<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    Language updated in
<a class="moz-txt-link-freetext" href="https://github.com/cabforum/servercert/pull/405/commits/0a07e046326101ef3b57572daebd3cf45ff4840f">https://github.com/cabforum/servercert/pull/405/commits/0a07e046326101ef3b57572daebd3cf45ff4840f</a>.<br>
    <br>
    I don't see any other unresolved comments. Ben, please do one last
    review in case I missed something.<br>
    <br>
    <br>
    Thanks,<br>
    Dimitris.<br>
    <br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 5/1/2023 7:24 PM, Ben Wilson
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CA+1gtaY2SRQxHUL9DD-1wSMiCSRkUtPWXisdEp8b8FwzTBvevQ@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">Great - thanks.<br>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Thu, Jan 5, 2023 at 10:06
          AM Dimitris Zacharopoulos (HARICA) &lt;<a
            href="mailto:dzacharo@harica.gr" moz-do-not-send="true"
            class="moz-txt-link-freetext">dzacharo@harica.gr</a>&gt;
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px
          0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div> Hi Ben,<br>
            <br>
            I saw your comments with proposed language, and here are my
            thoughts, in-line:<br>
            <br>
            <div>On 4/1/2023 8:50 PM, Ben Wilson wrote:<br>
            </div>
            <blockquote type="cite">
              <div dir="ltr">
                <div>Hi Dimitris, <br>
                </div>
                <div><br>
                </div>
                <div>I have submitted two comments that I think need to
                  be resolved.</div>
                <div><br>
                </div>
                <div>I think the first "1" should be written as:</div>
                <div><br>
                </div>
                <div> "The Subscriber requests in writing, <em><strong>without
                      giving a reason required to be specified by this
                      section 4.9.1.1,</strong></em> that the CA revoke
                  the ..." </div>
                <div><br>
                </div>
              </div>
            </blockquote>
            <br>
            I prefer your <a
              href="https://github.com/cabforum/servercert/pull/405/files#r1061778056"
              target="_blank" moz-do-not-send="true">earlier comment</a>
            which says<br>
            <br>
            "1. The Subscriber requests in writing, <em><strong>without
                giving a reason,</strong></em> that the CA revoke the
            ..."<br>
            <br>
            I believe this language is simpler as long as this option is
            available to Subscribers that just want to revoke a
            certificate and don't want to suggest a specific reason. I
            assume this is still allowed.<br>
            <br>
            <br>
            <blockquote type="cite">
              <div dir="ltr">
                <div>Number 10 in the second list should be written as:</div>
                <div><br>
                </div>
                <div> "10. Revocation is required by the CA's
                  Certificate Policy and/or Certification Practice
                  Statement <em><strong>for a reason that is not
                      otherwise required to be specified by this section
                      4.9.1.1</strong></em> ..." <br>
                </div>
              </div>
            </blockquote>
            <br>
            +1<br>
            <br>
            If you are ok with the first option, I will update the PR.<br>
            <br>
            Thanks!<br>
            Dimitris.<br>
            <br>
            <blockquote type="cite">
              <div dir="ltr">
                <div><br>
                </div>
                <div>Ben<br>
                </div>
                <span><span></span></span> </div>
              <br>
              <div class="gmail_quote">
                <div dir="ltr" class="gmail_attr">On Tue, Nov 22, 2022
                  at 1:12 AM Dimitris Zacharopoulos (HARICA) &lt;<a
                    href="mailto:dzacharo@harica.gr" target="_blank"
                    moz-do-not-send="true" class="moz-txt-link-freetext">dzacharo@harica.gr</a>&gt;
                  wrote:<br>
                </div>
                <blockquote class="gmail_quote" style="margin:0px 0px
                  0px 0.8ex;border-left:1px solid
                  rgb(204,204,204);padding-left:1ex">
                  <div> I created <a
                      href="https://github.com/cabforum/servercert/pull/405/files"
                      target="_blank" moz-do-not-send="true"
                      class="moz-txt-link-freetext">https://github.com/cabforum/servercert/pull/405/files</a>
                    which includes some elements from your proposal and
                    MRSP language. <br>
                    <br>
                    I also did a comparison of BRs section 4.9.1.1
                    revocation use cases that are already mentioned in
                    MRSP section 6.1.1 (attached). There are only a few
                    revocation use cases mentioned in MRSP that are not
                    explicitly described in 4.9.1.1 so we could try
                    adding those to 4.9.1.1 for full consistency.<br>
                    <br>
                    This proposal:<br>
                    <ul>
                      <li>explains the expectations for each reasonCode</li>
                      <li>preserves the existing 5 revocation use cases
                        for 24h and the 11 cases for 5-day that
                        CAs/auditors are already familiar with, and adds
                        an explicit reasonCode per MRSP.<br>
                      </li>
                    </ul>
                    This presentation format is already familiar to CAs,
                    less ambiguous, and IMO minimizes the risk of
                    implementing incorrectly.<br>
                    <br>
                    <br>
                    Thanks,<br>
                    Dimitris.<br>
                    <br>
                    <br>
                    <div>On 17/11/2022 5:46 PM, Ben Wilson wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <div dir="ltr">
                        <div>Sounds good. Thanks, Dimitris.</div>
                        <div>Ben<br>
                        </div>
                      </div>
                      <br>
                      <div class="gmail_quote">
                        <div dir="ltr" class="gmail_attr">On Wed, Nov
                          16, 2022 at 11:23 PM Dimitris Zacharopoulos
                          (HARICA) &lt;<a
                            href="mailto:dzacharo@harica.gr"
                            target="_blank" moz-do-not-send="true"
                            class="moz-txt-link-freetext">dzacharo@harica.gr</a>&gt;
                          wrote:<br>
                        </div>
                        <blockquote class="gmail_quote"
                          style="margin:0px 0px 0px
                          0.8ex;border-left:1px solid
                          rgb(204,204,204);padding-left:1ex">
                          <div> <br>
                            <br>
                            <div>On 15/11/2022 6:11 PM, Ben Wilson
                              wrote:<br>
                            </div>
                            <blockquote type="cite">
                              <div dir="ltr">That could simplify it, but
                                Mozilla's CRL Reason Code rules would
                                still supersede that section.<br>
                              </div>
                            </blockquote>
                            <br>
                            I don't see it as "superseding" but
                            differently "presented". Mozilla chose that
                            particular presentation format without
                            taking into consideration the time limits
                            for revocation. <a
href="https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md#611-end-entity-tls-certificate-crlrevocation-reasons"
                              target="_blank" moz-do-not-send="true">MRSP
                            </a>only mentions the reasons and
                            expectations for using such reasons. The BRs
                            are more explicit in the use cases and it's
                            more important for the CA to know which
                            cases must be revoked within 24 hours and
                            which ones must be revoked within 5 days.
