<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
I created <a class="moz-txt-link-freetext" href="https://github.com/cabforum/servercert/pull/405/files">https://github.com/cabforum/servercert/pull/405/files</a>
which includes some elements from your proposal and MRSP language. <br>
<br>
I also did a comparison of BRs section 4.9.1.1 revocation use cases
that are already mentioned in MRSP section 6.1.1 (attached). There
are only a few revocation use cases mentioned in MRSP that are not
explicitly described in 4.9.1.1 so we could try adding those to
4.9.1.1 for full consistency.<br>
<br>
This proposal:<br>
<ul>
<li>explains the expectations for each reasonCode</li>
<li>preserves the existing 5 revocation use cases for 24h and the
11 cases for 5-day that CAs/auditors are already familiar with,
and adds an explicit reasonCode per MRSP.<br>
</li>
</ul>
This presentation format is already familiar to CAs, less ambiguous,
and IMO minimizes the risk of implementing incorrectly.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<br>
<div class="moz-cite-prefix">On 17/11/2022 5:46 μ.μ., Ben Wilson
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CA+1gtaZmGF0qP4d2mmR+oK3QE4jwwEh4qoFpmLG0LCNQjXAB4g@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div>Sounds good. Thanks, Dimitris.</div>
<div>Ben<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Nov 16, 2022 at 11:23
PM Dimitris Zacharopoulos (HARICA) <<a
href="mailto:dzacharo@harica.gr" moz-do-not-send="true"
class="moz-txt-link-freetext">dzacharo@harica.gr</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div> <br>
<br>
<div>On 15/11/2022 6:11 μ.μ., Ben Wilson wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">That could simplify it, but Mozilla's CRL
Reason Code rules would still supersede that section.<br>
</div>
</blockquote>
<br>
I don't see it as "superseding" but differently "presented".
Mozilla chose that particular presentation format without
taking into consideration the time limits for revocation. <a
href="https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md#611-end-entity-tls-certificate-crlrevocation-reasons"
target="_blank" moz-do-not-send="true">MRSP </a>only
mentions the reasons and expectations for using such
reasons. The BRs are more explicit in the use cases and it's
more important for the CA to know which cases must be
revoked within 24 hours and which ones must be revoked
within 5 days. It's a better "starting point" for CAs, and
that's that they are used to follow. <br>
<br>
I believe we can successfully update 4.9.1.1 to aligned with
MRSP section 6.1 without changing the current presentation
format of revocation use cases in the BRs. If you are open
to the idea, I can work with you on a more concrete proposal
and see how it looks.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<blockquote type="cite"><br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, Nov 15, 2022
at 2:22 AM Dimitris Zacharopoulos (HARICA) via
Servercert-wg <<a
href="mailto:servercert-wg@cabforum.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div>
<div>On 15/11/2022 1:02 π.μ., Ben Wilson via
Servercert-wg wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Thanks.</div>
<div><br>
</div>
<div>Any additional thoughts, recommendations,
etc.?</div>
</div>
</blockquote>
<br>
Hi Ben,<br>
<br>
I assume that the use cases described within the
parenthesis under 4.9.1.1 are "examples" which means
that the "i.e." should be replaced with "e.g.". <br>
<br>
I am not very much in favor of the breakown of
subsections for each revocation reasonCode which
repeats the language "SHOULD revoke within 24 hours
and SHALL revoke within 5 days" in various cases,
and gets especially confusing when the Subscriber
requests in writing, which can apply to several
reasonCodes.<br>
<br>
The previous attempt keeping the existing structure
that CAs/Auditors are already familiar with, seems
like a better approach. That's because CAs already
have controls in place to handle "specific
revocation use cases" as they are listed in the
current sections 4.9.1.1 and 4.9.1.2. All we need to
do now is map those known cases to a specific
RFC5280 reasonCode.<br>
<br>
If additional revocation use cases have been
documented in MRSP, we can add those in <a
href="http://4.9.1.1/2" target="_blank"
moz-do-not-send="true">4.9.1.1/2</a> as needed.<br>
<br>
What do others think? Should we try to minimize the
changes to 4.9.1.1 and 4.9.1.2 or do a complete
restructuring?<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Ben<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Nov
10, 2022 at 11:33 PM Roman Fischer via
Servercert-wg <<a
href="mailto:servercert-wg@cabforum.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div>
<div lang="DE">
<div>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:"Calibri",sans-serif">Dear
Ben,</span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:"Calibri",sans-serif"> </span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:"Calibri",sans-serif"
lang="EN-US">Thanks for your effort
to make it better understandable.
