<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body>
    <div class="OutlineElement Ltr BCX2 SCXW100400534" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">Hello,</span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"><br>
          <br>
        </span></p>
    </div>
    <div class="OutlineElement Ltr BCX2 SCXW100400534" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">We deeply appreciate the useful
            discussion in this thread regarding this issue. We
            especially applaud the efforts of HARICA and </span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SpellingErrorV2 SCXW100400534 BCX2">Sectigo</span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"> to independently generate more
            comprehensive lists of potentially affected Debian weak
            keys. As Rob Stradling observed through his crt.sh research
            (20210107,
            <a class="moz-txt-link-freetext" href="https://gist.github.com/robstradling/a5590b6a13218fe561dcb5d5c67932c5">https://gist.github.com/robstradling/a5590b6a13218fe561dcb5d5c67932c5</a>)
            of the five most utilized algorithm/key size populations,
            two are ECC (so not impacted by the Debian weak key issue)
            and three are RSA (</span></span><span data-contrast="auto" style="font-size: 11pt; line-height: 19.425px; font-family:
          Calibri, Calibri_EmbeddedFont, Calibri_MSFontService,
          sans-serif;" class="TextRun SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun ContextualSpellingAndGrammarErrorV2
            SCXW100400534 BCX2">2048, 4096, and 3072 bit</span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"> length, in that order).</span></span><span class="EOP SCXW100400534 BCX2" style="font-size: 11pt;
          line-height: 19.425px; font-family: Calibri,
          Calibri_EmbeddedFont, Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"><br>
          <br>
        </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">As of their most recent messages it
            appears that these two organizations have independently
            generated comprehensive lists identifying all RSA-</span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            ContextualSpellingAndGrammarErrorV2 SCXW100400534 BCX2">2048
            and -4096 bit</span></span><span data-contrast="auto" style="font-size: 11pt; line-height: 19.425px; font-family:
          Calibri, Calibri_EmbeddedFont, Calibri_MSFontService,
          sans-serif;" class="TextRun SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun SCXW100400534 BCX2"> length keys. (We </span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">understand</span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"> RSA-3072 length keys</span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"> are also </span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">available</span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">.) This offers the possibility that
            complete lists, if accepted as authoritative, could be
            accessed by the community to help prevent exploitation of
            this vulnerability.</span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"><br>
          <br>
        </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">It was also noted (by the representative
            from </span></span><span data-contrast="auto" style="font-size: 11pt; line-height: 19.425px; font-family:
          Calibri, Calibri_EmbeddedFont, Calibri_MSFontService,
          sans-serif;" class="TextRun SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun SCXW100400534 BCX2">Let's</span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"> Encrypt) that the ROCA vulnerability is
            presently identified through use of a tool supported
            externally. It was suggested that this resource be archived
            in a manner that ensures availability. (Our proposed
            language points to "<a class="moz-txt-link-freetext" href="https://github.com/crocs-muni/">https://github.com/crocs-muni/</a></span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SpellingErrorV2 SCXW100400534 BCX2">roca</span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"> or equivalent.")</span></span><span class="EOP SCXW100400534 BCX2" style="font-size: 11pt;
          line-height: 19.425px; font-family: Calibri,
          Calibri_EmbeddedFont, Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"><br>
          <br>
        </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">We think our present ballot language
            (reproduced at the end of this message) provides
            appropriately focused guidance to CAs. If available, </span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">we'd</span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"> certainly like to also see the HARICA/</span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SpellingErrorV2 SCXW100400534 BCX2">Sectigo</span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"> lists (which CAs could use for the
            majority of Debian weak key use cases) captured somewhere in
            this ballot language. We are agnostic as to 1) where exactly
            these resources might be maintained and 2) where this ballot
            places directions to these resources - an annex to the
            current requirements, a separate CA/BF guidance document or
            within Sections 4.9.1.1/6.1.1.3.</span></span><span class="EOP SCXW100400534 BCX2" style="font-size: 11pt;
          line-height: 19.425px; font-family: Calibri,
          Calibri_EmbeddedFont, Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}">
          <br>
          <br>
        </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">Our intent is to ensure that 1) clear,
            accurate guidance on CA expectations is provided and 2) any
            resources assisting CAs in meeting these expectations are
            fully described, publicly available (somewhere) and with
            reliable links provided. The language below, we feel, meets
            the first requirement. </span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">We'd</span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"> appreciate input on how to best meet
            the second. (Note that SSL.com would be happy to support the
            community by hosting any of these as </span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">publicly accessible</span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"> resources, whether solo or alongside
            other organizations.)</span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}">
          <br>
          <br>
        </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">Chris K</span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">SSL.com</span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}">
          <br>
          <br>
        </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">=====</span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"></span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">--- Motion Begins ---</span></span><span class="EOP SCXW100400534 BCX2" style="font-size: 11pt;
          line-height: 19.425px; font-family: Calibri,
          Calibri_EmbeddedFont, Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"></span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"></span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">This ballot modifies the “Baseline