                            It's a better "starting point" for CAs, and
                            that's what they are used to follow. <br>
                            <br>
                            I believe we can successfully update 4.9.1.1
                            to align with MRSP section 6.1 without
                            changing the current presentation format of
                            revocation use cases in the BRs. If you are
                            open to the idea, I can work with you on a
                            more concrete proposal and see how it looks.<br>
                            <br>
                            <br>
                            Thanks,<br>
                            Dimitris.<br>
                            <br>
                            <blockquote type="cite"><br>
                              <div class="gmail_quote">
                                <div dir="ltr" class="gmail_attr">On
                                  Tue, Nov 15, 2022 at 2:22 AM Dimitris
                                  Zacharopoulos (HARICA) via
                                  Servercert-wg &lt;<a
                                    href="mailto:servercert-wg@cabforum.org"
                                    target="_blank"
                                    moz-do-not-send="true"
                                    class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>&gt;
                                  wrote:<br>
                                </div>
                                <blockquote class="gmail_quote"
                                  style="margin:0px 0px 0px
                                  0.8ex;border-left:1px solid
                                  rgb(204,204,204);padding-left:1ex">
                                  <div>
                                    <div>On 15/11/2022 1:02 AM, Ben
                                      Wilson via Servercert-wg wrote:<br>
                                    </div>
                                    <blockquote type="cite">
                                      <div dir="ltr">
                                        <div>Thanks.</div>
                                        <div><br>
                                        </div>
                                        <div>Any additional thoughts,
                                          recommendations, etc.?</div>
                                      </div>
                                    </blockquote>
                                    <br>
                                    Hi Ben,<br>
                                    <br>
                                    I assume that the use cases
                                    described within the parentheses
                                    under 4.9.1.1 are "examples" which
                                    means that the "i.e." should be
                                    replaced with "e.g.". <br>
                                    <br>
                                    I am not very much in favor of the
                                    breakdown of subsections for each
                                    revocation reasonCode which repeats
                                    the language "SHOULD revoke within
                                    24 hours and SHALL revoke within 5
                                    days" in various cases, and gets
                                    especially confusing when the
                                    Subscriber requests in writing,
                                    which can apply to several
                                    reasonCodes.<br>
                                    <br>
                                    The previous attempt keeping the
                                    existing structure that CAs/Auditors
                                    are already familiar with, seems
                                    like a better approach. That's
                                    because CAs already have controls in
                                    place to handle "specific revocation
                                    use cases" as they are listed in the
                                    current sections 4.9.1.1 and
                                    4.9.1.2. All we need to do now is
                                    map those known cases to a specific
                                    RFC5280 reasonCode.<br>
                                    <br>
                                    If additional revocation use cases
                                    have been documented in MRSP, we can
                                    add those in 4.9.1.1/2
                                    as needed.<br>
                                    <br>
                                    What do others think? Should we try
                                    to minimize the changes to 4.9.1.1
                                    and 4.9.1.2 or do a complete
                                    restructuring?<br>
                                    <br>
                                    <br>
                                    Thanks,<br>
                                    Dimitris.<br>
                                    <br>
                                    <br>
                                    <blockquote type="cite">
                                      <div dir="ltr">
                                        <div><br>
                                        </div>
                                        <div>Ben<br>
                                        </div>
                                      </div>
                                      <br>
                                      <div class="gmail_quote">
                                        <div dir="ltr"
                                          class="gmail_attr">On Thu, Nov
                                          10, 2022 at 11:33 PM Roman
                                          Fischer via Servercert-wg &lt;<a
href="mailto:servercert-wg@cabforum.org" target="_blank"
                                            moz-do-not-send="true"
                                            class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>&gt;
                                          wrote:<br>
                                        </div>
                                        <blockquote class="gmail_quote"
                                          style="margin:0px 0px 0px
                                          0.8ex;border-left:1px solid
                                          rgb(204,204,204);padding-left:1ex">
                                          <div>
                                            <div lang="DE">
                                              <div>
                                                <p class="MsoNormal"><span
style="font-size:11pt;font-family:'Calibri',sans-serif">Dear
                                                    Ben,</span></p>
                                                <p class="MsoNormal"><span
style="font-size:11pt;font-family:'Calibri',sans-serif">&nbsp;</span></p>
                                                <p class="MsoNormal"><span
style="font-size:11pt;font-family:'Calibri',sans-serif"
                                                    lang="EN-US">Thanks
                                                    for your effort to
                                                    make it better
                                                    understandable. Even
                                                    for me as a
                                                    non-native speaker
                                                    it’s now much
                                                    clearer when to use
                                                    which reasonCode
                                                    (but it’s still very
                                                    complex!).</span></p>
                                                <p class="MsoNormal"><span
style="font-size:11pt;font-family:'Calibri',sans-serif"
                                                    lang="EN-US"> </span></p>
                                                <p class="MsoNormal"><span
style="font-size:11pt;font-family:'Calibri',sans-serif"
                                                    lang="EN-US">Could
                                                    the section</span></p>
                                                <p class="MsoNormal"><span
style="font-size:11pt;font-family:'Calibri',sans-serif"
                                                    lang="EN-US"> </span></p>
                                                <p class="MsoNormal"><span
                                                    lang="EN-US">** The
                                                    privilegeWithdrawn
                                                    reasonCode <span
                                                      style="background:yellow">
                                                      does not need to
                                                      be made available</span>
                                                    to the Subscriber as
                                                    a revocation reason
                                                    option, because the
                                                    use of this
                                                    reasonCode is
                                                    determined by the CA
                                                    and not the
                                                    Subscriber.</span><span
style="font-size:11pt" lang="EN-US"></span></p>
                                                <p class="MsoNormal"><span
style="font-size:11pt;font-family:'Calibri',sans-serif"
                                                    lang="EN-US"> </span></p>
                                                <p class="MsoNormal"><span
style="font-size:11pt;font-family:'Calibri',sans-serif"
                                                    lang="EN-US">be
                                                    reformulated to use
                                                    one of the RFC 2119
                                                    terms? Maybe your
                                                    intention was “SHALL
                                                    NOT be made
                                                    available”?</span></p>
                                                <p class="MsoNormal"><span
style="font-size:11pt;font-family:'Calibri',sans-serif"
                                                    lang="EN-US"> </span></p>
                                                <p class="MsoNormal"><span
style="font-size:11pt;font-family:'Calibri',sans-serif"
                                                    lang="EN-US">Kind
                                                    regards<br>
                                                    Roman Fischer,
                                                    SwissSign</span></p>
                                                <p class="MsoNormal"><span
style="font-size:11pt;font-family:'Calibri',sans-serif"
