<div dir="ltr">Great - thanks.<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jan 5, 2023 at 10:06 AM Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr">dzacharo@harica.gr</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
Hi Ben,<br>
<br>
I saw your comments with proposed language, and here are my
thoughts, in-line:<br>
<br>
<div>On 4/1/2023 8:50 μ.μ., Ben Wilson
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Hi Dimitris, <br>
</div>
<div><br>
</div>
<div>I have submitted two comments that I think need to be
resolved.</div>
<div><br>
</div>
<div>I think the first "1" should be written as:</div>
<div><br>
</div>
<div>
The Subscriber requests in writing, <em><strong>without
giving a reason required to be specified by this section
4.9.1.1,</strong></em> that the CA revoke the ..."
</div>
<div><br>
</div>
</div>
</blockquote>
<br>
I prefer your <a href="https://github.com/cabforum/servercert/pull/405/files#r1061778056" target="_blank">earlier
comment</a> which says<br>
<br>
"1. The Subscriber requests in writing, <em><strong>without giving
a reason,</strong></em> that the CA revoke the ..."<br>
<br>
I believe this language is simpler as long as this option is
available to Subscribers that just want to revoke a certificate and
don't want to suggest a specific reason. I assume this is still
allowed.<br>
<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>Number 10 in the second list should be written as:</div>
<div><br>
</div>
<div>
"10. Revocation is required by the CA's Certificate Policy
and/or Certification Practice Statement <em><strong>for a
reason that is not otherwise required to be specified by
this section 4.9.1.1</strong></em> ..." <br>
</div>
</div>
</blockquote>
<br>
+1<br>
<br>
If you are ok with the first option, I will update the PR.<br>
<br>
Thanks!<br>
Dimitris.<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Ben<br>
</div>
<span><span></span></span>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, Nov 22, 2022 at 1:12
AM Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr" target="_blank">dzacharo@harica.gr</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div> I created <a href="https://github.com/cabforum/servercert/pull/405/files" target="_blank">https://github.com/cabforum/servercert/pull/405/files</a>
which includes some elements from your proposal and MRSP
language. <br>
<br>
I also did a comparison of BRs section 4.9.1.1 revocation
use cases that are already mentioned in MRSP section 6.1.1
(attached). There are only a few revocation use cases
mentioned in MRSP that are not explicitly described in
4.9.1.1 so we could try adding those to 4.9.1.1 for full
consistency.<br>
<br>
This proposal:<br>
<ul>
<li>explains the expectations for each reasonCode</li>
<li>preserves the existing 5 revocation use cases for 24h
and the 11 cases for 5-day that CAs/auditors are already
familiar with, and adds an explicit reasonCode per MRSP.<br>
</li>
</ul>
This presentation format is already familiar to CAs, less
ambiguous, and IMO minimizes the risk of implementing
incorrectly.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<br>
<div>On 17/11/2022 5:46 μ.μ., Ben Wilson wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Sounds good. Thanks, Dimitris.</div>
<div>Ben<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Nov 16, 2022
at 11:23 PM Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr" target="_blank">dzacharo@harica.gr</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div> <br>
<br>
<div>On 15/11/2022 6:11 μ.μ., Ben Wilson wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">That could simplify it, but
Mozilla's CRL Reason Code rules would still
supersede that section.<br>
</div>
</blockquote>
<br>
I don't see it as "superseding" but differently
"presented". Mozilla chose that particular
presentation format without taking into
consideration the time limits for revocation. <a href="https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md#611-end-entity-tls-certificate-crlrevocation-reasons" target="_blank">MRSP </a>only
mentions the reasons and expectations for using such
reasons. The BRs are more explicit in the use cases
and it's more important for the CA to know which
cases must be revoked within 24 hours and which ones
must be revoked within 5 days. It's a better
"starting point" for CAs, and that's that they are
used to follow. <br>
<br>
I believe we can successfully update 4.9.1.1 to
aligned with MRSP section 6.1 without changing the
current presentation format of revocation use cases
in the BRs. If you are open to the idea, I can work
with you on a more concrete proposal and see how it
looks.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<blockquote type="cite"><br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, Nov
15, 2022 at 2:22 AM Dimitris Zacharopoulos
(HARICA) via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div>On 15/11/2022 1:02 π.μ., Ben Wilson via
Servercert-wg wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Thanks.</div>
<div><br>
</div>
<div>Any additional thoughts,
recommendations, etc.?</div>
</div>
</blockquote>
<br>
Hi Ben,<br>
<br>
I assume that the use cases described within
the parenthesis under 4.9.1.1 are "examples"
which means that the "i.e." should be
replaced with "e.g.". <br>
<br>
I am not very much in favor of the breakown
of subsections for each revocation
reasonCode which repeats the language
"SHOULD revoke within 24 hours and SHALL
revoke within 5 days" in various cases, and
gets especially confusing when the
Subscriber requests in writing, which can
apply to several reasonCodes.<br>
<br>
The previous attempt keeping the existing
structure that CAs/Auditors are already
familiar with, seems like a better approach.