Even for me as a non-native speaker
it’s now much clearer when to use
which reasonCode (but it’s still
very complex!).</span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:"Calibri",sans-serif"
lang="EN-US"> </span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:"Calibri",sans-serif"
lang="EN-US">Could the section</span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:"Calibri",sans-serif"
lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">**
The privilegeWithdrawn reasonCode <span
style="background:yellow"> does
not need to be made available</span>
to the Subscriber as a revocation
reason option, because the use of
this reasonCode is determined by the
CA and not the Subscriber.</span><span
style="font-size:11pt" lang="EN-US"></span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:"Calibri",sans-serif"
lang="EN-US"> </span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:"Calibri",sans-serif"
lang="EN-US">be reformulated to use
one of the RFC 2119 terms? Maybe
your intention was “SHALL NOT be
made available”?</span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:"Calibri",sans-serif"
lang="EN-US"> </span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:"Calibri",sans-serif"
lang="EN-US">Kind regards<br>
Roman Fischer, SwissSign</span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:"Calibri",sans-serif"
lang="EN-US"> </span></p>
<div
style="border-color:rgb(225,225,225)
currentcolor
currentcolor;border-style:solid none
none;border-width:1pt medium
medium;padding:3pt 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11pt;font-family:"Calibri",sans-serif"
lang="EN-US">From:</span></b><span
style="font-size:11pt;font-family:"Calibri",sans-serif"
lang="EN-US"> Servercert-wg <<a
href="mailto:servercert-wg-bounces@cabforum.org" target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">servercert-wg-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Ben Wilson
via Servercert-wg<br>
<b>Sent:</b> Freitag, 11. November
2022 00:53<br>
<b>To:</b> CA/B Forum Server
Certificate WG Public Discussion
List <<a
href="mailto:servercert-wg@cabforum.org"
target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>><br>
<b>Subject:</b> Re:
[Servercert-wg] Proposal to
Incorporate Mozilla's CRL
Revocation Reason Code
Requirements into the BRs</span></p>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">All,</p>
</div>
<div>
<p class="MsoNormal">Here is another
iteration of a proposal to
incorporate Mozilla's CRL reason
code requirements into the
Baseline Requirements. </p>
</div>
<div>
<p class="MsoNormal">I am open to
your suggestions and
recommendations on how to make
this better. </p>
</div>
<div>
<p class="MsoNormal">I'll put
another draft in GitHub again
after I receive feedback.</p>
</div>
<div>
<p class="MsoNormal">Thanks,</p>
</div>
<div>
<p class="MsoNormal">Ben</p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On Tue, Sep 20,
2022 at 10:16 PM Ben Wilson via
Servercert-wg <<a
href="mailto:servercert-wg@cabforum.org"
target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>>
wrote:</p>
</div>
<blockquote
style="border-color:currentcolor
currentcolor currentcolor
rgb(204,204,204);border-style:none
none none solid;border-width:medium
medium medium 1pt;padding:0cm 0cm
0cm
6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<p class="MsoNormal">Hi Corey,</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">See
responses below.</p>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On Wed,
Sep 14, 2022 at 11:38 AM
Corey Bonnell <<a
href="mailto:Corey.Bonnell@digicert.com"
target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">Corey.Bonnell@digicert.com</a>>
wrote:</p>
</div>
<blockquote
style="border-color:currentcolor
currentcolor currentcolor
rgb(204,204,204);border-style:none
none none
solid;border-width:medium
medium medium 1pt;padding:0cm
0cm 0cm
6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span
lang="EN-US">Hi Ben,</span></p>
<p class="MsoNormal"><span
lang="EN-US">It
appears the ballot
text has potential
divergences from the
published MRSP:</span></p>
<p class="MsoNormal"><span
lang="EN-US"> </span></p>
</div>
</div>
</div>
</blockquote>
<blockquote
style="border-color:currentcolor
currentcolor currentcolor
rgb(204,204,204);border-style:none
none none
solid;border-width:medium
medium medium 1pt;padding:0cm
0cm 0cm
6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span
lang="EN-US">1. This
ballot prohibits
other CRLReasons
from appearing in
CRLs. This is
meaningfully
different from MRSP,
where the new
requirements are
applicable solely to
revocations that
occur on or after
the effective date.</span></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> I think
this can be fixed with some
language changes.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<blockquote
style="border-color:currentcolor
currentcolor currentcolor
rgb(204,204,204);border-style:none
none none
solid;border-width:medium
medium medium 1pt;padding:0cm
0cm 0cm
6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span
lang="EN-US">2.