            Requirements for the Issuance and Management of
            Publicly-Trusted Certificates” as follows, based on Version
            1.7.</span></span><span data-contrast="auto" style="font-size: 11pt; line-height: 19.425px; font-family:
          Calibri, Calibri_EmbeddedFont, Calibri_MSFontService,
          sans-serif;" class="TextRun SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun SCXW100400534 BCX2">4</span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">:</span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"></span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">Proposed ballot language:</span></span><span class="EOP SCXW100400534 BCX2" style="font-size: 11pt;
          line-height: 19.425px; font-family: Calibri,
          Calibri_EmbeddedFont, Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"></span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif; font-weight: bold;" class="TextRun SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun SCXW100400534 BCX2">4.9.1.1 Reasons for
            Revoking a Subscriber Certificate</span></span><span class="EOP SCXW100400534 BCX2" style="font-size: 11pt;
          line-height: 19.425px; font-family: Calibri,
          Calibri_EmbeddedFont, Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"></span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">Replace:</span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"></span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">4. The CA is made aware of a
            demonstrated or proven method that can easily compute the
            Subscriber’s Private Key based on the Public Key in the
            Certificate (such as a Debian weak key, see
            <a class="moz-txt-link-freetext" href="https://wiki.debian.org/SSLkeys">https://wiki.debian.org/SSLkeys</a>)</span></span><span class="EOP SCXW100400534 BCX2" style="font-size: 11pt;
          line-height: 19.425px; font-family: Calibri,
          Calibri_EmbeddedFont, Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"></span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">With:</span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"></span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">4. The CA is made aware of a
            demonstrated or proven method that can easily compute the
            Subscriber’s Private Key (such as those identified in
            6.1.1.3(4)).</span></span><span class="EOP SCXW100400534
          BCX2" style="font-size: 11pt; line-height: 19.425px;
          font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"></span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">---</span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"></span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif; font-weight: bold;" class="TextRun SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun SCXW100400534 BCX2">6.1.1.3. Subscriber
            Key Pair Generation</span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"></span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">Replace:</span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"></span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">The CA SHALL reject a certificate
            request if one or more of the following conditions are met:</span></span><span class="EOP SCXW100400534 BCX2" style="font-size: 11pt;
          line-height: 19.425px; font-family: Calibri,
          Calibri_EmbeddedFont, Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"></span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">1. The Key Pair does not meet the
            requirements set forth in Section 6.1.5 and/or Section </span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            ContextualSpellingAndGrammarErrorV2 SCXW100400534 BCX2">6.1.6;</span></span><span class="EOP SCXW100400534 BCX2" style="font-size: 11pt;
          line-height: 19.425px; font-family: Calibri,
          Calibri_EmbeddedFont, Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">2. There is clear evidence that the
            specific method used to generate the Private Key was </span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            ContextualSpellingAndGrammarErrorV2 SCXW100400534 BCX2">flawed;</span></span><span class="EOP SCXW100400534 BCX2" style="font-size: 11pt;
          line-height: 19.425px; font-family: Calibri,
          Calibri_EmbeddedFont, Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">3. The CA is aware of a demonstrated or
            proven method that exposes the Applicant's Private Key to </span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            ContextualSpellingAndGrammarErrorV2 SCXW100400534 BCX2">compromise;</span></span><span class="EOP SCXW100400534 BCX2" style="font-size: 11pt;
          line-height: 19.425px; font-family: Calibri,
          Calibri_EmbeddedFont, Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">4. The CA has previously been made aware
            that the Applicant's Private Key has suffered a Key
            Compromise, such as through the provisions of Section </span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            ContextualSpellingAndGrammarErrorV2 SCXW100400534 BCX2">4.9.1.1;</span></span><span class="EOP SCXW100400534 BCX2" style="font-size: 11pt;
          line-height: 19.425px; font-family: Calibri,
          Calibri_EmbeddedFont, Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">5. The CA is aware of a demonstrated or
            proven method to easily compute the Applicant's Private Key
            based on the Public Key (such as a Debian weak key, see
            <a class="moz-txt-link-freetext" href="https://wiki.debian.org/SSLkeys">https://wiki.debian.org/SSLkeys</a>).</span></span><span class="EOP SCXW100400534 BCX2" style="font-size: 11pt;
          line-height: 19.425px; font-family: Calibri,
          Calibri_EmbeddedFont, Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"></span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">With:</span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"></span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">The CA SHALL reject a certificate
            request if one or more of the following occurs:</span></span><span class="EOP SCXW100400534 BCX2" style="font-size: 11pt;
          line-height: 19.425px; font-family: Calibri,
          Calibri_EmbeddedFont, Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"></span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">1) The requested Public Key does not
            meet the requirements set forth in Sections 6.1.5 and/or </span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            ContextualSpellingAndGrammarErrorV2 SCXW100400534 BCX2">6.1.6;</span></span><span class="EOP SCXW100400534 BCX2" style="font-size: 11pt;
          line-height: 19.425px; font-family: Calibri,
          Calibri_EmbeddedFont, Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">2) The CA is aware of a demonstrated or
            proven method that exposes the Subscriber's Private Key to </span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            ContextualSpellingAndGrammarErrorV2 SCXW100400534 BCX2">compromise;</span></span><span class="EOP SCXW100400534 BCX2" style="font-size: 11pt;
          line-height: 19.425px; font-family: Calibri,
          Calibri_EmbeddedFont, Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">3) The CA has previously been made aware
            that the Subscriber's Private Key has suffered a Key