                                                    lang="EN-US"> </span></p>
                                                <div
                                                  style="border-color:rgb(225,225,225)
                                                  currentcolor
                                                  currentcolor;border-style:solid
                                                  none
                                                  none;border-width:1pt
                                                  medium
                                                  medium;padding:3pt 0cm
                                                  0cm">
                                                  <p class="MsoNormal"><b><span
style="font-size:11pt;font-family:'Calibri',sans-serif"
                                                        lang="EN-US">From:</span></b><span
style="font-size:11pt;font-family:'Calibri',sans-serif"
                                                      lang="EN-US">
                                                      Servercert-wg &lt;<a
href="mailto:servercert-wg-bounces@cabforum.org" target="_blank"
                                                        moz-do-not-send="true"
class="moz-txt-link-freetext">servercert-wg-bounces@cabforum.org</a>&gt;
                                                      <b>On Behalf Of </b>Ben
                                                      Wilson via
                                                      Servercert-wg<br>
                                                      <b>Sent:</b>
                                                      Friday, 11
                                                      November 2022
                                                      00:53<br>
                                                      <b>To:</b> CA/B
                                                      Forum Server
                                                      Certificate WG
                                                      Public Discussion
                                                      List &lt;<a
                                                        href="mailto:servercert-wg@cabforum.org"
                                                        target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>&gt;<br>
                                                      <b>Subject:</b>
                                                      Re:
                                                      [Servercert-wg]
                                                      Proposal to
                                                      Incorporate
                                                      Mozilla's CRL
                                                      Revocation Reason
                                                      Code Requirements
                                                      into the BRs</span></p>
                                                </div>
                                                <p class="MsoNormal"> </p>
                                                <div>
                                                  <div>
                                                    <p class="MsoNormal">All,</p>
                                                  </div>
                                                  <div>
                                                    <p class="MsoNormal">Here
                                                      is another
                                                      iteration of a
                                                      proposal to
                                                      incorporate
                                                      Mozilla's CRL
                                                      reason code
                                                      requirements into
                                                      the Baseline
                                                      Requirements. </p>
                                                  </div>
                                                  <div>
                                                    <p class="MsoNormal">I
                                                      am open to your
                                                      suggestions and
                                                      recommendations on
                                                      how to make this
                                                      better. </p>
                                                  </div>
                                                  <div>
                                                    <p class="MsoNormal">I'll
                                                      put another draft
                                                      in GitHub again
                                                      after I receive
                                                      feedback.</p>
                                                  </div>
                                                  <div>
                                                    <p class="MsoNormal">Thanks,</p>
                                                  </div>
                                                  <div>
                                                    <p class="MsoNormal">Ben</p>
                                                  </div>
                                                </div>
                                                <p class="MsoNormal"> </p>
                                                <div>
                                                  <div>
                                                    <p class="MsoNormal">On
                                                      Tue, Sep 20, 2022
                                                      at 10:16 PM Ben
                                                      Wilson via
                                                      Servercert-wg &lt;<a
href="mailto:servercert-wg@cabforum.org" target="_blank"
                                                        moz-do-not-send="true"
class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>&gt; wrote:</p>
                                                  </div>
                                                  <blockquote
                                                    style="border-color:currentcolor
                                                    currentcolor
                                                    currentcolor
                                                    rgb(204,204,204);border-style:none
                                                    none none
                                                    solid;border-width:medium
                                                    medium medium
                                                    1pt;padding:0cm 0cm
                                                    0cm
                                                    6pt;margin-left:4.8pt;margin-right:0cm">
                                                    <div>
                                                      <div>
                                                        <p
                                                          class="MsoNormal">Hi
                                                          Corey,</p>
                                                      </div>
                                                      <div>
                                                        <p
                                                          class="MsoNormal"> </p>
                                                      </div>
                                                      <div>
                                                        <p
                                                          class="MsoNormal">See
                                                          responses
                                                          below.</p>
                                                      </div>
                                                      <p
                                                        class="MsoNormal"> </p>
                                                      <div>
                                                        <div>
                                                          <p
                                                          class="MsoNormal">On
                                                          Wed, Sep 14,
                                                          2022 at 11:38
                                                          AM Corey
                                                          Bonnell &lt;<a
href="mailto:Corey.Bonnell@digicert.com" target="_blank"
                                                          moz-do-not-send="true"
class="moz-txt-link-freetext">Corey.Bonnell@digicert.com</a>&gt; wrote:</p>
                                                        </div>
                                                        <blockquote
                                                          style="border-color:currentcolor
                                                          currentcolor
                                                          currentcolor
                                                          rgb(204,204,204);border-style:none
                                                          none none
                                                          solid;border-width:medium
                                                          medium medium
1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">Hi
                                                          Ben,</span></p>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">It
                                                          appears the
                                                          ballot text
                                                          has potential
                                                          divergences
                                                          from the
                                                          published
                                                          MRSP:</span></p>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> 
                                                          </span></p>
                                                          </div>
                                                          </div>
                                                          </div>
                                                        </blockquote>
                                                        <blockquote
                                                          style="border-color:currentcolor
                                                          currentcolor
                                                          currentcolor
                                                          rgb(204,204,204);border-style:none
                                                          none none
                                                          solid;border-width:medium
                                                          medium medium
1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">1.