That's because CAs already have controls in
place to handle "specific revocation use
cases" as they are listed in the current
sections 4.9.1.1 and 4.9.1.2. All we need to
do now is map those known cases to a
specific RFC5280 reasonCode.<br>
<br>
If additional revocation use cases have been
documented in MRSP, we can add those in <a href="http://4.9.1.1/2" target="_blank">4.9.1.1/2</a> as
needed.<br>
<br>
What do others think? Should we try to
minimize the changes to 4.9.1.1 and 4.9.1.2
or do a complete restructuring?<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Ben<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On
Thu, Nov 10, 2022 at 11:33 PM Roman
Fischer via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div lang="DE">
<div>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif">Dear
Ben,</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-US">Thanks for your
effort to make it better
understandable. Even for me
as a non-native speaker it’s
now much clearer when to use
which reasonCode (but it’s
still very complex!).</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-US"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-US">Could the
section</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">** The
privilegeWithdrawn
reasonCode <span style="background:yellow">
does not need to be made
available</span> to the
Subscriber as a revocation
reason option, because the
use of this reasonCode is
determined by the CA and not
the Subscriber.</span><span style="font-size:11pt" lang="EN-US"></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-US"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-US">be reformulated
to use one of the RFC 2119
terms? Maybe your intention
was “SHALL NOT be made
available”?</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-US"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-US">Kind regards<br>
Roman Fischer, SwissSign</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-US"> </span></p>
<div style="border-color:rgb(225,225,225) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-US">From:</span></b><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-US">
Servercert-wg <<a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank">servercert-wg-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Ben
Wilson via Servercert-wg<br>
<b>Sent:</b> Freitag, 11.
November 2022 00:53<br>
<b>To:</b> CA/B Forum
Server Certificate WG
Public Discussion List
<<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>><br>
<b>Subject:</b> Re:
[Servercert-wg] Proposal
to Incorporate Mozilla's
CRL Revocation Reason Code
Requirements into the BRs</span></p>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">All,</p>
</div>
<div>
<p class="MsoNormal">Here is
another iteration of a
proposal to incorporate
Mozilla's CRL reason code
requirements into the
Baseline Requirements. </p>
</div>
<div>
<p class="MsoNormal">I am
open to your suggestions
and recommendations on how
to make this better. </p>
</div>
<div>
<p class="MsoNormal">I'll
put another draft in
GitHub again after I
receive feedback.</p>
</div>
<div>
<p class="MsoNormal">Thanks,</p>
</div>
<div>
<p class="MsoNormal">Ben</p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On Tue,
Sep 20, 2022 at 10:16 PM
Ben Wilson via
Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>>
wrote:</p>
</div>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<p class="MsoNormal">Hi
Corey,</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">See
responses below.</p>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On
Wed, Sep 14, 2022 at
11:38 AM Corey
Bonnell <<a href="mailto:Corey.Bonnell@digicert.com" target="_blank">Corey.Bonnell@digicert.com</a>> wrote:</p>
</div>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Hi
Ben,</span></p>
<p class="MsoNormal"><span lang="EN-US">It
appears the
ballot text
has potential
divergences
from the
published
MRSP:</span></p>
<p class="MsoNormal"><span lang="EN-US">
</span></p>
</div>
</div>
</div>
</blockquote>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">1.
This ballot
prohibits
other
CRLReasons
from appearing
in CRLs. This
is
meaningfully
different from
MRSP, where
the new
requirements
are applicable
solely to
revocations
that occur on
or after the
effective
date.</span></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> I
think this can be
fixed with some
language changes.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">2.