            Compromise, such as through the provisions of Section </span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            ContextualSpellingAndGrammarErrorV2 SCXW100400534 BCX2">4.9.1.1;</span></span><span class="EOP SCXW100400534 BCX2" style="font-size: 11pt;
          line-height: 19.425px; font-family: Calibri,
          Calibri_EmbeddedFont, Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">4) The Public Key corresponds to an
            industry demonstrated weak Private Key, in particular:</span></span><span class="EOP SCXW100400534 BCX2" style="font-size: 11pt;
          line-height: 19.425px; font-family: Calibri,
          Calibri_EmbeddedFont, Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">a) In the case of ROCA vulnerability,
            the CA SHALL reject keys identified by the tools available
            at <a class="moz-txt-link-freetext" href="https://github.com/crocs-muni/roca">https://github.com/crocs-muni/roca</a> or equivalent.</span></span><span class="EOP SCXW100400534 BCX2" style="font-size: 11pt;
          line-height: 19.425px; font-family: Calibri,
          Calibri_EmbeddedFont, Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">b) In the case of Debian weak keys
            (<a class="moz-txt-link-freetext" href="https://wiki.debian.org/SSLkeys">https://wiki.debian.org/SSLkeys</a>), the CA SHALL reject at
            least keys generated by the flawed OpenSSL version with the
            combination of the following parameters:</span></span><span class="EOP SCXW100400534 BCX2" style="font-size: 11pt;
          line-height: 19.425px; font-family: Calibri,
          Calibri_EmbeddedFont, Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"></span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SpellingErrorV2 SCXW100400534 BCX2">i</span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">) Big-endian 32-bit, little-endian
            32-bit, and little-endian 64-bit </span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            ContextualSpellingAndGrammarErrorV2 SCXW100400534 BCX2">architecture;</span></span><span class="EOP SCXW100400534 BCX2" style="font-size: 11pt;
          line-height: 19.425px; font-family: Calibri,
          Calibri_EmbeddedFont, Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">ii) Process ID of 0 to 32767, </span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            ContextualSpellingAndGrammarErrorV2 SCXW100400534 BCX2">inclusive;</span></span><span class="EOP SCXW100400534 BCX2" style="font-size: 11pt;
          line-height: 19.425px; font-family: Calibri,
          Calibri_EmbeddedFont, Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">iii) All RSA Public Key lengths
            supported by the CA up to and including 4096 </span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            ContextualSpellingAndGrammarErrorV2 SCXW100400534 BCX2">bits;</span></span><span class="EOP SCXW100400534 BCX2" style="font-size: 11pt;
          line-height: 19.425px; font-family: Calibri,
          Calibri_EmbeddedFont, Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">iv) </span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SpellingErrorV2 SCXW100400534 BCX2">rnd</span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">, </span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SpellingErrorV2 SCXW100400534 BCX2">nornd</span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">, and </span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SpellingErrorV2 SCXW100400534 BCX2">noreadrnd</span></span><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"> OpenSSL random file state.</span></span><span class="EOP SCXW100400534 BCX2" style="font-size: 11pt;
          line-height: 19.425px; font-family: Calibri,
          Calibri_EmbeddedFont, Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"></span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">For Debian weak keys not covered above,
            the CA SHALL take actions to minimize the probability of
            certificate issuance.</span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2"></span></span><span class="EOP
          SCXW100400534 BCX2" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p>
    </div>
    <div class="OutlineElement Ltr SCXW100400534 BCX2" style="direction:
      ltr;">
      <p class="Paragraph SCXW100400534 BCX2" style="font-weight:
        normal; font-style: normal; vertical-align: baseline;
        background-color: transparent; color: windowtext; text-align:
        left; margin-left: 0px; margin-right: 0px; padding-left: 0px;
        padding-right: 0px; text-indent: 0px;"><span data-contrast="auto" style="font-size: 11pt; line-height:
          19.425px; font-family: Calibri, Calibri_EmbeddedFont,
          Calibri_MSFontService, sans-serif;" class="TextRun
          SCXW100400534 BCX2" lang="EN-US"><span class="NormalTextRun
            SCXW100400534 BCX2">--- Motion Ends ---</span></span><span class="EOP SCXW100400534 BCX2" style="font-size: 11pt;
          line-height: 19.425px; font-family: Calibri,
          Calibri_EmbeddedFont, Calibri_MSFontService, sans-serif;" data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}">
          <br>
        </span></p>
    </div>
    <div class="moz-cite-prefix">On 1/18/2021 3:34 PM, Rob Stradling
      wrote:<br>
    </div>
    <blockquote type="cite" cite="mid:MW3PR17MB41223A5595178F433B5F431DAAA40@MW3PR17MB4122.namprd17.prod.outlook.com">
      
      <style type="text/css" style="display:none;">P {margin-top:0;margin-bottom:0;}</style>
      <div style="font-family: Calibri, Arial, Helvetica, sans-serif;
        font-size: 12pt; color: rgb(0, 0, 0);">
        > I'm mid-way through generating the RSA-4096 keys.</div>
      <div style="font-family: Calibri, Arial, Helvetica, sans-serif;
        font-size: 12pt; color: rgb(0, 0, 0);">
        <br>
      </div>
      <div style="font-family: Calibri, Arial, Helvetica, sans-serif;
        font-size: 12pt; color: rgb(0, 0, 0);">
        The RSA-4096 private keys and blocklists are now in <a href="https://github.com/CVE-2008-0166/private_keys" moz-do-not-send="true">
          https://github.com/CVE-2008-0166/private_keys</a> and <a href="https://github.com/CVE-2008-0166/openssl_blocklists" moz-do-not-send="true">
          https://github.com/CVE-2008-0166/openssl_blocklists</a>.</div>
      <div style="font-family: Calibri, Arial, Helvetica, sans-serif;
        font-size: 12pt; color: rgb(0, 0, 0);">
        <br>
      </div>
      <div style="font-family: Calibri, Arial, Helvetica, sans-serif;
        font-size: 12pt; color: rgb(0, 0, 0);">
        The RSA-2048 and RSA-4096 private keys in <a href="https://github.com/HARICA-official/debian-weak-keys" moz-do-not-send="true">https://github.com/HARICA-official/debian-weak-keys</a> (which
        only covers 2 of the 3 word size / endianness combinations) are
        identical to the equivalents in <a href="https://github.com/CVE-2008-0166/private_keys" moz-do-not-send="true">https://github.com/CVE-2008-0166/private_keys</a>.</div>
      <div>
        <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
          font-size:12pt; color:rgb(0,0,0)">
          <br>
        </div>
        <hr tabindex="-1" style="display:inline-block; width:98%">
        <div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b>
            Dimitris Zacharopoulos (HARICA) <a class="moz-txt-link-rfc2396E" href="mailto:dzacharo@harica.gr"><dzacharo@harica.gr></a><br>
            <b>Sent:</b> 14 January 2021 18:39<br>