                                                          This ballot
                                                          prohibits
                                                          other
                                                          CRLReasons
                                                          from appearing
                                                          in CRLs. This
                                                          is
                                                          meaningfully
                                                          different from
                                                          MRSP, where
                                                          the new
                                                          requirements
                                                          are applicable
                                                          solely to
                                                          revocations
                                                          that occur on
                                                          or after the
                                                          effective
                                                          date.</span></p>
                                                          </div>
                                                          </div>
                                                          </div>
                                                        </blockquote>
                                                        <div>
                                                          <p
                                                          class="MsoNormal"> </p>
                                                        </div>
                                                        <div>
                                                          <p
                                                          class="MsoNormal"> I
                                                          think this can
                                                          be fixed with
                                                          some language
                                                          changes.</p>
                                                        </div>
                                                        <div>
                                                          <p
                                                          class="MsoNormal"> </p>
                                                        </div>
                                                        <blockquote
                                                          style="border-color:currentcolor
                                                          currentcolor
                                                          currentcolor
                                                          rgb(204,204,204);border-style:none
                                                          none none
                                                          solid;border-width:medium
                                                          medium medium
1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">2.
                                                          There is no
                                                          requirement to
                                                          document
                                                          reason codes
                                                          in the
                                                          Subscriber
                                                          Agreement,
                                                          whereas there
                                                          is in MRSP. Is
                                                          this change
                                                          intentional?</span></p>
                                                          </div>
                                                          </div>
                                                          </div>
                                                        </blockquote>
                                                        <div>
                                                          <p
                                                          class="MsoNormal"> </p>
                                                        </div>
                                                        <div>
                                                          <p
                                                          class="MsoNormal">Not
                                                          exactly an
                                                          intentional
                                                          elimination of
                                                          the
                                                          requirement,
                                                          but I can make
                                                          the ballot
                                                          consistent
                                                          with the MRSP
                                                          with some
                                                          language
                                                          changes as
                                                          well. My idea
                                                          was to suggest
                                                          that CAs could
                                                          incorporate
                                                          the necessary
                                                          information
                                                          "by reference"
                                                          so that the
                                                          CRL reason
                                                          code
                                                          explanations
                                                          wouldn't have
                                                          to appear
                                                          fully in
                                                          Subscriber
                                                          Agreements or
                                                          Terms of Use.</p>
                                                        </div>
                                                        <div>
                                                          <p
                                                          class="MsoNormal"> </p>
                                                        </div>
                                                        <blockquote
                                                          style="border-color:currentcolor
                                                          currentcolor
                                                          currentcolor
                                                          rgb(204,204,204);border-style:none
                                                          none none
                                                          solid;border-width:medium
                                                          medium medium
1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">3.
                                                          Regarding
                                                          24-hour
                                                          revocation
                                                          reason #5: it
                                                          appears that
                                                          privilegeWithdrawn
                                                          is now
                                                          allowed.
                                                          According to
                                                          MRSP, only
                                                          superseded is
                                                          appropriate
                                                          for this case.</span></p>
                                                          </div>
                                                          </div>
                                                          </div>
                                                        </blockquote>
                                                        <div>
                                                          <p
                                                          class="MsoNormal"> </p>
                                                        </div>
                                                        <div>
                                                          <p
                                                          class="MsoNormal">For
                                                          consistency,
                                                          I'll change
                                                          this to
                                                          superseded
                                                          only. </p>
                                                        </div>
                                                        <div>
                                                          <p
                                                          class="MsoNormal"> </p>
                                                        </div>
                                                        <blockquote
                                                          style="border-color:currentcolor
                                                          currentcolor
                                                          currentcolor
                                                          rgb(204,204,204);border-style:none
                                                          none none
                                                          solid;border-width:medium
                                                          medium medium
1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">4.
                                                          Regarding
                                                          5-day
                                                          revocation
                                                          reason #9:
                                                          this is not a
                                                          scenario
                                                          listed in
                                                          MRSP. In other
                                                          words, this
                                                          revocation
                                                          scenario must
                                                          be denoted as
                                                          “unspecified”
                                                          as the
                                                          CRLReason
                                                          under MRSP.
                                                          Therefore, it
                                                          is not
                                                          possible to
                                                          satisfy both
                                                          the proposed
                                                          BR text and
                                                          MRSP.</span></p>
                                                          </div>
                                                          </div>
                                                          </div>
                                                        </blockquote>
                                                        <div>
                                                          <p
                                                          class="MsoNormal"> </p>
                                                        </div>
                                                        <div>
                                                          <p
                                                          class="MsoNormal">That's
                                                          probably the
                                                          approach to
                                                          take -
                                                          thanks. 
                                                          Another
                                                          possibility is
                                                          to move this
                                                          revocation
                                                          reason down to
                                                          4.9.1.2 - CAs
                                                          should revoke
                                                          the
                                                          intermediate
                                                          CA
                                                          certificate(s)
                                                          rather than
                                                          all end entity
                                                          certificates.
                                                          </p>
                                                        </div>
                                                        <div>
                                                          <p
                                                          class="MsoNormal"> </p>
                                                        </div>
                                                        <blockquote
                                                          style="border-color:currentcolor
                                                          currentcolor
                                                          currentcolor
                                                          rgb(204,204,204);border-style:none
                                                          none none
                                                          solid;border-width:medium
                                                          medium medium
1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">5. 