There is no
requirement to
document reason
codes in the
Subscriber
Agreement, whereas
there is in MRSP. Is
this change
intentional?</span></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Not
exactly an intentional
elimination of the
requirement, but I can make
the ballot consistent with
the MRSP with some language
changes as well. My idea was
to suggest that CAs could
incorporate the necessary
information "by reference"
so that the CRL reason code
explanations wouldn't have
to appear fully in
Subscriber Agreements or
Terms of Use.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<blockquote
style="border-color:currentcolor
currentcolor currentcolor
rgb(204,204,204);border-style:none
none none
solid;border-width:medium
medium medium 1pt;padding:0cm
0cm 0cm
6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span
lang="EN-US">3.
Regarding 24-hour
revocation reason
#5: it appears that
privilegeWithdrawn
is now allowed.
According to MRSP,
only superseded is
appropriate for this
case.</span></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">For
consistency, I'll change
this to superseded only. </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<blockquote
style="border-color:currentcolor
currentcolor currentcolor
rgb(204,204,204);border-style:none
none none
solid;border-width:medium
medium medium 1pt;padding:0cm
0cm 0cm
6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span
lang="EN-US">4.
Regarding 5-day
revocation reason
#9: this is not a
scenario listed in
MRSP. In other
words, this
revocation scenario
must be denoted as
“unspecified” as the
CRLReason under
MRSP. Therefore, it
is not possible to
satisfy both the
proposed BR text and
MRSP.</span></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">That's
probably the approach to
take - thanks. Another
possibility is to move this
revocation reason down to
4.9.1.2 - CAs should revoke
the intermediate CA
certificate(s) rather than
all end entity certificates.
</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<blockquote
style="border-color:currentcolor
currentcolor currentcolor
rgb(204,204,204);border-style:none
none none
solid;border-width:medium
medium medium 1pt;padding:0cm
0cm 0cm
6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span
lang="EN-US">5.
Regarding 5-day
revocation reason
#10: this appears to
be like scenario #7,
but it is different
in that revocation
may be required even
if there’s no
violation of the
CP/CPS. I don’t
think this scenario
is enumerated in
MRSP, so it is not
possible to specify
a reason code that
satisfies both MRSP
and this ballot for
this scenario.</span></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Kathleen
and I think that this reason
is in the MRSP under the
section for the superseded
CRLReason - "the CA
operator has revoked the
certificate for compliance
reasons such as the
certificate does not comply
with this policy, the
CA/Browser Forum's Baseline
Requirements, or the CA
operator’s CP or CPS". </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<blockquote
style="border-color:currentcolor
currentcolor currentcolor
rgb(204,204,204);border-style:none
none none
solid;border-width:medium
medium medium 1pt;padding:0cm
0cm 0cm
6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span
lang="EN-US"> </span></p>
<p class="MsoNormal"><span
lang="EN-US">More
generally, the
Defined Term
“Certificate” should
be used throughout
the ballot for
consistency.</span></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Agreed.
Thanks.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<blockquote
style="border-color:currentcolor
currentcolor currentcolor
rgb(204,204,204);border-style:none
none none
solid;border-width:medium
medium medium 1pt;padding:0cm
0cm 0cm
6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span
lang="EN-US"> </span></p>
<p class="MsoNormal"><span
lang="EN-US">Thanks,</span></p>
<p class="MsoNormal"><span
lang="EN-US">Corey</span></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Thanks,</p>
</div>
<div>
<p class="MsoNormal">Ben </p>
</div>
<blockquote
style="border-color:currentcolor
currentcolor currentcolor
rgb(204,204,204);border-style:none
none none
solid;border-width:medium
medium medium 1pt;padding:0cm
0cm 0cm
6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span
lang="EN-US"> </span></p>
<div
style="border-style:solid
none
none;border-width:1pt
medium
medium;padding:3pt 0cm
0cm;border-color:currentcolor">
<p class="MsoNormal"><b><span
