<div dir="ltr">Hi Aaron,<br><div><br></div><div>I think this concern might already be addressed in <a href="https://github.com/ryancdickson/staging/commit/2ab659ca36ab0f72318c5b9bec1121cd389f1035" target="_blank">this</a> commit (where I was responding to a comment from Wayne), which is part of an updated <a href="https://github.com/ryancdickson/staging/tree/make-ocsp-optional-updates" target="_blank">branch</a> that I plan on <a href="https://github.com/ryancdickson/staging/pull/3" target="_blank">merging</a> into the <a href="https://github.com/ryancdickson/staging/tree/make-ocsp-optional" target="_blank">initial effort</a> to kick off a second round of discussion (either tomorrow or early next week).</div><div><br></div><div>To further help prevent confusion, I <a href="https://github.com/ryancdickson/staging/commit/7012dafedd523d975d10a218f10998ef36f2c69c" target="_blank">collapsed</a> the separate crlDistributionPoints rows in the updated 7.1.2.7.6 into one, with a <a href="https://github.com/ryancdickson/staging/commit/0cb0ce3175e8863873b74f64d685b6495bafdc7e" target="_blank">note</a> indicating that the extension's presence is dependent upon the contents of Section 7.1.2.11.2 ("CRL Distribution Points").</div><div><br></div><div>In summary, the latest draft of the ballot text (not yet introduced for discussion):</div><div><ul><li>1.2.2 ("Relevant Dates"): Indicates that effective 3/15/2024, CAs must generate and publish CRLs (as described in the updated 4.9.7).  [unchanged from original draft]</li><li>7.1.2.7.6 ("Subscriber Certificate Extensions"): Indicates CRLDP must not be marked critical and points to 7.1.2.11.2 ("CRL Distribution Points) for additional context. [changed from original draft]</li><li>7.1.2.11.2 ("CRL Distribution Points"): Indicates that the crlDistributionPoints extension MUST be present in Subordinate CA Certificates and Subscriber Certificates that 1) are not Short-Lived Subscriber Certificates or 2) do not include an Authority Information Access extension with an id-ad-ocsp accessMethod. [changed from original draft]</li></ul></div><div><br></div><div>If you disagree, please let me know!</div><div><br></div><div>Thanks,</div><div>Ryan</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, May 9, 2023 at 8:09 PM Aaron Gable <<a href="mailto:aaron@letsencrypt.org" target="_blank">aaron@letsencrypt.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi Ryan,<div><br></div><div>In reviewing this ballot, I've noticed another aspect of it that I believe is unintended.</div><div><br></div><div>The ballot amends Section 1.2.2 Relevant Dates to say that "CAs MUST generate and publish CRLs" effective 2024-03-15.</div><div><br></div><div>However, it also amends 7.1.2.7.6 Subscriber Certificate Extensions to say that the crlDistributionPoints extension MUST be included in all non-Short-Lived Subscriber Certificates. This section was introduced in ballot SC-062, and (as noted in Section 7.1 Certificate Profile) has an effective date of 2023-09-15.</div><div><br></div><div>Therefore this ballot would actually require CAs to include CRLDP URLs (and therefore to generate and publish CRLs) as soon as September of this year, which I do not believe is this ballot's intent.</div><div><br></div><div>Thanks,</div><div>Aaron</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Apr 27, 2023 at 6:30 AM Ryan Dickson via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><span id="m_1633025936915386642m_7547965735220321212m_2462434252557095076m_-6383364571823901497m_7401852970201303171m_-4028541157736474452m_1141137417536047257m_7546795996051449146m_922471231840273952m_-5370034051393612132m_-3704058443176571191m_6856352747390314615gmail-docs-internal-guid-3eae98c4-7fff-f84f-81c4-fddf5167a9fe"><font face="arial, sans-serif"><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Purpose of Ballot SC-063:</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">This Ballot proposes updates to the </span><span style="color:rgb(0,0,0);background-color:transparent;font-style:italic;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates</span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> related to making Online Certificate Status Protocol (OCSP) services </span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">optional</span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> for CAs. This proposal does </span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">not</span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> prohibit or otherwise restrict CAs who choose to continue supporting OCSP from doing so. If CAs continue supporting OCSP, the </span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">same</span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> requirements apply as they exist today.</span></p><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font face="arial, sans-serif" style="color:rgb(34,34,34);font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><br></font></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:10pt"><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Additionally, this proposal introduces changes related to CRL requirements to include:</span></p><ul style="margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type:disc;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Establishing a detailed CRL profile, consistent with the certificate profiles introduced in Version 2.0.0 of the Baseline Requirements.</span></p></li><li dir="ltr" style="list-style-type:disc;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">CAs MUST generate and publish either:</span></p></li><ul style="margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type:circle;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">a full and complete CRL; OR </span></p></li><li dir="ltr" style="list-style-type:circle;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">partitioned CRLs (sometimes called “sharded” CRLs), that when aggregated, represent the equivalent of a full and complete CRL.