<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
Dear Members,<br>
<br>
While ballot SC-063 focuses on OCSP and short-lived certificates, it
also affects the requirements for CRL. I just want to highlight
these changes because they may not be very clear to Members.<br>
<ul>
<li>Issuing CRLs from all intermediate CAs becomes mandatory for
all cases, regardless if these CAs issue "short-lived"
Subscriber Certificates or not. This is not required today in
the BRs but it is a requirement by at least two Root Store
programs.</li>
<li>The current BRs state that if a CA that issues Subscriber
Certificates, produces CRLs, they need to re-issue those CRLs at
least once every 7 days. The ballot changes that frequency to 24
hours.</li>
</ul>
<p>For a CA that actively issues/revokes Subscriber Certificates,
this frequency makes sense. However, for CAs that are being
"phased-out" or no certificates are revoked, perhaps it doesn't.</p>
<p>The goal of issuing a CRL is to signal Relying Parties that a
Subscriber Certificate should no longer be trusted. Issuance of
that CRL should happen as soon as a certificate is marked
"revoked" by the CA. With that said, even 24h seems to be a long
time, considering that Apple implies (via their <a
moz-do-not-send="true"
href="https://www.apple.com/certificateauthority/ca_program.html">Root
Store Policy</a>) that they check for new CRLs every 4 hours.</p>
<p>Wouldn't it be better if Relying Parties were able to easily
check that a CRL has not changed and keep the information of the
previous one (cache), rather than downloading a new CRL, parsing
it only to discover that the contents are exactly the same as the
previous one?</p>
<p>We already have a requirement in section 4.9.7 that triggers the
issuance of a CRL within 24 hours if a Subordinate CA Certificates
is revoked, otherwise the frequency to issue such a CRL is once
every 12 months. <br>
</p>
<p>If people agree, I would like to keep the language for "online
CAs" to issue CRLs at least once every 7 days but issue and
publish within 4 hours if a Subscriber Certificate is revoked.
That approach would propagate the "revocation message" sooner to
Relying Parties and would also remove the unnecessary "cost" of
issuing CRLs unnecessarily (i.e. if no revocations take place).<br>
</p>
Thoughts?<br>
<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 27/4/2023 4:30 μ.μ., Ryan Dickson
via Servercert-wg wrote:<br>
</div>
<blockquote type="cite"
cite="mid:01000187c2e882b9-74e69f4e-03ef-49b8-b368-7dc65a99155f-000000@email.amazonses.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr"><span
id="gmail-docs-internal-guid-3eae98c4-7fff-f84f-81c4-fddf5167a9fe"><font
face="arial, sans-serif">
<p dir="ltr"
style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Purpose of Ballot SC-063:</span></p>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">This Ballot proposes updates to the </span><span style="color:rgb(0,0,0);background-color:transparent;font-style:italic;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates</span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> related to making Online Certificate Status Protocol (OCSP) services </span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">optional</span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> for CAs. This proposal does </span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">not</span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> prohibit or otherwise restrict CAs who choose to continue supporting OCSP from doing so. If CAs continue supporting OCSP, the </span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">same</span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> requirements apply as they exist today.</span></p>
<p dir="ltr"
style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font
style="color:rgb(34,34,34);font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"
face="arial, sans-serif"><br>
</font></p>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:10pt"><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Additionally, this proposal introduces changes related to CRL requirements to include:</span></p>
<ul style="margin-top:0px;margin-bottom:0px">
<li dir="ltr" style="list-style-type:disc;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Establishing a detailed CRL profile, consistent with the certificate profiles introduced in Version 2.0.0 of the Baseline Requirements.</span></p></li>
<li dir="ltr" style="list-style-type:disc;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">CAs MUST generate and publish either:</span></p></li>
<ul style="margin-top:0px;margin-bottom:0px">
<li dir="ltr" style="list-style-type:circle;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">a full and complete CRL; OR </span></p></li>
<li dir="ltr" style="list-style-type:circle;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">partitioned CRLs (sometimes called “sharded” CRLs), that when aggregated, represent the equivalent of a full and complete CRL.</span></p></li>
</ul>
<li dir="ltr" style="list-style-type:disc;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">CAs MUST include the corresponding HTTP URI for </span><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">either</span><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> the full and complete </span><span style="background-color:transparent;font-style:italic;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">or</span><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> partitioned/sharded CRL in the CRL Distribution Point extension of subscriber certificates.</span></p></li>
<li dir="ltr" style="list-style-type:disc;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">CRLs MUST be updated and reissued once daily.</span></p></li>
</ul>
<p dir="ltr"
style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font
style="color:rgb(34,34,34);font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"
face="arial, sans-serif"><br>
</font></p>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Finally, the proposal revisits the concept of a “short-lived” certificate, introduced in </span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap"><a href="https://cabforum.org/2015/11/11/ballot-153-short-lived-certificates/" moz-do-not-send="true">Ballot 153</a></span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">. </span><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap">As described in this ballot, short-lived certificates (sometimes called “short-term certificates” in ETSI </span><a