lang="EN-US">From:</span></b><span
lang="EN-US">
Servercert-wg <<a
href="mailto:servercert-wg-bounces@cabforum.org" target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">servercert-wg-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Ben
Wilson via
Servercert-wg<br>
<b>Sent:</b>
Tuesday, September
13, 2022 11:37 PM<br>
<b>To:</b> Ben
Wilson <<a
href="mailto:bwilson@mozilla.com"
target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">bwilson@mozilla.com</a>>;
CA/B Forum Server
Certificate WG
Public Discussion
List <<a
href="mailto:servercert-wg@cabforum.org"
target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>><br>
<b>Subject:</b>
Re:
[Servercert-wg]
Proposal to
Incorporate
Mozilla's CRL
Revocation Reason
Code Requirements
into the BRs</span></p>
</div>
<p class="MsoNormal"><span
lang="EN-US"> </span></p>
<div>
<div>
<p class="MsoNormal"><span
lang="EN-US">Here
is the most
current
comparison:</span></p>
</div>
<div>
<p class="MsoNormal"><span
lang="EN-US"> </span></p>
</div>
<div>
<p class="MsoNormal"><span
lang="EN-US"><a
href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert%2Fcompare%2Fbbca71465ed8a8a76383086039f52c750009286a..1699612e5157423f607d67cc8ab9dc3a1d52b318&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=6U2qShXXY%2FWlUn2vWCqq0YB8yQAQxEiQXejzc6pCawE%3D&reserved=0"
target="_blank" moz-do-not-send="true">https://github.com/cabforum/servercert/compare/bbca71465ed8a8a76383086039f52c750009286a..1699612e5157423f607d67cc8ab9dc3a1d52b318</a></span></p>
</div>
<div>
<p class="MsoNormal"><span
lang="EN-US"> </span></p>
</div>
<div>
<p class="MsoNormal"><span
lang="EN-US">Ben</span></p>
</div>
</div>
<p class="MsoNormal"><span
lang="EN-US"> </span></p>
<div>
<div>
<p class="MsoNormal"><span
lang="EN-US">On
Mon, Sep 12,
2022 at 11:00 AM
Ben Wilson <<a
href="mailto:bwilson@mozilla.com" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">bwilson@mozilla.com</a>> wrote:</span></p>
</div>
<blockquote
style="border-style:none
none none
solid;border-width:medium
medium medium
1pt;padding:0cm 0cm
0cm 6pt;margin:5pt
0cm 5pt
4.8pt;border-color:currentcolor
currentcolor
currentcolor
rgb(204,204,204)">
<div>
<div>
<p
class="MsoNormal"><span
lang="EN-US">Here
is another
edit that
tries to make
minimal
changes to BR
section
4.9.1.1.</span></p>
</div>
<div>
<p
class="MsoNormal"><span
lang="EN-US"><a
href="http://goog_144053405" target="_blank" moz-do-not-send="true"><br>
</a></span></p>
</div>
<div>
<p
class="MsoNormal"><span
lang="EN-US"><a
href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FBenWilson-Mozilla%2Fservercert%2Fcommit%2F94a07d08855cf489a2bdddff7d8a9490969d5d06&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=h0d4CsixQeyG7GMzM2nqO3ScDRRM1EomVg%2BuwI3lBIc%3D&reserved=0"
target="_blank" moz-do-not-send="true">https://github.com/BenWilson-Mozilla/servercert/commit/94a07d08855cf489a2bdddff7d8a9490969d5d06</a></span></p>
</div>
<div>
<p
class="MsoNormal"><span
lang="EN-US"> </span></p>
</div>
<div>
<p
class="MsoNormal"><span
lang="EN-US">Ben</span></p>
</div>
</div>
<p class="MsoNormal"><span
lang="EN-US"> </span></p>
<div>
<div>
<p
class="MsoNormal"><span
lang="EN-US">On
Mon, Sep 12,
2022 at 9:51
AM Ben Wilson
via
Servercert-wg
<<a
href="mailto:servercert-wg@cabforum.org"
target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>>
wrote:</span></p>
</div>
<blockquote
style="border-style:none
none none
solid;border-width:medium
medium medium
1pt;padding:0cm
0cm 0cm
6pt;margin:5pt
0cm 5pt
4.8pt;border-color:currentcolor
currentcolor
currentcolor
rgb(204,204,204)">
<div>
<div>
<p
class="MsoNormal"><span
lang="EN-US">Thanks,
Dimitris. I'll
work on that
approach and
get something
back to you
soon.</span></p>
</div>
<div>
<p
class="MsoNormal"><span
lang="EN-US">Ben</span></p>
</div>
</div>
<p
class="MsoNormal"><span
lang="EN-US"> </span></p>
<div>
<div>
<p
class="MsoNormal"><span
lang="EN-US">On
Mon, Sep 12,
2022 at 2:56
AM Dimitris
Zacharopoulos
(HARICA) <<a
href="mailto:dzacharo@harica.gr" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">dzacharo@harica.gr</a>> wrote:</span></p>
</div>
<blockquote
style="border-style:none
none none
solid;border-width:medium
medium medium
1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt
4.8pt;border-color:currentcolor
currentcolor
currentcolor
rgb(204,204,204)">
<div>
<p
class="MsoNormal"><span
lang="EN-US">Hi
Ben,<br>
<br>
After a quick
reading, I
noticed that
the
subsections
are not
symmetrical
and a bit
inconsistent.