There is no
requirement to
document
reason codes
in the
Subscriber
Agreement,
whereas there
is in MRSP. Is
this change
intentional?</span></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Not
exactly an
intentional
elimination of the
requirement, but I
can make the ballot
consistent with the
MRSP with some
language changes as
well. My idea was to
suggest that CAs
could incorporate
the necessary
information "by
reference" so that
the CRL reason code
explanations
wouldn't have to
appear fully in
Subscriber
Agreements or Terms
of Use.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">3.
Regarding
24-hour
revocation
reason #5: it
appears that
privilegeWithdrawn
is now
allowed.
According to
MRSP, only
superseded is
appropriate
for this case.</span></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">For
consistency, I'll
change this to
superseded only. </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">4.
Regarding
5-day
revocation
reason #9:
this is not a
scenario
listed in
MRSP. In other
words, this
revocation
scenario must
be denoted as
“unspecified”
as the
CRLReason
under MRSP.
Therefore, it
is not
possible to
satisfy both
the proposed
BR text and
MRSP.</span></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">That's
probably the
approach to take -
thanks. Another
possibility is to
move this revocation
reason down to
4.9.1.2 - CAs should
revoke the
intermediate CA
certificate(s)
rather than all end
entity certificates.
</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">5.
Regarding
5-day
revocation
reason #10:
this appears
to be like
scenario #7,
but it is
different in
that
revocation may
be required
even if
there’s no
violation of
the CP/CPS. I
don’t think
this scenario
is enumerated
in MRSP, so it
is not
possible to
specify a
reason code
that satisfies
both MRSP and
this ballot
for this
scenario.</span></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Kathleen
and I think that
this reason is in
the MRSP under the
section for the
superseded CRLReason
- "the CA operator
has revoked the
certificate for
compliance reasons
such as the
certificate does not
comply with this
policy, the
CA/Browser Forum's
Baseline
Requirements, or the
CA operator’s CP or
CPS". </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">More
generally, the
Defined Term
“Certificate”
should be used
throughout the
ballot for
consistency.</span></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Agreed.
Thanks.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">Thanks,</span></p>
<p class="MsoNormal"><span lang="EN-US">Corey</span></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Thanks,</p>
</div>
<div>
<p class="MsoNormal">Ben
</p>
</div>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<div style="border-style:solid none none;border-width:1pt medium medium;padding:3pt 0cm 0cm;border-color:currentcolor">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US">
Servercert-wg
<<a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank">servercert-wg-bounces@cabforum.org</a>>
<b>On Behalf
Of </b>Ben
Wilson via
Servercert-wg<br>
<b>Sent:</b>
Tuesday,
September 13,
2022 11:37 PM<br>
<b>To:</b> Ben
Wilson <<a href="mailto:bwilson@mozilla.com" target="_blank">bwilson@mozilla.com</a>>; CA/B Forum
Server
Certificate WG
Public
Discussion
List <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>><br>
<b>Subject:</b>
Re:
[Servercert-wg]
Proposal to
Incorporate
Mozilla's CRL
Revocation
Reason Code
Requirements
into the BRs</span></p>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Here
is the most
current
comparison:</span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"><a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert%2Fcompare%2Fbbca71465ed8a8a76383086039f52c750009286a..1699612e5157423f607d67cc8ab9dc3a1d52b318&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=6U2qShXXY%2FWlUn2vWCqq0YB8yQAQxEiQXejzc6pCawE%3D&reserved=0" target="_blank">https://github.com/cabforum/servercert/compare/bbca71465ed8a8a76383086039f52c750009286a..1699612e5157423f607d67cc8ab9dc3a1d52b318</a></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Ben</span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">On
Mon, Sep 12,
2022 at 11:00
AM Ben Wilson
<<a href="mailto:bwilson@mozilla.com" target="_blank">bwilson@mozilla.com</a>>
wrote:</span></p>
</div>
<blockquote style="border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt 4.8pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)">
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Here
is another
edit that
tries to make
minimal
changes to BR
section
4.9.1.1.</span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"><a href="http://goog_144053405" target="_blank"><br>
</a></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"><a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FBenWilson-Mozilla%2Fservercert%2Fcommit%2F94a07d08855cf489a2bdddff7d8a9490969d5d06&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=h0d4CsixQeyG7GMzM2nqO3ScDRRM1EomVg%2BuwI3lBIc%3D&reserved=0" target="_blank">https://github.com/BenWilson-Mozilla/servercert/commit/94a07d08855cf489a2bdddff7d8a9490969d5d06</a></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Ben</span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">On
Mon, Sep 12,
2022 at 9:51
AM Ben Wilson
via
Servercert-wg
<<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>>
wrote:</span></p>
</div>
<blockquote style="border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt 4.8pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)">
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Thanks,
Dimitris. I'll
work on that
approach and
get something
back to you
soon.</span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Ben</span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">On
Mon, Sep 12,
2022 at 2:56
AM Dimitris
Zacharopoulos
(HARICA) <<a href="mailto:dzacharo@harica.gr" target="_blank">dzacharo@harica.gr</a>> wrote:</span></p>
</div>
<blockquote style="border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt 4.8pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)">
<div>
<p class="MsoNormal"><span lang="EN-US">Hi
Ben,<br>
<br>
After a quick
reading, I
noticed that
the
subsections
are not
symmetrical
and a bit
inconsistent.
