currently, and we need to think about it here. <o:p></o:p></p><p>Tim Hollebeek: From my perspective, NIST has started talking the approach that the long term ones are also perfectly appropriate for more shorter termed things, so there is a split between key exchange and signatures and things like that, but other than that they are trying to do something like AES where we have a small number of use case based well-vetted algorithms that work for all of the use cases that they need to, instead of trying to fracture it up and have several different schemes. <o:p></o:p></p><h3>ETSI Update<o:p></o:p></h3><p><em><span style='font-family:"Calibri",sans-serif'>Presenter:</span></em> Arno Fiedler (ETSI ESI) <br><em><span style='font-family:"Calibri",sans-serif'>Note Taker:</span></em> Enrico Entschew (D-TRUST) <br><em><span style='font-family:"Calibri",sans-serif'>Presentation:</span></em> <a href="https://cabforum.org/wp-content/uploads/18.ETSI_ESI_Update_CAB-Forum-10-2020.pdf" title="https://cabforum.org/wp-content/uploads/18.ETSI_ESI_Update_CAB-Forum-10-2020.pdf">ETSI ESI Activities Update</a> <o:p></o:p></p><p><strong><span style='font-family:"Calibri",sans-serif'>Notes other than presentation:</span></strong> All key points available in slide deck. Main highlight for CAB-Forum is the updated version of ETSI TS-119 403-2 (Part 2: Additional requirements for Conformity Assessment Bodies auditing Trust Service Providers that issue Publicly-Trusted Certificates). <o:p></o:p></p><h3>ACAB'c Update<o:p></o:p></h3><p><em><span style='font-family:"Calibri",sans-serif'>Presenters:</span></em> Clemens Wanko (TÜV AUSTRIA) <br><em><span style='font-family:"Calibri",sans-serif'>Minute Taker:</span></em> Mads Henriksveen (Buypass) <br><em><span style='font-family:"Calibri",sans-serif'>Presentation:</span></em> <a href="https://cabforum.org/wp-content/uploads/19.20201022_CABForum_Tokio_ACABc_Slides_01.pdf" title="https://cabforum.org/wp-content/uploads/19.20201022_CABForum_Tokio_ACABc_Slides_01.pdf">ACAB'c Update</a> <o:p></o:p></p><p><strong><span style='font-family:"Calibri",sans-serif'>Notes other than presentation:</span></strong> <o:p></o:p></p><p>No additional discussion. <o:p></o:p></p><h3>WebTrust Update<o:p></o:p></h3><p><em><span style='font-family:"Calibri",sans-serif'>Presenters:</span></em> Jeff Ward (BDO), Don Sheehy (WebTrust)<br><em><span style='font-family:"Calibri",sans-serif'>Minute Taker:</span></em> Andrea Holland (SecureTrust) <br><em><span style='font-family:"Calibri",sans-serif'>Presentation:</span></em> <a href="https://cabforum.org/wp-content/uploads/20.Webtrust-CABF-update-Oct-2020.pdf" title="https://cabforum.org/wp-content/uploads/20.Webtrust-CABF-update-Oct-2020.pdf">WebTrust Update</a> <o:p></o:p></p><p><strong><span style='font-family:"Calibri",sans-serif'>Notes other than presentation:</span></strong> <o:p></o:p></p><p>- WebTrust Temporary Seal is meant to be stop sign or caution sign used if the auditor cannot complete audit procedures within the 90 day deadline due to COVID-19 restrictions. <o:p></o:p></p><p>- Reporting Templates are being updated for consistency of reporting as some standards have changed or been modified slightly. This is in the review stage. <o:p></o:p></p><p>- Updated WebTrust Documents: Discuss effective date with primary certificate users on how these reports are handled for the transition of EV Code Signing merged into Publicly Trusted Code Signing version 2.0. Standard transitional recommendation would be for new audit periods commencing on or after but with an asterisk to contact the certificate users to get agreement on what the transitional report should be for 2020. <o:p></o:p></p><p>- Historically all the WebTrust documents have been on the CPA Canada website this is going to change due to the AODA. CPA Canada decided to only include the latest document on the website and the historical documents will be removed. CPA Canada is working out an effective solution to handle the hyperlinks in the audit reports. One possible solution is a password protected link that is hidden from the public, so that the users of the report can understand what criteria was used. <o:p></o:p></p><p>- CPA Canada figuring out how to handle validating the qualification of auditors. Potential option for practitioner guidance to require passing an exam, this is not expected until late 2021. <o:p></o:p></p><p>No additional discussion. <o:p></o:p></p><h3>Guest Speaker #2<o:p></o:p></h3><p><em><span style='font-family:"Calibri",sans-serif'>Presenters:</span></em> Michael Jahnich (achelos) <br><em><span style='font-family:"Calibri",sans-serif'>Presentation:</span></em> <a href="https://cabforum.org/wp-content/uploads/21.2020-10-22-CAB-Forum-Presentation-achelos.pdf" title="https://cabforum.org/wp-content/uploads/21.2020-10-22-CAB-Forum-Presentation-achelos.pdf">Compliance testing of electronic certificates</a> <o:p></o:p></p><h3>Any Other Business<o:p></o:p></h3><h3>Arrangements for Next Meeting<o:p></o:p></h3><p>Next F2F meeting is taking place Feb-March virtually. <o:p></o:p></p><p>Adjourn. <o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p></div></body></html>