For example,
some of them
contain the
statement "the
CA SHOULD
revoke a
certificate
within 24
hours and MUST
revoke a
Certificate
within 5
days", some do
not.<br>
<br>
Other
examples:</span></p>
<ul
type="disc">
<li
class="MsoNormal">
<span
lang="EN-US">4.9.1.1.1,
is labeled
"Subscriber-Requested
Revocation",
however there
are other
subsections
that are also
"Subscriber-Requested". This separation seems confusing.</span></li>
<li
class="MsoNormal">
<span
lang="EN-US">4.9.1.1.4
is about
unreliable
validation but
most of the
remaining
subsections
are titled
after the RFC
5280
revocation
reasons.</span></li>
</ul>
<p
class="MsoNormal"
style="margin-bottom:12pt"><span lang="EN-US">Finally, it's not very
clear when the
"unspecified
(0)" reason
must be used
because of
section
4.9.1.1.8
(Other
Circumstances)
which doesn't
point to a
revocation
reason.<br>
<br>
>From my
perspective,
I'm not sure
if breaking
down each
subsection is
more helpful
for reading
the revocation
requirements
than the
current
listing. I
understand
there is a
desire to copy
the MRSP
language as
much as
possible but
perhaps we
need to
consider a
less
"intrusive"
set of changes
to a section
that CAs
already have a
difficult time
reading and
implementing.<br>
<br>
IMO we either
need to
describe the
revocation
scenario and
point to the
RFC 5280
revocation
reason (closer
to what the
BRs have
today), or
start with the
RFC 5280
revocation
reasons and
enumerate the
revocation
scenarios
(closer to
what MRSP has
today). I find
it confusing
to mix the two
approaches.<br>
<br>
<br>
Thanks,<br>
Dimitris.</span></p>
<div>
<p
class="MsoNormal"><span
lang="EN-US">On
12/9/2022 6:32
π.μ., Ben
Wilson wrote:</span></p>
</div>
<blockquote
style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<p
class="MsoNormal"><span
lang="EN-US">For
review - here
is another
proposal that
takes BR
section
4.9.1.1 and
puts the
24-hour and
5-day
revocation
times into
subsections
that match the
CRL reason
codes. </span></p>
</div>
<div>
<p
class="MsoNormal"><span
lang="EN-US"> </span></p>
</div>
<div>
<p
class="MsoNormal"><span
lang="EN-US"><a
href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FBenWilson-Mozilla%2Fservercert%2Fcommit%2Fb185a28fcc20d5853747e4506103823e3dc7c282&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=opmFVkFFcOqc3DWpy%2BwP%2B79ihMxBOPnZE34AGDSKjWY%3D&reserved=0"
target="_blank" moz-do-not-send="true">https://github.com/BenWilson-Mozilla/servercert/commit/b185a28fcc20d5853747e4506103823e3dc7c282</a></span></p>
</div>
<div>
<p
class="MsoNormal"><span
lang="EN-US"> </span></p>
</div>
<div>
<p
class="MsoNormal"><span
lang="EN-US">Ben</span></p>
</div>
</div>
<p
class="MsoNormal"><span
lang="EN-US"> </span></p>
<div>
<div>
<p
class="MsoNormal"><span
lang="EN-US">On
Thu, Sep 8,
2022 at 12:05
PM Dimitris
Zacharopoulos
(HARICA) <<a
href="mailto:dzacharo@harica.gr" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">dzacharo@harica.gr</a>> wrote:</span></p>
</div>
<blockquote
style="border-style:none
none none
solid;border-width:medium
medium medium
1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt
4.8pt;border-color:currentcolor
currentcolor
currentcolor
rgb(204,204,204)">
<div>
<p
class="MsoNormal"
style="margin-bottom:12pt"><span lang="EN-US">Good point.<br>
<br>
s/<i>expected/shall
use/<br>
<br>
</i></span></p>
<div>
<p
class="MsoNormal"><span
lang="EN-US">On
8/9/2022 8:26
μ.μ., Tim
Hollebeek
wrote:</span></p>
</div>
<blockquote
style="margin-top:5pt;margin-bottom:5pt">
<div>
<p
class="MsoNormal"><span
lang="EN-US">I
would prefer