href="https://www.etsi.org/deliver/etsi_en/319400_319499/31941201/01.04.04_60/en_31941201v010404p.pdf"
style="color:rgb(17,85,204);text-decoration-line:none"
moz-do-not-send="true"><span style="color:rgb(74,110,224);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">specifications</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap">) are:</span></p>
<ul style="margin-top:0px;margin-bottom:0px">
<li><span
id="gmail-docs-internal-guid-3eae98c4-7fff-f84f-81c4-fddf5167a9fe"><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-weight:700;vertical-align:baseline;white-space:pre-wrap">optional</span><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">. CAs will </span><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">not</span><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> be required to issue short-lived certificates. For TLS certificates that do not meet the definition of a short-lived certificate introduced in this proposed update, the current maximum validity period of 398 days remains applicable. </span></span></li>
<li><b>constrained to an initial maximum validity period
of ten (10) days.</b><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> The proposal stipulates that short-lived certificates issued on or after 15 March 2026 must not have a Validity Period greater than seven (7) days.</span></li>
<li><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-weight:700;vertical-align:baseline;white-space:pre-wrap">not required to contain a CRLDP or OCSP pointer and are not required to be revoked</span><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">. The primary mechanism of certificate invalidation for these short-lived certificates would be through certificate expiry. CAs may </span><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">optionally</span><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> revoke short-lived certificates. The initial maximum certificate validity is aligned with the existing maximum values for CRL “nextUpdate” and OCSP response validity allowed by the BRs today. </span><br>
</li>
</ul>
<p dir="ltr"
style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font
face="arial, sans-serif"><br>
</font></p>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Additional background, justification, and considerations are outlined </span><a
href="https://docs.google.com/document/d/180T6cDSWPy54Rb5d6R4zN7MuLEMShaZ4IRLQgdPqE98/edit"
style="text-decoration-line:none" moz-do-not-send="true"><span style="color:rgb(74,110,224);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">here</span></a><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">.</span></p>
<p dir="ltr"
style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font
face="arial, sans-serif"><br>
<br>
</font></p>
<p dir="ltr"
style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">The following motion has been proposed by Ryan Dickson and Chris Clements of Google (Chrome Root Program) and endorsed by </span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Kiran Tummala</span><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> of Microsoft and </span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Tim Callan</span><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> of Sectigo.</span></p>
<p dir="ltr"
style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font
face="arial, sans-serif"><br>
</font></p>
<p dir="ltr"
style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">— Motion Begins —</span></p>
<p dir="ltr"
style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font
face="arial, sans-serif"><br>
</font></p>
<p dir="ltr"
style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 2.0.0.</span></p>
<p dir="ltr"
style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font
face="arial, sans-serif"><br>
</font></p>
<p dir="ltr"
style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">MODIFY the Baseline Requirements as specified in the following Redline: </span></p>
</font>
<p dir="ltr"
style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><a
href="https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3..6ff4a7b332f46a8a54cc36e16d1299373d31efe9"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3..6ff4a7b332f46a8a54cc36e16d1299373d31efe9</a> </p>
<font face="arial, sans-serif">
<p dir="ltr"
style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font
face="arial, sans-serif"><br>
</font></p>
<p dir="ltr"
style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">— Motion Ends —</span></p>
<p dir="ltr"
style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font
face="arial, sans-serif"><br>
</font></p>
<p dir="ltr"
style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:</span></p>
<p dir="ltr"
style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font
face="arial, sans-serif"><br>
</font></p>
<p dir="ltr"
style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Discussion (14+ days)</span></p>
<ul style="margin-top:0px;margin-bottom:0px">
<li dir="ltr" style="list-style-type:disc;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre;margin-left:11pt"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Start time: 2023-04-27 13:30:00 UTC</span></p></li>
<li dir="ltr" style="list-style-type:disc;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre;margin-left:11pt"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">End time: Not before 2023-05-11 13:30:00 UTC</span></p></li>
</ul>
<p dir="ltr"
style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font
face="arial, sans-serif"><br>
</font></p>
<p dir="ltr"
style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Vote for approval (7 days)</span></p>
<ul style="margin-top:0px;margin-bottom:0px">
<li dir="ltr" style="list-style-type:disc;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre;margin-left:11pt"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Start time: TBD</span></p></li>
<li dir="ltr" style="list-style-type:disc;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre;margin-left:11pt"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">End time: TBD</span></p></li>
</ul>
</font></span></div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Servercert-wg mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Servercert-wg@cabforum.org">Servercert-wg@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/servercert-wg">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a>
</pre>
</blockquote>
<br>
</body>
</html>