<div dir="ltr">Hi Ryan,<div><br></div><div>Thanks so much for pushing this ballot forward. I'm looking forward to this set of changes.</div><div><br></div><div>I've left a few editorial comments on the GitHub PR itself (<a href="https://github.com/cabforum/servercert/pull/414">https://github.com/cabforum/servercert/pull/414</a>), but I figured for my more substantive discussion items, it would be better to do those on-list.</div><div><br></div><div>1. What does it mean to "support on-line revocation checking via OCSP"?</div><div><br></div><div>In particular, what if a given certificate does not contain an OCSP URL, but someone could manually construct an OCSP request for that certificate to the CA's *previous* OCSP URL, and get a response -- does that count as "support"? This is relevant due to the need to transition from supporting OCSP to not supporting OCSP. A CA cannot simply stop including OCSP URLs in their certs and turn off their OCSP service at the same time; the service needs to continue running until after the last cert with its URL embedded expires. If that service were incidentally capable of providing OCSP responses even for certificates that do not embed its URL, what requirements would apply to it?</div><div><br></div><div>2. The prohibition on "indirect CRLs".</div><div><br></div><div>While I totally agree that we should not have CA Foo issuing CRLs which cover certificates issued by CA Bar, the prohibition on indirect CRLs seems to have a negative side-effect: it means that CAs cannot use "delegated CRL issuers". This may not be a real loss; I believe that CAs have generally found that Delegated OCSP Signers cause more trouble than they're worth, and the same is likely true for Delegated CRL Issuers. But Let's Encrypt has been considering the possibility of using delegated signers in order to keep separate sets of issuing intermediates in each secure site, but still have every site capable of providing revocation information on behalf of all issuing intermediates.</div><div><br></div><div>I don't recall discussing this particular provision in previous discussion (and I can't find it in minutes for meetings I missed), so can we hear a little bit more about the motivations behind this requirement?</div><div><br></div><div>3. Required inclusion of CRL Distribution Point URLs.</div><div><br></div><div>In this morning's meeting, we discussed the potential costs of requiring CAs to update their CRLs daily. Let's Encrypt already re-issued our CRLs every few hours, so this does not concern me.</div><div><br></div><div>However, those CRLs are only discoverable via CCADB. No HTTP client or meddling router can download them, because they simply aren't aware that they exist. As soon as the CRL URLs are included directly in end-entity certificates, I'm certain that a number of certificate consumers will begin executing old codepaths and downloading them directly.</div><div><br></div><div>During normal operation, Let's Encrypt's CRLs total to (order-of-magnitude) 50MB every issuance cycle. They're updated once every few hours, and downloaded on a similar cadence. That's trivially sustainable, and significantly cheaper than serving OCSP. But if hundreds of thousands of clients begin downloading those CRLs directly, it's going to be a very different story.</div><div><br></div><div>So I'd love to hear from other CAs a) how many certificates you have which embed a CRLDP, and b) how many requests-per-second you receive for that CRLDP as a result.<br></div><div><br></div><div>Thanks again!</div><div>Aaron</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Apr 27, 2023 at 6:30 AM Ryan Dickson via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><span id="m_-5321387420847829804gmail-docs-internal-guid-3eae98c4-7fff-f84f-81c4-fddf5167a9fe"><font face="arial, sans-serif"><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Purpose of Ballot SC-063:</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">This Ballot proposes updates to the </span><span style="color:rgb(0,0,0);background-color:transparent;font-style:italic;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates</span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> related to making Online Certificate Status Protocol (OCSP) services </span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">optional</span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> for CAs. This proposal does </span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">not</span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> prohibit or otherwise restrict CAs who choose to continue supporting OCSP from doing so. If CAs continue supporting OCSP, the </span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">same</span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> requirements apply as they exist today.</span></p><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font face="arial, sans-serif" style="color:rgb(34,34,34);font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><br></font></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:10pt"><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Additionally, this proposal introduces changes related to CRL requirements to include:</span></p><ul style="margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type:disc;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Establishing a detailed CRL profile, consistent with the certificate profiles introduced in Version 2.0.0 of the Baseline Requirements.</span></p></li><li dir="ltr" style="list-style-type:disc;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">CAs MUST generate and publish either:</span></p></li><ul style="margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type:circle;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">a full and complete CRL; OR </span></p></li><li dir="ltr" style="list-style-type:circle;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">partitioned CRLs (sometimes called “sharded” CRLs), that when aggregated, represent the equivalent of a full and complete CRL.</span></p></li></ul><li dir="ltr" style="list-style-type:disc;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">CAs MUST include the corresponding HTTP URI for </span><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">either</span><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> the full and complete </span><span style="background-color:transparent;font-style:italic;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">or</span><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> partitioned/sharded CRL in the CRL Distribution Point extension of subscriber certificates.</span></p></li><li dir="ltr" style="list-style-type:disc;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">CRLs MUST be updated and reissued once daily.