standard 2119
language
instead of an
“expectation”. There are no documented rules for what it means for a
CRLReason to
be expected to
be a certain
value.</span></p>
<p
class="MsoNormal"><span
lang="EN-US"> </span></p>
<p
class="MsoNormal"><span
lang="EN-US">-Tim</span></p>
<p
class="MsoNormal"><span
lang="EN-US"> </span></p>
<div
style="border-style:none
none none
solid;border-width:medium
medium medium
1.5pt;padding:0cm 0cm 0cm 4pt;border-color:currentcolor currentcolor
currentcolor
blue">
<div>
<div
style="border-style:solid
none
none;border-width:1pt
medium
medium;padding:3pt
0cm
0cm;border-color:currentcolor">
<p
class="MsoNormal"><b><span
lang="EN-US">From:</span></b><span
lang="EN-US">
Servercert-wg
<a
href="mailto:servercert-wg-bounces@cabforum.org"
target="_blank" moz-do-not-send="true"><servercert-wg-bounces@cabforum.org></a>
<b>On Behalf
Of </b>Dimitris
Zacharopoulos
(HARICA) via
Servercert-wg<br>
<b>Sent:</b>
Thursday,
September 8,
2022 3:21 AM<br>
<b>To:</b> Ben
Wilson <a
href="mailto:bwilson@mozilla.com"
target="_blank" moz-do-not-send="true"><bwilson@mozilla.com></a>;
CA/B Forum
Server
Certificate WG
Public
Discussion
List <a
href="mailto:servercert-wg@cabforum.org"
target="_blank" moz-do-not-send="true"><servercert-wg@cabforum.org></a><br>
<b>Subject:</b>
Re:
[Servercert-wg]
Proposal to
Incorporate
Mozilla's CRL
Revocation
Reason Code
Requirements
into the BRs</span></p>
</div>
</div>
<p
class="MsoNormal"><span
lang="EN-US"> </span></p>
<p
class="MsoNormal"
style="margin-bottom:12pt"><span lang="EN-US"> </span></p>
<div>
<p
class="MsoNormal"><span
lang="EN-US">On
7/9/2022 8:22
μ.μ., Ben
Wilson wrote:</span></p>
</div>
<blockquote
style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<p
class="MsoNormal"><span
lang="EN-US">Good
suggestion. I
can re-work a
proposal that
re-writes BR
sec. 4.9.1.1
to re-group
the revocation
reasons into
the reason
codes that
should be
used. Is that
what you were
thinking? </span></p>
</div>
</div>
</blockquote>
<p
class="MsoNormal"><span
lang="EN-US"><br>
Yes. We should
also try to
keep the
current BRs
prioritization.
The section
begins with
the cases
where the
Certificate(s)
need to be
revoked within
24h and then
moves to the
5-day
revocation
cases.<br>
<br>
We could walk
this list down
making sure
that all
Mozilla cases
are listed
(add the ones
that are not)
and add the
expected
revocationReason
for each case.
For example:</span></p>
<p><i><span
lang="EN-US">The
CA SHALL
revoke a
Certificate
within 24
hours if one
or more of the
following
occurs:</span></i><span
lang="EN-US"></span></p>
<ol type="1"
start="1">
<li
class="MsoNormal">
<i><span
lang="EN-US">The
Subscriber
requests in
writing that
the CA revoke
the
Certificate
(expected
CRLReason:<b>unspecified</b>);</span></i><span
lang="EN-US"></span></li>
<li
class="MsoNormal">
<i><span
lang="EN-US">The
Subscriber
notifies the
CA that the
original
certificate
request was
not authorized
and does not
retroactively
grant
authorization
(expected
CRLReason:</span></i><b><i><span
style="font-family:"Calibri",sans-serif" lang="EN-US">privilegeWithdrawn</span></i></b><i><span
lang="EN-US">);</span></i><span
lang="EN-US"></span></li>
<li
class="MsoNormal">
<i><span
lang="EN-US">The
CA obtains
evidence that
the
Subscriber's
Private Key
corresponding
to the Public
Key in the
Certificate
suffered a Key
Compromise
(expected
CRLReason:<b>keyCompromise</b>);</span></i><span
lang="EN-US"></span></li>
<li
class="MsoNormal">
<i><span
lang="EN-US">The
CA is made
aware of a
demonstrated
or proven
method that
can easily
compute the