For example,
some of them
contain the
statement "the
CA SHOULD
revoke a
certificate
within 24
hours and MUST
revoke a
Certificate
within 5
days", some do
not.<br>
<br>
Other
examples:</span></p>
<ul type="disc">
<li class="MsoNormal">
<span lang="EN-US">4.9.1.1.1,
is labeled
"Subscriber-Requested
Revocation",
however there
are other
subsections
that are also
"Subscriber-Requested". This separation seems confusing.</span></li>
<li class="MsoNormal">
<span lang="EN-US">4.9.1.1.4
is about
unreliable
validation but
most of the
remaining
subsections
are titled
after the RFC
5280
revocation
reasons.</span></li>
</ul>
<p class="MsoNormal" style="margin-bottom:12pt"><span lang="EN-US">Finally, it's not very
clear when the
"unspecified
(0)" reason
must be used
because of
section
4.9.1.1.8
(Other
Circumstances)
which doesn't
point to a
revocation
reason.<br>
<br>
>From my
perspective,
I'm not sure
if breaking
down each
subsection is
more helpful
for reading
the revocation
requirements
than the
current
listing. I
understand
there is a
desire to copy
the MRSP
language as
much as
possible but
perhaps we
need to
consider a
less
"intrusive"
set of changes
to a section
that CAs
already have a
difficult time
reading and
implementing.<br>
<br>
IMO we either
need to
describe the
revocation
scenario and
point to the
RFC 5280
revocation
reason (closer
to what the
BRs have
today), or
start with the
RFC 5280
revocation
reasons and
enumerate the
revocation
scenarios
(closer to
what MRSP has
today). I find
it confusing
to mix the two
approaches.<br>
<br>
<br>
Thanks,<br>
Dimitris.</span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">On
12/9/2022 6:32
π.μ., Ben
Wilson wrote:</span></p>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">For
review - here
is another
proposal that
takes BR
section
4.9.1.1 and
puts the
24-hour and
5-day
revocation
times into
subsections
that match the
CRL reason
codes. </span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"><a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FBenWilson-Mozilla%2Fservercert%2Fcommit%2Fb185a28fcc20d5853747e4506103823e3dc7c282&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=opmFVkFFcOqc3DWpy%2BwP%2B79ihMxBOPnZE34AGDSKjWY%3D&reserved=0" target="_blank">https://github.com/BenWilson-Mozilla/servercert/commit/b185a28fcc20d5853747e4506103823e3dc7c282</a></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Ben</span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">On
Thu, Sep 8,
2022 at 12:05
PM Dimitris
Zacharopoulos
(HARICA) <<a href="mailto:dzacharo@harica.gr" target="_blank">dzacharo@harica.gr</a>> wrote:</span></p>
</div>
<blockquote style="border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt 4.8pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)">
<div>
<p class="MsoNormal" style="margin-bottom:12pt"><span lang="EN-US">Good point.<br>
<br>
s/<i>expected/shall
use/<br>
<br>
</i></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">On
8/9/2022 8:26
μ.μ., Tim
Hollebeek
wrote:</span></p>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<div>
<p class="MsoNormal"><span lang="EN-US">I
would prefer
standard 2119
language
instead of an
“expectation”. There are no documented rules for what it means for a
CRLReason to
be expected to
be a certain
value.</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">-Tim</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<div style="border-style:none none none solid;border-width:medium medium medium 1.5pt;padding:0cm 0cm 0cm 4pt;border-color:currentcolor currentcolor currentcolor blue">
<div>
<div style="border-style:solid none none;border-width:1pt medium medium;padding:3pt 0cm 0cm;border-color:currentcolor">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US">
Servercert-wg
<a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank"><servercert-wg-bounces@cabforum.org></a>
<b>On Behalf
Of </b>Dimitris
Zacharopoulos
(HARICA) via
Servercert-wg<br>
<b>Sent:</b>
Thursday,
September 8,
2022 3:21 AM<br>
<b>To:</b> Ben
Wilson <a href="mailto:bwilson@mozilla.com" target="_blank"><bwilson@mozilla.com></a>;