            <b>To:</b> Rob Stradling <a class="moz-txt-link-rfc2396E" href="mailto:rob@sectigo.com"><rob@sectigo.com></a>; CA/B Forum
            Server Certificate WG Public Discussion List
            <a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org"><servercert-wg@cabforum.org></a>; Jacob Hoffman-Andrews
            <a class="moz-txt-link-rfc2396E" href="mailto:jsha@letsencrypt.org"><jsha@letsencrypt.org></a>; Christopher Kemmerer
            <a class="moz-txt-link-rfc2396E" href="mailto:chris@ssl.com"><chris@ssl.com></a><br>
            <b>Subject:</b> Re: [Servercert-wg] SCXX Ballot proposal:
            Debian Weak keys</font>
          <div> </div>
        </div>
        <div>
          <div style="background-color:#FAFA03; width:100%;
            border-style:solid; border-color:#000000; border-width:1pt;
            padding:2pt; font-size:10pt; line-height:12pt;
            font-family:'Calibri'; color:Black; text-align:left">
            <span style="color:000000">CAUTION:</span> This email
            originated from outside of the organization. Do not click
            links or open attachments unless you recognize the sender
            and know the content is safe.</div>
          <br>
          <div><br>
            <br>
            <div class="x_moz-cite-prefix">On 14/1/2021 12:30 π.μ., Rob
              Stradling wrote:<br>
            </div>
            <blockquote type="cite">
              <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
                font-size:12pt; color:rgb(0,0,0)">
                Thanks Dmitris.</div>
              <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
                font-size:12pt; color:rgb(0,0,0)">
                <br>
              </div>
              <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
                font-size:12pt; color:rgb(0,0,0)">
                So far I've generated the RSA-2048 and RSA-3072 keys
                using <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FCVE-2008-0166%2Fkey_generator&data=04%7C01%7Crob%40sectigo.com%7Cbd27eeb2c4f24212be2b08d8b8bbbb21%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637462464775248278%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=h6lLKGnPQ%2BVjFki%2FRPVYojQlhnphnaiHOG0RBUv%2F7dY%3D&reserved=0" originalsrc="https://github.com/CVE-2008-0166/key_generator" shash="dYL4UII7m40qf3u0yQ+8/+W/DuaBQ0jFLw9qNkmkjgUzgEV7MuXipdYY7JQGcI7TQpI7UEnpwuvR0ZlqebhP4y88DJNtGMAn8eu92j932xzEgFWppcl716AjSytmx4nZiLLdzyjVcS0lvHLPBGkjdrid2I2nWtqol9OR5zCUgcE=" moz-do-not-send="true">
                  https://github.com/CVE-2008-0166/key_generator</a> and
                uploaded them to <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FCVE-2008-0166%2Fprivate_keys&data=04%7C01%7Crob%40sectigo.com%7Cbd27eeb2c4f24212be2b08d8b8bbbb21%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637462464775258234%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=bdCzSq%2BYw%2BntiCnItW9fOTlGDGfSnp05q75uxjHJTmY%3D&reserved=0" originalsrc="https://github.com/CVE-2008-0166/private_keys" shash="bnbXgdleDzyTfjQ9q/g4E2yiQLyEQjoYqj9DzdXxw2I1A+W9q9XGnj5+307rGKQw86rz1CgeTv1zG7lXnxdq2cUwVJvkH4yQu5SoDOsoCkTd2klBbWy5YiGkNKAsCWUGa3+zwydWW6PjzTQVlnYNCAuEPkHcIE0zzqZnV+yAjW4=" moz-do-not-send="true">
                  https://github.com/CVE-2008-0166/private_keys</a>, and
                I've generated the corresponding blocklists and uploaded
                them to
                <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FCVE-2008-0166%2Fopenssl_blocklists&data=04%7C01%7Crob%40sectigo.com%7Cbd27eeb2c4f24212be2b08d8b8bbbb21%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637462464775258234%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=RYZRTpmNZzW9oMrQr2BD9GnAP%2FAvIN%2FQ9cugZI%2BNwh0%3D&reserved=0" originalsrc="https://github.com/CVE-2008-0166/openssl_blocklists" shash="QnWz80zx01KHGePIDMjcbwj2OlfLmgZDGAe6LczW4uY/WjlSAbzYFN98yDWO3zA0YPOzQFzt3wy8oocIpUDLkK/H2E0yvJvtR3GPghTJswuvRzJWjj39JabR3mbdaRQ2z72jKgjtFjwzHUge3+Y1z7NoAObLRrJ2eILSPvHVanA=" moz-do-not-send="true">
                  https://github.com/CVE-2008-0166/openssl_blocklists</a>. 
                My RSA-2048 blocklists exactly match the ones from the
                original Debian openssl-blacklist package.</div>
              <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
                font-size:12pt; color:rgb(0,0,0)">
                I'm mid-way through generating the RSA-4096 keys.</div>
              <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
                font-size:12pt; color:rgb(0,0,0)">
                <br>
              </div>
              <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
                font-size:12pt; color:rgb(0,0,0)">
                Let's compare keys when we're both done.  <span id="x_🙂">🙂</span></div>
            </blockquote>
            <br>
            Certainly :-) the RSA-2048 keys already match the
            fingerprints from the openssl-blacklist Debian package.<br>
            <br>
            We did this work several months ago but never found the time
            to make it publicly available. We managed to break down the
            big task and run jobs in parallel which made things a bit
            more interesting.<br>
            <br>
            It's nice we did this independently, I guess it increases
            the accuracy level of the resulted keys :)<br>
            <br>
            <br>
            Cheers,<br>
            Dimitris.<br>
            <br>
            <blockquote type="cite">
              <div>
                <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
                  font-size:12pt; color:rgb(0,0,0)">
                  <br>
                </div>
                <hr tabindex="-1" style="display:inline-block;
                  width:98%">
                <div id="x_divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> Dimitris Zacharopoulos
                    (HARICA)
                    <a class="x_moz-txt-link-rfc2396E" href="mailto:dzacharo@harica.gr" moz-do-not-send="true"><dzacharo@harica.gr></a><br>
                    <b>Sent:</b> 13 January 2021 21:49<br>
                    <b>To:</b> Rob Stradling <a class="x_moz-txt-link-rfc2396E" href="mailto:rob@sectigo.com" moz-do-not-send="true">
                      <rob@sectigo.com></a>; CA/B Forum Server
                    Certificate WG Public Discussion List <a class="x_moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org" moz-do-not-send="true">
                      <servercert-wg@cabforum.org></a>; Jacob
                    Hoffman-Andrews <a class="x_moz-txt-link-rfc2396E" href="mailto:jsha@letsencrypt.org" moz-do-not-send="true">
                      <jsha@letsencrypt.org></a>; Christopher
                    Kemmerer <a class="x_moz-txt-link-rfc2396E" href="mailto:chris@ssl.com" moz-do-not-send="true">
                      <chris@ssl.com></a><br>
                    <b>Subject:</b> Re: [Servercert-wg] SCXX Ballot
                    proposal: Debian Weak keys</font>
                  <div> </div>
                </div>
                <div>
                  <div style="background-color:#FAFA03; width:100%;
                    border-style:solid; border-color:#000000;
                    border-width:1pt; padding:2pt; font-size:10pt;
                    line-height:12pt; font-family:'Calibri';
                    color:Black; text-align:left">
                    <span style="color:000000">CAUTION:</span> This
                    email originated from outside of the organization.