                                                          Regarding
                                                          5-day
                                                          revocation
                                                          reason #10:
                                                          this appears
                                                          to be like
                                                          scenario #7,
                                                          but it is
                                                          different in
                                                          that
                                                          revocation may
                                                          be required
                                                          even if
                                                          there’s no
                                                          violation of
                                                          the CP/CPS. I
                                                          don’t think
                                                          this scenario
                                                          is enumerated
                                                          in MRSP, so it
                                                          is not
                                                          possible to
                                                          specify a
                                                          reason code
                                                          that satisfies
                                                          both MRSP and
                                                          this ballot
                                                          for this
                                                          scenario.</span></p>
                                                          </div>
                                                          </div>
                                                          </div>
                                                        </blockquote>
                                                        <div>
                                                          <p
                                                          class="MsoNormal"> </p>
                                                        </div>
                                                        <div>
                                                          <p
                                                          class="MsoNormal">Kathleen
                                                          and I think
                                                          that this
                                                          reason is in
                                                          the MRSP under
                                                          the section
                                                          for the
                                                          superseded
                                                          CRLReason - 
                                                          "the CA
                                                          operator has
                                                          revoked the
                                                          certificate
                                                          for compliance
                                                          reasons such
                                                          as the
                                                          certificate
                                                          does not
                                                          comply with
                                                          this policy,
                                                          the CA/Browser
                                                          Forum's
                                                          Baseline
                                                          Requirements,
                                                          or the CA
                                                          operator’s CP
                                                          or CPS". </p>
                                                        </div>
                                                        <div>
                                                          <p
                                                          class="MsoNormal"> </p>
                                                        </div>
                                                        <blockquote
                                                          style="border-color:currentcolor
                                                          currentcolor
                                                          currentcolor
                                                          rgb(204,204,204);border-style:none
                                                          none none
                                                          solid;border-width:medium
                                                          medium medium
1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">More
                                                          generally, the
                                                          Defined Term
                                                          “Certificate”
                                                          should be used
                                                          throughout the
                                                          ballot for
                                                          consistency.</span></p>
                                                          </div>
                                                          </div>
                                                          </div>
                                                        </blockquote>
                                                        <div>
                                                          <p
                                                          class="MsoNormal"> </p>
                                                        </div>
                                                        <div>
                                                          <p
                                                          class="MsoNormal">Agreed. 
                                                          Thanks.</p>
                                                        </div>
                                                        <div>
                                                          <p
                                                          class="MsoNormal"> </p>
                                                        </div>
                                                        <blockquote
                                                          style="border-color:currentcolor
                                                          currentcolor
                                                          currentcolor
                                                          rgb(204,204,204);border-style:none
                                                          none none
                                                          solid;border-width:medium
                                                          medium medium
1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">Thanks,</span></p>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">Corey</span></p>
                                                          </div>
                                                          </div>
                                                          </div>
                                                        </blockquote>
                                                        <div>
                                                          <p
                                                          class="MsoNormal"> </p>
                                                        </div>
                                                        <div>
                                                          <p
                                                          class="MsoNormal">Thanks,</p>
                                                        </div>
                                                        <div>
                                                          <p
                                                          class="MsoNormal">Ben
                                                          </p>
                                                        </div>
                                                        <blockquote
                                                          style="border-color:currentcolor
                                                          currentcolor
                                                          currentcolor
                                                          rgb(204,204,204);border-style:none
                                                          none none
                                                          solid;border-width:medium
                                                          medium medium
1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          <div
                                                          style="border-style:solid
                                                          none
                                                          none;border-width:1pt
                                                          medium
                                                          medium;padding:3pt
                                                          0cm
                                                          0cm;border-color:currentcolor">
                                                          <p
                                                          class="MsoNormal"><b><span
                                                          lang="EN-US">From:</span></b><span
                                                          lang="EN-US">
                                                          Servercert-wg
                                                          &lt;<a
                                                          href="mailto:servercert-wg-bounces@cabforum.org"
target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg-bounces@cabforum.org</a>&gt;
                                                          <b>On Behalf
                                                          Of </b>Ben
                                                          Wilson via
                                                          Servercert-wg<br>
                                                          <b>Sent:</b>
                                                          Tuesday,
                                                          September 13,
                                                          2022 11:37 PM<br>
                                                          <b>To:</b> Ben
                                                          Wilson <<a
href="mailto:bwilson@mozilla.com" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">bwilson@mozilla.com</a>>; CA/B Forum
                                                          Server
                                                          Certificate WG
                                                          Public
                                                          Discussion
                                                          List <<a
                                                          href="mailto:servercert-wg@cabforum.org"
target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>><br>
                                                          <b>Subject:</b>
                                                          Re:
                                                          [Servercert-wg]
                                                          Proposal to
                                                          Incorporate
                                                          Mozilla's CRL
                                                          Revocation
                                                          Reason Code
                                                          Requirements
                                                          into the BRs</span></p>
                                                          </div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">Here
                                                          is the most
                                                          current
                                                          comparison:</span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"><a
href="https://github.com/cabforum/servercert/compare/bbca71465ed8a8a76383086039f52c750009286a..1699612e5157423f607d67cc8ab9dc3a1d52b318"
target="_blank" moz-do-not-send="true">https://github.com/cabforum/servercert/compare/bbca71465ed8a8a76383086039f52c750009286a..1699612e5157423f607d67cc8ab9dc3a1d52b318</a></span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">Ben</span></p>
                                                          </div>
                                                          </div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">On
                                                          Mon, Sep 12,
                                                          2022 at 11:00
                                                          AM Ben Wilson
                                                          <<a
                                                          href="mailto:bwilson@mozilla.com"
target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">bwilson@mozilla.com</a>>
                                                          wrote:</span></p>
                                                          </div>
                                                          <blockquote
                                                          style="border-style:none
                                                          none none
                                                          solid;border-width:medium
                                                          medium medium
1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt
                                                          4.8pt;border-color:currentcolor
                                                          currentcolor
                                                          currentcolor
                                                          rgb(204,204,204)">
                                                          <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">Here
                                                          is another
                                                          edit that
                                                          tries to make
                                                          minimal
                                                          changes to BR
                                                          section
                                                          4.9.1.1.</span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"><a
href="https://github.com/BenWilson-Mozilla/servercert/commit/94a07d08855cf489a2bdddff7d8a9490969d5d06"
target="_blank" moz-do-not-send="true">https://github.com/BenWilson-Mozilla/servercert/commit/94a07d08855cf489a2bdddff7d8a9490969d5d06</a></span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">Ben</span></p>
                                                          </div>
                                                          </div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">On
                                                          Mon, Sep 12,
                                                          2022 at 9:51
                                                          AM Ben Wilson
                                                          via
                                                          Servercert-wg
                                                          <<a
                                                          href="mailto:servercert-wg@cabforum.org"
target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>>
                                                          wrote:</span></p>
                                                          </div>
                                                          <blockquote
                                                          style="border-style:none
                                                          none none
                                                          solid;border-width:medium
                                                          medium medium
1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt
                                                          4.8pt;border-color:currentcolor
                                                          currentcolor
                                                          currentcolor
                                                          rgb(204,204,204)">
                                                          <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">Thanks,
                                                          Dimitris. I'll
                                                          work on that
                                                          approach and
                                                          get something
                                                          back to you
                                                          soon.</span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">Ben</span></p>
                                                          </div>
                                                          </div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">On
                                                          Mon, Sep 12,
                                                          2022 at 2:56
                                                          AM Dimitris
                                                          Zacharopoulos
                                                          (HARICA) <<a
href="mailto:dzacharo@harica.gr" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">dzacharo@harica.gr</a>> wrote:</span></p>
                                                          </div>
                                                          <blockquote
                                                          style="border-style:none
                                                          none none
                                                          solid;border-width:medium
                                                          medium medium
1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt
                                                          4.8pt;border-color:currentcolor
                                                          currentcolor
                                                          currentcolor
                                                          rgb(204,204,204)">
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">Hi
                                                          Ben,<br>
                                                          <br>
                                                          After a quick
                                                          reading, I
                                                          noticed that
                                                          the
                                                          subsections
                                                          are not
                                                          symmetrical
                                                          and a bit
                                                          inconsistent.