CA/B Forum
Server
Certificate WG
Public
Discussion
List <a href="mailto:servercert-wg@cabforum.org" target="_blank"><servercert-wg@cabforum.org></a><br>
<b>Subject:</b>
Re:
[Servercert-wg]
Proposal to
Incorporate
Mozilla's CRL
Revocation
Reason Code
Requirements
into the BRs</span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal" style="margin-bottom:12pt"><span lang="EN-US"> </span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">On
7/9/2022 8:22
μ.μ., Ben
Wilson wrote:</span></p>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Good
suggestion. I
can re-work a
proposal that
re-writes BR
sec. 4.9.1.1
to re-group
the revocation
reasons into
the reason
codes that
should be
used. Is that
what you were
thinking? </span></p>
</div>
</div>
</blockquote>
<p class="MsoNormal"><span lang="EN-US"><br>
Yes. We should
also try to
keep the
current BRs
prioritization.
The section
begins with
the cases
where the
Certificate(s)
need to be
revoked within
24h and then
moves to the
5-day
revocation
cases.<br>
<br>
We could walk
this list down
making sure
that all
Mozilla cases
are listed
(add the ones
that are not)
and add the
expected
revocationReason
for each case.
For example:</span></p>
<p><i><span lang="EN-US">The
CA SHALL
revoke a
Certificate
within 24
hours if one
or more of the
following
occurs:</span></i><span lang="EN-US"></span></p>
<ol type="1" start="1">
<li class="MsoNormal">
<i><span lang="EN-US">The
Subscriber
requests in
writing that
the CA revoke
the
Certificate
(expected
CRLReason:<b>unspecified</b>);</span></i><span lang="EN-US"></span></li>
<li class="MsoNormal">
<i><span lang="EN-US">The
Subscriber
notifies the
CA that the
original
certificate
request was
not authorized
and does not
retroactively
grant
authorization
(expected
CRLReason:</span></i><b><i><span style="font-family:"Calibri",sans-serif" lang="EN-US">privilegeWithdrawn</span></i></b><i><span lang="EN-US">);</span></i><span lang="EN-US"></span></li>
<li class="MsoNormal">
<i><span lang="EN-US">The
CA obtains
evidence that
the
Subscriber's
Private Key
corresponding
to the Public
Key in the
Certificate
suffered a Key
Compromise
(expected
CRLReason:<b>keyCompromise</b>);</span></i><span lang="EN-US"></span></li>
<li class="MsoNormal">
<i><span lang="EN-US">The
CA is made
aware of a
demonstrated
or proven
method that
can easily
compute the
Subscriber's
Private Key
based on the
Public Key in
the
Certificate
(such as a
Debian weak
key, see </span></i><span lang="EN-US"><a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.debian.org%2FSSLkeys&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2FV7HivQUf9v8s2xTxi1rVgVbg7XfH9TtU4RjlKL0T6c%3D&reserved=0" target="_blank"><i>https://wiki.debian.org/SSLkeys</i></a><i>)
(expected
CRLReason:<b>keyCompromise</b>);</i></span></li>
<li class="MsoNormal">
<i><span lang="EN-US">The
CA obtains
evidence that
the validation
of domain
authorization
or control for
any
Fully-Qualified
Domain Name or
IP address in
the
Certificate
should not be
relied upon
(expected
CRLReason: </span></i><b><i><span style="font-family:"Calibri",sans-serif" lang="EN-US">superseded</span></i></b><i><span lang="EN-US">).</span></i><span lang="EN-US"></span></li>
</ol>
<p class="MsoNormal" style="margin-bottom:12pt"><span lang="EN-US">and so on.<br>
<br>
Does that
work?<br>
<br>
Dimitris.</span></p>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Thanks,</span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Ben</span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">On
Wed, Sep 7,
2022 at 6:01
AM Dimitris
Zacharopoulos
(HARICA) via
Servercert-wg
<<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>>
wrote:</span></p>
</div>
<blockquote style="border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt 4.8pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)">
<div>
<p class="MsoNormal" style="margin-bottom:12pt"><span lang="EN-US">Hi Ben,<br>
<br>
I believe the
proposal, as
written,
causes
confusion in
regards to
4.9.1.1. Some
of the reasons
described in
your proposal
are already
mentioned in
4.9.1.1.