Subscriber's
Private Key
based on the
Public Key in
the
Certificate
(such as a
Debian weak
key, see </span></i><span
lang="EN-US"><a
href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.debian.org%2FSSLkeys&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2FV7HivQUf9v8s2xTxi1rVgVbg7XfH9TtU4RjlKL0T6c%3D&reserved=0"
target="_blank" moz-do-not-send="true"><i>https://wiki.debian.org/SSLkeys</i></a><i>)
(expected
CRLReason:<b>keyCompromise</b>);</i></span></li>
<li
class="MsoNormal">
<i><span
lang="EN-US">The
CA obtains
evidence that
the validation
of domain
authorization
or control for
any
Fully-Qualified
Domain Name or
IP address in
the
Certificate
should not be
relied upon
(expected
CRLReason: </span></i><b><i><span
style="font-family:"Calibri",sans-serif" lang="EN-US">superseded</span></i></b><i><span
lang="EN-US">).</span></i><span
lang="EN-US"></span></li>
</ol>
<p
class="MsoNormal"
style="margin-bottom:12pt"><span lang="EN-US">and so on.<br>
<br>
Does that
work?<br>
<br>
Dimitris.</span></p>
<blockquote
style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<p
class="MsoNormal"><span
lang="EN-US">Thanks,</span></p>
</div>
<div>
<p
class="MsoNormal"><span
lang="EN-US">Ben</span></p>
</div>
</div>
<p
class="MsoNormal"><span
lang="EN-US"> </span></p>
<div>
<div>
<p
class="MsoNormal"><span
lang="EN-US">On
Wed, Sep 7,
2022 at 6:01
AM Dimitris
Zacharopoulos
(HARICA) via
Servercert-wg
<<a
href="mailto:servercert-wg@cabforum.org"
target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>>
wrote:</span></p>
</div>
<blockquote
style="border-style:none
none none
solid;border-width:medium
medium medium
1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt
4.8pt;border-color:currentcolor
currentcolor
currentcolor
rgb(204,204,204)">
<div>
<p
class="MsoNormal"
style="margin-bottom:12pt"><span lang="EN-US">Hi Ben,<br>
<br>
I believe the
proposal, as
written,
causes
confusion in
regards to
4.9.1.1. Some
of the reasons
described in
your proposal
are already
mentioned in
4.9.1.1.
Perhaps we
should work
some more to
"unify" the
two sections.<br>
<br>
My proposal
would be to
update 4.9.1.1
and include
the expected
CRLReason
after each
case.<br>
<br>
<br>
Thoughts?<br>
Dimitris.</span></p>
<div>
<p
class="MsoNormal"><span
lang="EN-US">On
6/9/2022 8:13
μ.μ., Ben
Wilson via
Servercert-wg
wrote:</span></p>
</div>
<blockquote
style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<p
class="MsoNormal"><span
lang="EN-US">All,</span></p>
</div>
<div>
<p
class="MsoNormal"><span
lang="EN-US">I'm
looking for
one more
endorser.</span></p>
</div>
<div>
<p
class="MsoNormal"><span
lang="EN-US">Thanks,</span></p>
</div>
<div>
<p
class="MsoNormal"><span
lang="EN-US">Ben</span></p>
</div>
</div>
<p
class="MsoNormal"><span
lang="EN-US"> </span></p>
<div>
<div>
<p
class="MsoNormal"><span
lang="EN-US">On
Fri, Jul 29,
2022 at 12:40
PM Ben Wilson
via
Servercert-wg
<<a
href="mailto:servercert-wg@cabforum.org"
target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>>
wrote:</span></p>
</div>
<blockquote
style="border-style:none
none none
solid;border-width:medium
medium medium
1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt
4.8pt;border-color:currentcolor
currentcolor
currentcolor
rgb(204,204,204)">
<div>
<div>
<p
class="MsoNormal"><span
lang="EN-US">All,</span></p>
</div>
<div>
<p
class="MsoNormal"><span
lang="EN-US"> </span></p>
</div>
<div>
<p
class="MsoNormal"><span
lang="EN-US">I
have created a
proposal in
Github to
incorporate
Mozilla's CRL
Revocation
Reason Code
requirements
into the
Baseline
Requirements.