</span></p></li></ul><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font face="arial, sans-serif" style="color:rgb(34,34,34);font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><br></font></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Finally, the proposal revisits the concept of a “short-lived” certificate, introduced in </span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap"><a href="https://cabforum.org/2015/11/11/ballot-153-short-lived-certificates/" target="_blank">Ballot 153</a></span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">. </span><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap">As described in this ballot, short-lived certificates (sometimes called “short-term certificates” in ETSI </span><a href="https://www.etsi.org/deliver/etsi_en/319400_319499/31941201/01.04.04_60/en_31941201v010404p.pdf" style="color:rgb(17,85,204);text-decoration-line:none" target="_blank"><span style="color:rgb(74,110,224);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">specifications</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap">) are:</span></p><ul style="margin-top:0px;margin-bottom:0px"><li><span id="m_-5321387420847829804gmail-docs-internal-guid-3eae98c4-7fff-f84f-81c4-fddf5167a9fe"><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-weight:700;vertical-align:baseline;white-space:pre-wrap">optional</span><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">. CAs will </span><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">not</span><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> be required to issue short-lived certificates. For TLS certificates that do not meet the definition of a short-lived certificate introduced in this proposed update, the current maximum validity period of 398 days remains applicable. </span></span></li><li><b>constrained to an initial maximum validity period of ten (10) days.</b><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> The proposal stipulates that short-lived certificates issued on or after 15 March 2026 must not have a Validity Period greater than seven (7) days.</span></li><li><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-weight:700;vertical-align:baseline;white-space:pre-wrap">not required to contain a CRLDP or OCSP pointer and are not required to be revoked</span><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">. The primary mechanism of certificate invalidation for these short-lived certificates would be through certificate expiry. CAs may </span><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">optionally</span><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> revoke short-lived certificates. The initial maximum certificate validity is aligned with the existing maximum values for CRL “nextUpdate” and OCSP response validity allowed by the BRs today. </span><br></li></ul><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font face="arial, sans-serif"></font><font face="arial, sans-serif"><br></font></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Additional background, justification, and considerations are outlined </span><a href="https://docs.google.com/document/d/180T6cDSWPy54Rb5d6R4zN7MuLEMShaZ4IRLQgdPqE98/edit" style="text-decoration-line:none" target="_blank"><span style="color:rgb(74,110,224);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">here</span></a><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">.</span></p><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font face="arial, sans-serif"><br><br></font></p><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">The following motion has been proposed by Ryan Dickson and Chris Clements of Google (Chrome Root Program) and endorsed by </span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Kiran Tummala</span><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> of Microsoft and </span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Tim Callan</span><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> of Sectigo.</span></p><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font face="arial, sans-serif"><br></font></p><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">— Motion Begins —</span></p><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font face="arial, sans-serif"><br></font></p><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 2.0.0.</span></p><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font face="arial, sans-serif"><br></font></p><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">MODIFY the Baseline Requirements as specified in the following Redline: </span></p></font><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><a href="https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3..6ff4a7b332f46a8a54cc36e16d1299373d31efe9" target="_blank">https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3..6ff4a7b332f46a8a54cc36e16d1299373d31efe9</a> </p><font face="arial, sans-serif"><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font face="arial, sans-serif"><br></font></p><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">— Motion Ends —</span></p><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font face="arial, sans-serif"><br></font></p><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:</span></p><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font face="arial, sans-serif"><br></font></p><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Discussion (14+ days)</span></p><ul style="margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type:disc;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap;margin-left:11pt"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Start time: 2023-04-27 13:30:00 UTC</span></p></li><li dir="ltr" style="list-style-type:disc;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap;margin-left:11pt"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">End time: Not before 2023-05-11 13:30:00 UTC</span></p></li></ul><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font face="arial, sans-serif"><br></font></p><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Vote for approval (7 days)</span></p><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font face="arial, sans-serif"></font></p><ul style="margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type:disc;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap;margin-left:11pt"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Start time: TBD</span></p></li><li dir="ltr" style="list-style-type:disc;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap;margin-left:11pt"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">End time: TBD</span></p></li></ul></font></span></div>
_______________________________________________<br>
Servercert-wg mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" rel="noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><br>
</blockquote></div>