                                                          For example,
                                                          some of them
                                                          contain the
                                                          statement "the
                                                          CA SHOULD
                                                          revoke a
                                                          certificate
                                                          within 24
                                                          hours and MUST
                                                          revoke a
                                                          Certificate
                                                          within 5
                                                          days", some do
                                                          not.<br>
                                                          <br>
                                                          Other
                                                          examples:</span></p>
                                                          <ul
                                                          type="disc">
                                                          <li
                                                          class="MsoNormal">
                                                          <span
                                                          lang="EN-US">4.9.1.1.1 is labeled "Subscriber-Requested Revocation"; however, there are other subsections that are also "Subscriber-Requested". This separation seems confusing.</span></li>
                                                          <li
                                                          class="MsoNormal">
                                                          <span
                                                          lang="EN-US">4.9.1.1.4
                                                          is about
                                                          unreliable
                                                          validation but
                                                          most of the
                                                          remaining
                                                          subsections
                                                          are titled
                                                          after the RFC
                                                          5280
                                                          revocation
                                                          reasons.</span></li>
                                                          </ul>
                                                          <p
                                                          class="MsoNormal"
style="margin-bottom:12pt"><span lang="EN-US">Finally, it's not very
                                                          clear when the
                                                          "unspecified
                                                          (0)" reason
                                                          must be used
                                                          because of
                                                          section
                                                          4.9.1.1.8
                                                          (Other
                                                          Circumstances)
                                                          which doesn't
                                                          point to a
                                                          revocation
                                                          reason.<br>
                                                          <br>
                                                          From my
                                                          perspective,
                                                          I'm not sure
                                                          if breaking
                                                          down each
                                                          subsection is
                                                          more helpful
                                                          for reading
                                                          the revocation
                                                          requirements
                                                          than the
                                                          current
                                                          listing. I
                                                          understand
                                                          there is a
                                                          desire to copy
                                                          the MRSP
                                                          language as
                                                          much as
                                                          possible but
                                                          perhaps we
                                                          need to
                                                          consider a
                                                          less
                                                          "intrusive"
                                                          set of changes
                                                          to a section
                                                          that CAs
                                                          already have a
                                                          difficult time
                                                          reading and
                                                          implementing.<br>
                                                          <br>
                                                          IMO we either
                                                          need to
                                                          describe the
                                                          revocation
                                                          scenario and
                                                          point to the
                                                          RFC 5280
                                                          revocation
                                                          reason (closer
                                                          to what the
                                                          BRs have
                                                          today), or
                                                          start with the
                                                          RFC 5280
                                                          revocation
                                                          reasons and
                                                          enumerate the
                                                          revocation
                                                          scenarios
                                                          (closer to
                                                          what MRSP has
                                                          today). I find
                                                          it confusing
                                                          to mix the two
                                                          approaches.<br>
                                                          <br>
                                                          <br>
                                                          Thanks,<br>
                                                          Dimitris.</span></p>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">On
                                                          12/9/2022 6:32 AM, Ben Wilson wrote:</span></p>
                                                          </div>
                                                          <blockquote
                                                          style="margin-top:5pt;margin-bottom:5pt">
                                                          <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">For
                                                          review - here
                                                          is another
                                                          proposal that
                                                          takes BR
                                                          section
                                                          4.9.1.1 and
                                                          puts the
                                                          24-hour and
                                                          5-day
                                                          revocation
                                                          times into
                                                          subsections
                                                          that match the
                                                          CRL reason
                                                          codes.  </span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"><a
href="https://github.com/BenWilson-Mozilla/servercert/commit/b185a28fcc20d5853747e4506103823e3dc7c282"
target="_blank" moz-do-not-send="true">https://github.com/BenWilson-Mozilla/servercert/commit/b185a28fcc20d5853747e4506103823e3dc7c282</a></span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">Ben</span></p>
                                                          </div>
                                                          </div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">On
                                                          Thu, Sep 8,
                                                          2022 at 12:05
                                                          PM Dimitris
                                                          Zacharopoulos
                                                          (HARICA) <<a
href="mailto:dzacharo@harica.gr" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">dzacharo@harica.gr</a>> wrote:</span></p>
                                                          </div>
                                                          <blockquote
                                                          style="border-style:none
                                                          none none
                                                          solid;border-width:medium
                                                          medium medium
1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt
                                                          4.8pt;border-color:currentcolor
                                                          currentcolor
                                                          currentcolor
                                                          rgb(204,204,204)">
                                                          <div>
                                                          <p
                                                          class="MsoNormal"
style="margin-bottom:12pt"><span lang="EN-US">Good point.<br>
                                                          <br>
                                                          s/expected/shall use/<br>
                                                          <br>
                                                          </span></p>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">On
                                                          8/9/2022 8:26
                                                          PM, Tim
                                                          Hollebeek
                                                          wrote:</span></p>
                                                          </div>
                                                          <blockquote
                                                          style="margin-top:5pt;margin-bottom:5pt">
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">I
                                                          would prefer
                                                          standard 2119
                                                          language
                                                          instead of an
“expectation”.  There are no documented rules for what it means for a
                                                          CRLReason to
                                                          be expected to
                                                          be a certain
                                                          value.</span></p>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">-Tim</span></p>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          <div
                                                          style="border-style:none
                                                          none none
                                                          solid;border-width:medium
                                                          medium medium
1.5pt;padding:0cm 0cm 0cm 4pt;border-color:currentcolor currentcolor
                                                          currentcolor
                                                          blue">
                                                          <div>
                                                          <div