                    Do not click links or open attachments unless you
                    recognize the sender and know the content is safe.</div>
                  <br>
                  <div>Dear friends,<br>
                    <br>
                    HARICA has generated the weak keys (RSA 2048 and
                    4096 bit lengths) from the vulnerable openssl
                    package. We will generate 3072 bit keys as well and
                    add them soon. The methodology is described in the
                    following GitHub repo along with the produced keys:<br>
                    <ul>
                      <li><a class="x_x_moz-txt-link-freetext" href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FHARICA-official%2Fdebian-weak-keys&data=04%7C01%7Crob%40sectigo.com%7Cbd27eeb2c4f24212be2b08d8b8bbbb21%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637462464775268186%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=xU%2Bhp%2BIBkFMpongcbCX%2BRNpazBeWZ%2FwAJ7gR8HT8Xtw%3D&reserved=0" originalsrc="https://github.com/HARICA-official/debian-weak-keys" shash="LicOl2Gfki6XaZws5fFX6PY5D1rzCWoB3obtOB6801YS3/C/Dv5vFebpSf79K0j92RtkXWe2QHhEbp9p02AVsPXL/Ob5teTTgnDFEOIvNPM85B35Yqfk+7paWw4tQQvcMD9+O3PINgTHisjURzYGjGfi2tHRm/5NoA/QsBumm9A=" moz-do-not-send="true">https://github.com/HARICA-official/debian-weak-keys</a></li>
                    </ul>
                    Please review and let us know if you spot any issues
                    or problems with our approach and methodology.<br>
                    <br>
                    As always, please use other people's work at your
                    own risk.<br>
                    <br>
                    <br>
                    Dimitris.<br>
                    <br>
                    <div class="x_x_moz-cite-prefix">On 7/1/2021 2:25
                      μ.μ., Rob Stradling via Servercert-wg wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
                        font-size:12pt; color:rgb(0,0,0)">
                        I've used crt.sh to produce a survey of key
                        algorithms/sizes in currently unexpired,
                        publicly-trusted server certificates:</div>
                      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
                        font-size:12pt; color:rgb(0,0,0)">
                        <br>
                      </div>
                      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
                        font-size:12pt; color:rgb(0,0,0)">
                        <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgist.github.com%2Frobstradling%2Fa5590b6a13218fe561dcb5d5c67932c5&data=04%7C01%7Crob%40sectigo.com%7Cbd27eeb2c4f24212be2b08d8b8bbbb21%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637462464775268186%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=rDYvM1B7KhDWct7ORBm66M5idtru2lW7VAvGk8UZFVY%3D&reserved=0" originalsrc="https://gist.github.com/robstradling/a5590b6a13218fe561dcb5d5c67932c5" shash="BxN3/YOqX2fdozG0EpPynRejW31lJaofh0CXD0Y8M19pFEJzkM2cxRBltcCHiClN2Do1uKLtkcmniNnRF76YOFAtFjaajj3vHJVaCOKC81HOgf0gRN1GFn4l2eKv4JPMMUphxo7WAshWNRU1bprJx1f3IpfFg4mowARiomzXDYo=" moz-do-not-send="true">https://gist.github.com/robstradling/a5590b6a13218fe561dcb5d5c67932c5</a><br>
                      </div>
                      <div>
                        <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
                          font-size:12pt; color:rgb(0,0,0)">
                          <br>
                        </div>
                        <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
                          font-size:12pt; color:rgb(0,0,0)">
                          The four most popular choices are no surprise:
                          RSA-2048, P-256, RSA-4096, and P-384. 
                          openssl-blacklist covers RSA-2048 and
                          RSA-4096, and ECC keys are implicitly not
                          Debian weak keys.</div>
                        <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
                          font-size:12pt; color:rgb(0,0,0)">
                          <br>
                        </div>
                        <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
                          font-size:12pt; color:rgb(0,0,0)">
                          <span style="color:rgb(0,0,0);
                            font-family:Calibri,Arial,Helvetica,sans-serif;
                            font-size:12pt">Fifth most popular is
                            RSA-3072, with over 3 million unexpired,
                            publicly-trusted server certs. 
                            openssl-blacklist doesn't cover RSA-3072,
                            but ISTM that this is a key size that CAs
                            will want to permit.</span><br>
                        </div>
                        <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
                          font-size:12pt; color:rgb(0,0,0)">
                          <span style="color:rgb(0,0,0);
                            font-family:Calibri,Arial,Helvetica,sans-serif;
                            font-size:12pt"><br>
                          </span></div>
                        <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
                          font-size:12pt; color:rgb(0,0,0)">
                          Some of the lesser used key sizes are mostly
                          likely due to Subscriber typos (e.g., 2408 and
                          3048 were probably intended to be 2048, 4048
                          was probably intended to be either 2048 or
                          4096, etc), but some of the other ones look
                          like they were deliberately chosen (e.g., 2432
                          is 2048+384).  Is it worth generating Debian
                          weak keys/blocklists for any of these key
                          sizes?</div>
                        <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
                          font-size:12pt; color:rgb(0,0,0)">
                          <span style="color:rgb(0,0,0);
                            font-family:Calibri,Arial,Helvetica,sans-serif;
                            font-size:12pt"><br>
                          </span></div>
                        <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
                          font-size:12pt; color:rgb(0,0,0)">
                          <span style="color:rgb(0,0,0);
                            font-family:Calibri,Arial,Helvetica,sans-serif;
                            font-size:12pt"><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnvlpubs.nist.gov%2Fnistpubs%2FSpecialPublications%2FNIST.SP.800-57pt1r5.pdf&data=04%7C01%7Crob%40sectigo.com%7Cbd27eeb2c4f24212be2b08d8b8bbbb21%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637462464775278149%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=ojfSL3FI8PZNFYyJymIrcbp7yGEzsbwDPcAp9sqod%2B4%3D&reserved=0" originalsrc="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf" shash="kIqxOJjRN8W4k9L0J/60EHwnlfcvWiJcFsgTj3o0E/ybyqZTbjHo+pPnAhI7tTYnsMzcv8TDZjgebyr3A9MITIhuB5Ph+snhPS9le9+K0YLfZExpdQezH0/fkHg3DT5dhexvTKZLo77+ozoEIe4a4xDKHwS0kHSy/O8WPJitajs=" moz-do-not-send="true">https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf</a> (Table
                            4, p59) permits RSA-2048 until the end of