Perhaps we
should work
some more to
"unify" the
two sections.<br>
<br>
My proposal
would be to
update 4.9.1.1
and include
the expected
CRLReason
after each
case.<br>
<br>
<br>
Thoughts?<br>
Dimitris.</span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">On
6/9/2022 8:13
μ.μ., Ben
Wilson via
Servercert-wg
wrote:</span></p>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">All,</span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">I'm
looking for
one more
endorser.</span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Thanks,</span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Ben</span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">On
Fri, Jul 29,
2022 at 12:40
PM Ben Wilson
via
Servercert-wg
<<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>>
wrote:</span></p>
</div>
<blockquote style="border-style:none none none solid;border-width:medium medium medium 1pt;padding:0cm 0cm 0cm 6pt;margin:5pt 0cm 5pt 4.8pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)">
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">All,</span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">I
have created a
proposal in
Github to
incorporate
Mozilla's CRL
Revocation
Reason Code
requirements
into the
Baseline
Requirements.
</span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">See
<a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert%2Fissues%2F377&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=D4KPoI9FuCxKdr9yp378P8kEzjJq9wX%2FUEj%2F0SDufv4%3D&reserved=0" target="_blank">
https://github.com/cabforum/servercert/issues/377</a></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"><a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FBenWilson-Mozilla%2Fservercert%2Fcommit%2F52a480803beff1f96d61c4b6d76570ac7adff4d5&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=LOfjUsptzgpQxI1k6K8oUgU0aj2LDncd48ZzuXe86Hs%3D&reserved=0" target="_blank">https://github.com/BenWilson-Mozilla/servercert/commit/52a480803beff1f96d61c4b6d76570ac7adff4d5</a></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">I'm
looking for
comments,
suggestions,
and two
endorsers.</span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Thanks,</span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Ben</span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US">_______________________________________________<br>
Servercert-wg
mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br>
<a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=iis%2B0QIl3jXlnwoZxV15jIUE%2FGB%2FtJyHdECcBBoSrcQ%3D&reserved=0" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a></span></p>
</blockquote>
</div>
<p class="MsoNormal" style="margin-bottom:12pt"><span lang="EN-US"> </span></p>
<pre><span lang="EN-US">_______________________________________________</span></pre>
<pre><span lang="EN-US">Servercert-wg mailing list</span></pre>
<pre><span lang="EN-US"><a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a></span></pre>
<pre><span lang="EN-US"><a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=iis%2B0QIl3jXlnwoZxV15jIUE%2FGB%2FtJyHdECcBBoSrcQ%3D&reserved=0" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a></span></pre>
</blockquote>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
<p class="MsoNormal"><span lang="EN-US">_______________________________________________<br>
Servercert-wg
mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br>
<a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=iis%2B0QIl3jXlnwoZxV15jIUE%2FGB%2FtJyHdECcBBoSrcQ%3D&reserved=0" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a></span></p>
</blockquote>
</div>
</blockquote>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
</div>
</blockquote>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
</blockquote>
</div>
</blockquote>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><span lang="EN-US">_______________________________________________<br>
Servercert-wg
mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br>
<a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688809839%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=iis%2B0QIl3jXlnwoZxV15jIUE%2FGB%2FtJyHdECcBBoSrcQ%3D&reserved=0" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a></span></p>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
Servercert-wg mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br>
<a href="https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg&data=05%7C01%7Croman.fischer%40swisssign.com%7Ce95c13967f6d4cffa0db08dac376a9d2%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638037211688965625%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=rOfjT8%2B0oEL1XaQtLBTQ5EQOkSK3lJR0AbU1lVyZF68%3D&reserved=0" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a></p>
</blockquote>
</div>
</div>
</div>
_______________________________________________<br>
Servercert-wg mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" rel="noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><br>
</div>
</blockquote>
</div>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
Servercert-wg mailing list
<a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a>
<a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a>
</pre>
</blockquote>
<br>
</div>
_______________________________________________<br>
Servercert-wg mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" rel="noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><br>
</blockquote>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
</blockquote></div>