</span></p>
</div>
<div>
<p
class="MsoNormal"><span
lang="EN-US"> </span></p>
</div>
<div>
<p
class="MsoNormal"><span
lang="EN-US">See
<a
href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert%2Fissues%2F377&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=D4KPoI9FuCxKdr9yp378P8kEzjJq9wX%2FUEj%2F0SDufv4%3D&reserved=0"
target="_blank" moz-do-not-send="true">
https://github.com/cabforum/servercert/issues/377</a></span></p>
</div>
<div>
<p
class="MsoNormal"><span
lang="EN-US"> </span></p>
</div>
<div>
<p
class="MsoNormal"><span
lang="EN-US"><a
href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FBenWilson-Mozilla%2Fservercert%2Fcommit%2F52a480803beff1f96d61c4b6d76570ac7adff4d5&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=LOfjUsptzgpQxI1k6K8oUgU0aj2LDncd48ZzuXe86Hs%3D&reserved=0"
target="_blank" moz-do-not-send="true">https://github.com/BenWilson-Mozilla/servercert/commit/52a480803beff1f96d61c4b6d76570ac7adff4d5</a></span></p>
</div>
<div>
<p
class="MsoNormal"><span
lang="EN-US"> </span></p>
</div>
<div>
<p
class="MsoNormal"><span
lang="EN-US">I'm
looking for
comments,
suggestions,
and two
endorsers.</span></p>
</div>
<div>
<p
class="MsoNormal"><span
lang="EN-US"> </span></p>
</div>
<div>
<p
class="MsoNormal"><span
lang="EN-US">Thanks,</span></p>
</div>
<div>
<p
class="MsoNormal"><span
lang="EN-US"> </span></p>
</div>
<div>
<p
class="MsoNormal"><span
lang="EN-US">Ben</span></p>
</div>
</div>
<p
class="MsoNormal"><span
lang="EN-US">_______________________________________________<br>
Servercert-wg
mailing list<br>
<a
href="mailto:Servercert-wg@cabforum.org"
target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a><br>
<a
href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=iis%2B0QIl3jXlnwoZxV15jIUE%2FGB%2FtJyHdECcBBoSrcQ%3D&reserved=0"
target="_blank" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a></span></p>
</blockquote>
</div>
<p
class="MsoNormal"
style="margin-bottom:12pt"><span lang="EN-US"> </span></p>
<pre><span lang="EN-US">_______________________________________________</span></pre>
<pre><span lang="EN-US">Servercert-wg mailing list</span></pre>
<pre><span lang="EN-US"><a href="mailto:Servercert-wg@cabforum.org" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a></span></pre>
<pre><span lang="EN-US"><a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=iis%2B0QIl3jXlnwoZxV15jIUE%2FGB%2FtJyHdECcBBoSrcQ%3D&reserved=0" target="_blank" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a></span></pre>
</blockquote>
<p
class="MsoNormal"><span
lang="EN-US"> </span></p>
</div>
<p
class="MsoNormal"><span
lang="EN-US">_______________________________________________<br>
Servercert-wg
mailing list<br>
<a
href="mailto:Servercert-wg@cabforum.org"
target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a><br>
<a
href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=iis%2B0QIl3jXlnwoZxV15jIUE%2FGB%2FtJyHdECcBBoSrcQ%3D&reserved=0"
target="_blank" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a></span></p>
</blockquote>
</div>
</blockquote>
<p
class="MsoNormal"><span
lang="EN-US"> </span></p>
</div>
</div>
</blockquote>
<p
class="MsoNormal"><span
lang="EN-US"> </span></p>
</div>
</blockquote>
</div>
</blockquote>
<p
class="MsoNormal"><span
lang="EN-US"> </span></p>
</div>
</blockquote>
</div>
<p
class="MsoNormal"><span
lang="EN-US">_______________________________________________<br>
Servercert-wg
mailing list<br>
<a
href="mailto:Servercert-wg@cabforum.org"
target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a><br>
<a
href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=iis%2B0QIl3jXlnwoZxV15jIUE%2FGB%2FtJyHdECcBBoSrcQ%3D&reserved=0"
target="_blank" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a></span></p>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
Servercert-wg mailing list<br>
<a
href="mailto:Servercert-wg@cabforum.org"
target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a><br>
<a
href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688965625%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=rOfjT8%2B0oEL1XaQtLBTQ5EQOkSK3lJR0AbU1lVyZF68%3D&reserved=0"
target="_blank"
moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a></p>
</blockquote>
</div>
</div>
</div>
_______________________________________________<br>
Servercert-wg mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a><br>
<a
href="https://lists.cabforum.org/mailman/listinfo/servercert-wg"
rel="noreferrer" target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><br>
</div>
</blockquote>
</div>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
Servercert-wg mailing list
<a href="mailto:Servercert-wg@cabforum.org" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a>
<a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a>
</pre>
</blockquote>
<br>
</div>
_______________________________________________<br>
Servercert-wg mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a><br>
<a
href="https://lists.cabforum.org/mailman/listinfo/servercert-wg"
rel="noreferrer" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><br>
</blockquote>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</body>
</html>