                            2030, whereas </span><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.sogis.eu%2Fdocuments%2Fcc%2Fcrypto%2FSOGIS-Agreed-Cryptographic-Mechanisms-1.2.pdf&data=04%7C01%7Crob%40sectigo.com%7Cbd27eeb2c4f24212be2b08d8b8bbbb21%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637462464775278149%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=bWtdoWny7GbCWI6C2zc89crKs662WgVKPXyAz6iXDK8%3D&reserved=0" originalsrc="https://www.sogis.eu/documents/cc/crypto/SOGIS-Agreed-Cryptographic-Mechanisms-1.2.pdf" shash="aYI6lW0bCN0TRa16YmLlJFUti1krfB0A4tYRGtavfPGIfwmKLWyYyDjUmV+d9CiQcsTieQ7gP/Umm6dgyoJDU4K5RD7ugxZLL3WGLmBB1fUjCdhU3agL56DlP8jPzTQrosumrjTHYA7hnaVRYxGaj5wXiegUTZFYioND/0X+po4=" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt" moz-do-not-send="true">https://www.sogis.eu/documents/cc/crypto/SOGIS-Agreed-Cryptographic-Mechanisms-1.2.pdf</a> per
 mits
                          RSA-2048 only until the end of 2025.  It is of
                          course possible that quantum computing will
                          render RSA obsolete before Subscribers need to
                          think about which larger RSA keysize they want
                          to migrate to; however, it seems prudent to
                          also plan for the possibility that RSA will
                          survive and that some other RSA keysize(s)
                          might become popular.</div>
                        <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
                          font-size:12pt; color:rgb(0,0,0)">
                          <br>
                        </div>
                        <hr tabindex="-1" style="display:inline-block;
                          width:98%">
                        <div id="x_x_divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri,
                            sans-serif" color="#000000"><b>From:</b>
                            Servercert-wg
                            <a class="x_x_moz-txt-link-rfc2396E" href="mailto:servercert-wg-bounces@cabforum.org" moz-do-not-send="true">
                              <servercert-wg-bounces@cabforum.org></a>
                            on behalf of Rob Stradling via Servercert-wg
                            <a class="x_x_moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org" moz-do-not-send="true"><servercert-wg@cabforum.org></a><br>
                            <b>Sent:</b> 06 January 2021 16:08<br>
                            <b>To:</b> Jacob Hoffman-Andrews <a class="x_x_moz-txt-link-rfc2396E" href="mailto:jsha@letsencrypt.org" moz-do-not-send="true">
                              <jsha@letsencrypt.org></a>;
                            Christopher Kemmerer <a class="x_x_moz-txt-link-rfc2396E" href="mailto:chris@ssl.com" moz-do-not-send="true">
                              <chris@ssl.com></a>; CA/B Forum
                            Server Certificate WG Public Discussion List
                            <a class="x_x_moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org" moz-do-not-send="true">
                              <servercert-wg@cabforum.org></a><br>
                            <b>Subject:</b> Re: [Servercert-wg] SCXX
                            Ballot proposal: Debian Weak keys</font>
                          <div> </div>
                        </div>
                        <div dir="ltr">
                          <div style="background-color:#FAFA03;
                            width:100%; border-style:solid;
                            border-color:#000000; border-width:1pt;
                            padding:2pt; font-size:10pt;
                            line-height:12pt; font-family:'Calibri';
                            color:Black; text-align:left">
                            <span style="color:000000">CAUTION:</span>
                            This email originated from outside of the
                            organization. Do not click links or open
                            attachments unless you recognize the sender
                            and know the content is safe.</div>
                          <br>
                          <div>
                            <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
                              font-size:12pt; color:rgb(0,0,0)">
                              <div style="margin:0px; font-size:12pt">Jacob
                                wrote:</div>
                              <div style="margin:0px; font-size:12pt">>
                                Lastly, I think we should archive
                                openssl-blacklist, and include in the
                                BRs: "A CA may reject the full set of
                                Debian weak keys by rejecting this
                                superset of the Debian weak keys:</div>
                              <div style="margin:0px; font-size:12pt">><br>
                                <div>> - All RSA public keys with
                                  modulus lengths other than 2048 or
                                  4096, and</div>
                                <div>> - All RSA public keys with
                                  exponents other than 65537, and</div>
                                <div><br>
                                </div>
                                <div>Hi Jacob.  65537 (aka 0x10001) is
                                  hard-coded here...</div>
                                <div><span style="background-color:rgb(255,255,255);
                                    display:inline!important"><br>
                                  </span></div>
                                <div><span style="background-color:rgb(255,255,255);
                                    display:inline!important"><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fopenssl%2Fopenssl%2Fblob%2FOpenSSL_0_9_8f%2Fapps%2Freq.c%23L768&data=04%7C01%7Crob%40sectigo.com%7Cbd27eeb2c4f24212be2b08d8b8bbbb21%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637462464775288099%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=fcOuxgLtDQdVrRE7opSTMYaox48w5775zx7Ka2mvZkQ%3D&reserved=0" originalsrc="https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/req.c#L768" shash="otuDrXcUlUwjoAzFV485dGD3eXoDqSNMnFGgV24UOoPUyF/+0Jje9Crhc3Qc14oeVYNIBUYHiahFwjgc5S7frYTjc4QL/6KUZtY3enPYBMBN2wyMob19mLN0URd1/79OHiZNBzFvLFFR9kUl84ZNCkpKoBe6ISeEB/rh8f9BM7w=" moz-do-not-send="true">https://github.com/openssl/openssl/blob/OpenSSL_0_9_8f/apps/req.c#L768</a><br>
                                  </span></div>
                                <div><br>
                                </div>
                                <div>Would it therefore be fair to say
                                  that keys with public exponents other
                                  than 65537 are implicitly
                                  <u>not</u> Debian weak keys?</div>
                                <div><br>
                                </div>
                                > - All RSA public keys that are
                                detected as vulnerable by the
                                openssl-vulnkey program in the
                                openssl-blacklist package version 0.5-3
                                (see addendum), or an equivalent
                                program."</div>
                            </div>
                            <div>
                              <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
                                font-size:12pt; color:rgb(0,0,0)">
                                <br>