                                                          style="border-style:solid
                                                          none
                                                          none;border-width:1pt
                                                          medium
                                                          medium;padding:3pt
                                                          0cm
                                                          0cm;border-color:currentcolor">
                                                          <p
                                                          class="MsoNormal"><b><span
                                                          lang="EN-US">From:</span></b><span
                                                          lang="EN-US">
                                                          Servercert-wg
                                                          <a
                                                          href="mailto:servercert-wg-bounces@cabforum.org"
target="_blank" moz-do-not-send="true">&lt;servercert-wg-bounces@cabforum.org&gt;</a>
                                                          <b>On Behalf
                                                          Of </b>Dimitris
                                                          Zacharopoulos
                                                          (HARICA) via
                                                          Servercert-wg<br>
                                                          <b>Sent:</b>
                                                          Thursday,
                                                          September 8,
                                                          2022 3:21 AM<br>
                                                          <b>To:</b> Ben
                                                          Wilson <a
                                                          href="mailto:bwilson@mozilla.com"
target="_blank" moz-do-not-send="true">&lt;bwilson@mozilla.com&gt;</a>;
                                                          CA/B Forum
                                                          Server
                                                          Certificate WG
                                                          Public
                                                          Discussion
                                                          List <a
                                                          href="mailto:servercert-wg@cabforum.org"
target="_blank" moz-do-not-send="true">&lt;servercert-wg@cabforum.org&gt;</a><br>
                                                          <b>Subject:</b>
                                                          Re:
                                                          [Servercert-wg]
                                                          Proposal to
                                                          Incorporate
                                                          Mozilla's CRL
                                                          Revocation
                                                          Reason Code
                                                          Requirements
                                                          into the BRs</span></p>
                                                          </div>
                                                          </div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          <p
                                                          class="MsoNormal"
style="margin-bottom:12pt"><span lang="EN-US"> </span></p>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">On
                                                          7/9/2022 8:22
                                                          PM, Ben
                                                          Wilson wrote:</span></p>
                                                          </div>
                                                          <blockquote
                                                          style="margin-top:5pt;margin-bottom:5pt">
                                                          <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">Good
                                                          suggestion. I
                                                          can re-work a
                                                          proposal that
                                                          re-writes BR
                                                          sec. 4.9.1.1
                                                          to re-group
                                                          the revocation
                                                          reasons into
                                                          the reason
                                                          codes that
                                                          should be
                                                          used. Is that
                                                          what you were
                                                          thinking? </span></p>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"><br>
                                                          Yes. We should
                                                          also try to
                                                          keep the
                                                          current BRs
                                                          prioritization.
                                                          The section
                                                          begins with
                                                          the cases
                                                          where the
                                                          Certificate(s)
                                                          need to be
                                                          revoked within
                                                          24h and then
                                                          moves to the
                                                          5-day
                                                          revocation
                                                          cases.<br>
                                                          <br>
                                                          We could walk
                                                          this list down
                                                          making sure
                                                          that all
                                                          Mozilla cases
                                                          are listed
                                                          (add the ones
                                                          that are not)
                                                          and add the
                                                          expected
                                                          revocationReason
                                                          for each case.
                                                          For example:</span></p>
                                                          <p><i><span
                                                          lang="EN-US">The
                                                          CA SHALL
                                                          revoke a
                                                          Certificate
                                                          within 24
                                                          hours if one
                                                          or more of the
                                                          following
                                                          occurs:</span></i><span
                                                          lang="EN-US"></span></p>
                                                          <ol type="1"
                                                          start="1">
                                                          <li
                                                          class="MsoNormal">
                                                          <i><span
                                                          lang="EN-US">The
                                                          Subscriber
                                                          requests in
                                                          writing that
                                                          the CA revoke
                                                          the
                                                          Certificate
                                                          (expected
                                                          CRLReason: <b>unspecified</b>);</span></i><span
                                                          lang="EN-US"></span></li>
                                                          <li
                                                          class="MsoNormal">
                                                          <i><span
                                                          lang="EN-US">The
                                                          Subscriber
                                                          notifies the
                                                          CA that the
                                                          original
                                                          certificate
                                                          request was
                                                          not authorized
                                                          and does not
                                                          retroactively
                                                          grant
                                                          authorization
                                                          (expected
                                                          CRLReason: </span></i><b><i><span
style="font-family:'Calibri',sans-serif" lang="EN-US">privilegeWithdrawn</span></i></b><i><span
                                                          lang="EN-US">);</span></i><span
                                                          lang="EN-US"></span></li>
                                                          <li
                                                          class="MsoNormal">
                                                          <i><span
                                                          lang="EN-US">The
                                                          CA obtains
                                                          evidence that
                                                          the
                                                          Subscriber's
                                                          Private Key
                                                          corresponding
                                                          to the Public
                                                          Key in the
                                                          Certificate
                                                          suffered a Key
                                                          Compromise
                                                          (expected
                                                          CRLReason: <b>keyCompromise</b>);</span></i><span
                                                          lang="EN-US"></span></li>
                                                          <li
                                                          class="MsoNormal">
                                                          <i><span
                                                          lang="EN-US">The
                                                          CA is made
                                                          aware of a
                                                          demonstrated
                                                          or proven
                                                          method that
                                                          can easily
                                                          compute the
                                                          Subscriber's
                                                          Private Key
                                                          based on the
                                                          Public Key in
                                                          the
                                                          Certificate
                                                          (such as a
                                                          Debian weak
                                                          key, see </span></i><span
                                                          lang="EN-US"><a
href="https://wiki.debian.org/SSLkeys"
target="_blank" moz-do-not-send="true"><i>https://wiki.debian.org/SSLkeys</i></a><i>)
                                                          (expected
                                                          CRLReason: <b>keyCompromise</b>);</i></span></li>
                                                          <li
                                                          class="MsoNormal">
                                                          <i><span
                                                          lang="EN-US">The
                                                          CA obtains