                              </div>
                              <hr tabindex="-1" style="display:inline-block; width:98%">
                              <div id="x_x_x_divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri,
                                  sans-serif" color="#000000"><b>From:</b>
                                  Servercert-wg
                                  <a class="x_x_moz-txt-link-rfc2396E" href="mailto:servercert-wg-bounces@cabforum.org" moz-do-not-send="true">
<servercert-wg-bounces@cabforum.org></a> on behalf of Jacob
                                  Hoffman-Andrews via Servercert-wg
                                  <a class="x_x_moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org" moz-do-not-send="true"><servercert-wg@cabforum.org></a><br>
                                  <b>Sent:</b> 12 December 2020 02:21<br>
                                  <b>To:</b> Christopher Kemmerer <a class="x_x_moz-txt-link-rfc2396E" href="mailto:chris@ssl.com" moz-do-not-send="true">
                                    <chris@ssl.com></a>; CA/B
                                  Forum Server Certificate WG Public
                                  Discussion List <a class="x_x_moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org" moz-do-not-send="true">
                                    <servercert-wg@cabforum.org></a><br>
                                  <b>Subject:</b> Re: [Servercert-wg]
                                  SCXX Ballot proposal: Debian Weak keys</font>
                                <div> </div>
                              </div>
                              <div>
                                <div style="background-color:#FAFA03;
                                  width:100%; border-style:solid;
                                  border-color:#000000;
                                  border-width:1pt; padding:2pt;
                                  font-size:10pt; line-height:12pt;
                                  font-family:'Calibri'; color:Black;
                                  text-align:left">
                                  <span style="color:000000">CAUTION:</span>
                                  This email originated from outside of
                                  the organization. Do not click links
                                  or open attachments unless you
                                  recognize the sender and know the
                                  content is safe.</div>
                                <br>
                                <div>
                                  <div dir="ltr">Thanks for your
                                    continued efforts to improve this
                                    part of the BRs! Let's Encrypt is in
                                    theory interested in endorsing, but
                                    I think it still needs a bit of
                                    work. Thanks for incorporating my
                                    most recent comments on endianness
                                    and word size vs 11 platforms.<br>
                                    <br>
                                    Goals: We want CAs to consistently
                                    not issue certificates for weak keys
                                    in general, and also in the specific
                                    case of Debian and ROCA keys. We
                                    want the definition of Debian and
                                    ROCA keys to be clear and actionable
                                    for as long as possible - say, at
                                    least twenty years.<br>
                                    <br>
                                    We have three ways to specify Debian
                                    and ROCA keys: With a list, with a
                                    tool, or with an algorithm*. The
                                    original revision of this ballot
                                    proposed to use a list (<a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fpipermail%2Fservercert-wg%2F2020-April%2F001821.html&data=04%7C01%7Crob%40sectigo.com%7Cbd27eeb2c4f24212be2b08d8b8bbbb21%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637462464775288099%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=xFOw4fjPqczmZcHn3X3CdOESu%2BQ6kQCYIs5oYqqxPMA%3D&reserved=0" originalsrc="https://lists.cabforum.org/pipermail/servercert-wg/2020-April/001821.html" shash="VIX1qIgLdkIphcFjrJlY/yyoADZkRWOwbr/J2NzcWPA54pxC+RiPM8s93RI83MSHwriPwo5IQW7Ezxax/mDhUwP/Z66LfBmCogIOtDWVOn3gAuP4V9zJKXp1XQt2mpAytH9rUzKtqpOUbeG7qdo4+bv6rMNa23LpIP4CJnzgxdo=" moz-do-not-send="true">https://lists.cabforum.org/pipermail/servercert-wg/2020-April/001821.html</a>).
                                    There were two objections:<br>
                                    <br>
                                     - The list (openssl-blacklist) is
                                    subject to change or removal.<br>
                                     - The list only covers 2048 and
                                    4096 bit keys.<br>
                                    <br>
                                    The current draft proposes
                                    specifying a tool for ROCA (<a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcrocs-muni%2Froca&data=04%7C01%7Crob%40sectigo.com%7Cbd27eeb2c4f24212be2b08d8b8bbbb21%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637462464775298061%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=PLsxrncyLhb4LmeUnmzT6G7T1BSpa7mRuORVWTVokHQ%3D&reserved=0" originalsrc="https://github.com/crocs-muni/roca" shash="tEUe0exsmKAGR3pXoh19xmgO3FyNk+jq0Ru95fbsRwE3sp4bJtPpeVskcAGyg4p9mLDCuH9dedyS1zVEINsqjpvT36BXgDiyCI+pj2lbyWz+2gcZuX2Lm/8TCstRJAgERV0SWV08kl7g4fxFe7vSaPr0vEdFOlLwJLqhlCKlNw4=" moz-do-not-send="true">https://github.com/crocs-muni/roca</a>)
                                    and an algorithm for Debian keys.<br>
                                    <br>
                                    The ROCA tool is subject to change
                                    or removal, just like the
                                    openssl-blacklist package. I propose
                                    we instead specify ROCA detection in
                                    terms of the paper (<a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrocs.fi.muni.cz%2Fpublic%2Fpapers%2Frsa_ccs17&data=04%7C01%7Crob%40sectigo.com%7Cbd27eeb2c4f24212be2b08d8b8bbbb21%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637462464775298061%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=hlXCg6ivQHbuPkfYpjEuEN7qT64N6DfjL0GnBFz1ZhI%3D&reserved=0" originalsrc="https://crocs.fi.muni.cz/public/papers/rsa_ccs17" shash="UZK47qpUn2RLAPPQv9jjrwoWhokh0Kb8YUqGAoxHR4Kzyz/QnW6XpdxhEpAc072Qj2isUVmlxgLudR1TCmUDILj5c1eVrvtvs6gYTQ1V4AK/6ACkL+OZGlDlNGmhqpp8ZbBthCc+qhKNjPPMPqSXQCtfCZCFNIqBVfqOnuxGNJ4=" moz-do-not-send="true">https://crocs.fi.muni.cz/public/papers/rsa_ccs17</a>)
                                    and ask for permission from the
                                    authors to archive an unchanging
                                    copy as an addendum to the BRs.<br>
                                    <br>
                                    For Debian keys, what looks like an
                                    algorithm specification is actually
                                    a tool + algorithm specification.
                                    The tool is "OpenSSL 0.9.8c-1 up to
                                    versions before 0.9.8g-9 on
                                    Debian-based operating systems" (per
                                    CVE-2008-01666 -
                                    <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3D2008-0166&data=04%7C01%7Crob%40sectigo.com%7Cbd27eeb2c4f24212be2b08d8b8bbbb21%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637462464775308014%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=3nkkxPXnSB0g0ETZf0Xwja9q%2BXFzMZZj%2Bws3v1%2Br0Uw%3D&reserved=0" originalsrc="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0166" shash="kJH9wH6aRyMvkJuvf4B/BBP4xS8W3pIj5HfkapQcKBgCTCkx/M3W/AvbT+1lsLmF3Ep2x4pDTFpr3rCx3eFw8xng26ciPngRzVUTT+GCutrDFlpRYy5MTYCxsvq1E1xXrYXxPto7pL34tyxLdcKl8wPXwM8ikjTd3olVbZgDaYs=" moz-do-not-send="true">
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0166</a>). To ensure
                                    an unchanging copy of that, we
                                    should archive 3 copies of Debian,
                                    for the 3 word size + endianness
                                    combinations.<br>
                                    <br>
                                    The algorithm also needs an
                                    additional line: "v) using the
                                    command 'openssl req -nodes -subj /
                                    -newkey rsa:<Public Key
                                    length>'" (adapted from
                                    <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsources.debian.org%2Fdata%2Fmain%2Fo%2Fopenssl-blacklist%2F0.5-3%2Fexamples%2Fgen_certs.sh&data=04%7C01%7Crob%40sectigo.com%7Cbd27eeb2c4f24212be2b08d8b8bbbb21%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637462464775308014%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=teetqlGwiM2Mqdlq%2FVPMlFG0Spld8zDZKN5S2yZwMWo%3D&reserved=0" originalsrc="https://sources.debian.org/data/main/o/openssl-blacklist/0.5-3/examples/gen_certs.sh" shash="C//wi1k1sPVYbYeNUmY5+AD78UhuJNR3EstdnRZtK3D3ajcJmUhHOIm+zhSBTogdYF+Rbe7czrvO6D+DeRl0Po1DXGBSDoMHBBLdkIkbtanepQSTvro1qXHa4rbbmtKX8gt+0AEF4c86Aa8uWK+SsurtldgyqUuFvYYJuH7R/k4=" moz-do-not-send="true">
https://sources.debian.org/data/main/o/openssl-blacklist/0.5-3/examples/gen_certs.sh</a>).
                                    Other tools that linked OpenSSL,
                                    like openvpn and openssh, generated
                                    different sets of keys. We can
                                    include or exclude openvpn and
                                    openssh keys, but should thoroughly
                                    specify.<br>
                                    <br>
                                    Lastly, I think we should archive
                                    openssl-blacklist, and include in
                                    the BRs: "A CA may reject the full
                                    set of Debian weak keys by rejecting
                                    this superset of the Debian weak
                                    keys:<br>
                                    <br>
                                     - All RSA public keys with modulus
                                    lengths other than 2048 or 4096, and<br>
                                     - All RSA public keys with
                                    exponents other than 65537, and<br>
                                     - All RSA public keys that are
                                    detected as vulnerable by the
                                    openssl-vulnkey program in the
                                    openssl-blacklist package version
                                    0.5-3 (see addendum), or an
                                    equivalent program."<br>
                                    <br>
                                    My reasoning: Given the difficulty
                                    of correctly setting up old Debian
                                    versions and generating weak keys
                                    for sizes that are not part of
                                    openssl-blacklist, I expect most CAs
                                    will choose this path. Given that,
                                    we should just say what we mean: the
                                    pregenerated list is fine if you
                                    restrict key sizes, but you don't
                                    *have* to restrict key sizes, so
                                    long as you have an alternate method
                                    to ensure you're not issuing for
                                    Debian weak keys at other sizes.<br>
                                    <br>
                                    *I'm considering specifying an
                                    algorithm to be functionally
                                    equivalent to specifying an
                                    "outcome," though I recognize this
                                    may be too hand-wavy.<br>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                      <br>
                      <fieldset class="x_x_mimeAttachmentHeader"></fieldset>
                      <pre class="x_x_moz-quote-pre">_______________________________________________
Servercert-wg mailing list
<a class="x_x_moz-txt-link-abbreviated" href="mailto:Servercert-wg@cabforum.org" moz-do-not-send="true">Servercert-wg@cabforum.org</a>
<a class="x_x_moz-txt-link-freetext" href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg&data=04%7C01%7Crob%40sectigo.com%7Cbd27eeb2c4f24212be2b08d8b8bbbb21%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637462464775317973%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=qEPVkrIlD6zA64SasU8geXH7NjuD4BEJMconRfegI9U%3D&reserved=0" originalsrc="https://lists.cabforum.org/mailman/listinfo/servercert-wg" shash="jnUX6KkCtfFEklkrvqIWAet5mysNkpG5lEY2ZUqsVrGIiyNIIn7R7TRWGmenzRcl9MTnaIKxTSnZGdQRLILPl3fRIzsRnHwqRsfUos1DUHyoWppTWNZFRXaF1JnFkZ0Inq6PykAkolW95Y8EXtjrV97ShdJDw8jRrhXSJcHSTTc=" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a>
</pre>
                    </blockquote>
                    <br>
                  </div>
                </div>
              </div>
            </blockquote>
            <br>
          </div>
        </div>
      </div>
    </blockquote>
  </body>
</html>