                                                          evidence that
                                                          the validation
                                                          of domain
                                                          authorization
                                                          or control for
                                                          any
                                                          Fully-Qualified
                                                          Domain Name or
                                                          IP address in
                                                          the
                                                          Certificate
                                                          should not be
                                                          relied upon
                                                          (expected
                                                          CRLReason: </span></i><b><i><span
style="font-family:'Calibri',sans-serif" lang="EN-US">superseded</span></i></b><i><span
                                                          lang="EN-US">).</span></i><span
                                                          lang="EN-US"></span></li>
                                                          </ol>
                                                          <p
                                                          class="MsoNormal"
style="margin-bottom:12pt"><span lang="EN-US">and so on.<br>
                                                          <br>
                                                          Does that
                                                          work?<br>
                                                          <br>
                                                          Dimitris.</span></p>
                                                          <blockquote
                                                          style="margin-top:5pt;margin-bottom:5pt">
                                                          <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">Thanks,</span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">Ben</span></p>
                                                          </div>
                                                          </div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">On
                                                          Wed, Sep 7,
                                                          2022 at 6:01
                                                          AM Dimitris
                                                          Zacharopoulos
                                                          (HARICA) via
                                                          Servercert-wg
                                                          &lt;<a
                                                          href="mailto:servercert-wg@cabforum.org"
target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>&gt;
                                                          wrote:</span></p>
                                                          </div>
                                                          <blockquote
                                                          style="border-style:none
                                                          none none
                                                          solid;border-width:medium
                                                          medium medium
1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt
                                                          4.8pt;border-color:currentcolor
                                                          currentcolor
                                                          currentcolor
                                                          rgb(204,204,204)">
                                                          <div>
                                                          <p
                                                          class="MsoNormal"
style="margin-bottom:12pt"><span lang="EN-US">Hi Ben,<br>
                                                          <br>
                                                          I believe the
                                                          proposal, as
                                                          written,
                                                          causes
                                                          confusion in
                                                          regards to
                                                          4.9.1.1. Some
                                                          of the reasons
                                                          described in
                                                          your proposal
                                                          are already
                                                          mentioned in
                                                          4.9.1.1.
                                                          Perhaps we
                                                          should work
                                                          some more to
                                                          "unify" the
                                                          two sections.<br>
                                                          <br>
                                                          My proposal
                                                          would be to
                                                          update 4.9.1.1
                                                          and include
                                                          the expected
                                                          CRLReason
                                                          after each
                                                          case.<br>
                                                          <br>
                                                          <br>
                                                          Thoughts?<br>
                                                          Dimitris.</span></p>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">On
                                                          6/9/2022 8:13
                                                          PM, Ben
                                                          Wilson via
                                                          Servercert-wg
                                                          wrote:</span></p>
                                                          </div>
                                                          <blockquote
                                                          style="margin-top:5pt;margin-bottom:5pt">
                                                          <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">All,</span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">I'm
                                                          looking for
                                                          one more
                                                          endorser.</span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">Thanks,</span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">Ben</span></p>
                                                          </div>
                                                          </div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">On
                                                          Fri, Jul 29,
                                                          2022 at 12:40
                                                          PM Ben Wilson
                                                          via
                                                          Servercert-wg
                                                          &lt;<a
                                                          href="mailto:servercert-wg@cabforum.org"
target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>&gt;
                                                          wrote:</span></p>
                                                          </div>
                                                          <blockquote
                                                          style="border-style:none
                                                          none none
                                                          solid;border-width:medium
                                                          medium medium
1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt
                                                          4.8pt;border-color:currentcolor
                                                          currentcolor
                                                          currentcolor
                                                          rgb(204,204,204)">
                                                          <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">All,</span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">I
                                                          have created a
                                                          proposal in
                                                          GitHub to
                                                          incorporate
                                                          Mozilla's CRL
                                                          Revocation
                                                          Reason Code
                                                          requirements
                                                          into the
                                                          Baseline
                                                          Requirements.
                                                          </span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">See
                                                          <a
href="https://github.com/cabforum/servercert/issues/377"
target="_blank" moz-do-not-send="true">
https://github.com/cabforum/servercert/issues/377</a></span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"><a
href="https://github.com/BenWilson-Mozilla/servercert/commit/52a480803beff1f96d61c4b6d76570ac7adff4d5"
target="_blank" moz-do-not-send="true">https://github.com/BenWilson-Mozilla/servercert/commit/52a480803beff1f96d61c4b6d76570ac7adff4d5</a></span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">I'm
                                                          looking for
                                                          comments,
                                                          suggestions,
                                                          and two
                                                          endorsers.</span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">Thanks,</span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">Ben</span></p>
                                                          </div>
                                                          </div>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US">_______________________________________________<br>
                                                          Servercert-wg
                                                          mailing list<br>
                                                          <a
                                                          href="mailto:Servercert-wg@cabforum.org"
target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a><br>
                                                          <a
href="https://lists.cabforum.org/mailman/listinfo/servercert-wg"
target="_blank" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a></span></p>
                                                          </blockquote>
                                                          </div>
                                                          <p
                                                          class="MsoNormal"
style="margin-bottom:12pt"><span lang="EN-US"> </span></p>
                                                          </blockquote>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          </blockquote>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          </blockquote>
                                                          <p
                                                          class="MsoNormal"><span
                                                          lang="EN-US"> </span></p>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                        </blockquote>
                                                      </div>
                                                    </div>
                                                  </blockquote>
                                                </div>
                                              </div>
                                            </div>
                                          </div>
                                        </blockquote>
                                      </div>
                                      <br>
                                    </blockquote>
                                    <br>
                                  </div>
                                </blockquote>
                              </div>
                            </blockquote>
                            <br>
                          </div>
                        </blockquote>
                      </div>
                    </blockquote>
                    <br>
                  </div>
                </blockquote>
              </div>
            </blockquote>
            <br>
          </div>
        </blockquote>
      </div>
    </blockquote>
    <br>
  </body>
</html>