</span></p></li></ul><li dir="ltr" style="list-style-type:disc;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">CAs MUST include the corresponding HTTP URI for </span><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">either</span><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> the full and complete </span><span style="background-color:transparent;font-style:italic;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">or</span><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> partitioned/sharded CRL in the CRL Distribution Point extension of subscriber certificates.</span></p></li><li dir="ltr" style="list-style-type:disc;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">CRLs MUST be updated and reissued once daily.</span></p></li></ul><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font face="arial, sans-serif" style="color:rgb(34,34,34);font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><br></font></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Finally, the proposal revisits the concept of a “short-lived” certificate, introduced in </span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap"><a href="https://cabforum.org/2015/11/11/ballot-153-short-lived-certificates/" target="_blank">Ballot 153</a></span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">. </span><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap">As described in this ballot, short-lived certificates (sometimes called “short-term certificates” in ETSI </span><a href="https://www.etsi.org/deliver/etsi_en/319400_319499/31941201/01.04.04_60/en_31941201v010404p.pdf" style="color:rgb(17,85,204);text-decoration-line:none" target="_blank"><span style="color:rgb(74,110,224);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">specifications</span></a><span style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap">) are:</span></p><ul style="margin-top:0px;margin-bottom:0px"><li><span id="m_1633025936915386642m_7547965735220321212m_2462434252557095076m_-6383364571823901497m_7401852970201303171m_-4028541157736474452m_1141137417536047257m_7546795996051449146m_922471231840273952m_-5370034051393612132m_-3704058443176571191m_6856352747390314615gmail-docs-internal-guid-3eae98c4-7fff-f84f-81c4-fddf5167a9fe"><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-weight:700;vertical-align:baseline;white-space:pre-wrap">optional</span><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">. CAs will </span><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">not</span><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> be required to issue short-lived certificates. For TLS certificates that do not meet the definition of a short-lived certificate introduced in this proposed update, the current maximum validity period of 398 days remains applicable. </span></span></li><li><b>constrained to an initial maximum validity period of ten (10) days.</b><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> The proposal stipulates that short-lived certificates issued on or after 15 March 2026 must not have a Validity Period greater than seven (7) days.</span></li><li><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-weight:700;vertical-align:baseline;white-space:pre-wrap">not required to contain a CRLDP or OCSP pointer and are not required to be revoked</span><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">. The primary mechanism of certificate invalidation for these short-lived certificates would be through certificate expiry. CAs may </span><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">optionally</span><span style="background-color:transparent;color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> revoke short-lived certificates. The initial maximum certificate validity is aligned with the existing maximum values for CRL “nextUpdate” and OCSP response validity allowed by the BRs today. </span><br></li></ul><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font face="arial, sans-serif"></font><font face="arial, sans-serif"><br></font></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Additional background, justification, and considerations are outlined </span><a href="https://docs.google.com/document/d/180T6cDSWPy54Rb5d6R4zN7MuLEMShaZ4IRLQgdPqE98/edit" style="text-decoration-line:none" target="_blank"><span style="color:rgb(74,110,224);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">here</span></a><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">.</span></p><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font face="arial, sans-serif"><br><br></font></p><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">The following motion has been proposed by Ryan Dickson and Chris Clements of Google (Chrome Root Program) and endorsed by </span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Kiran Tummala</span><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> of Microsoft and </span><span style="color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Tim Callan</span><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap"> of Sectigo.</span></p><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font face="arial, sans-serif"><br></font></p><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">— Motion Begins —</span></p><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font face="arial, sans-serif"><br></font></p><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” (“Baseline Requirements”), based on Version 2.0.0.</span></p><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font face="arial, sans-serif"><br></font></p><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">MODIFY the Baseline Requirements as specified in the following Redline: </span></p></font><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><a href="https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3..6ff4a7b332f46a8a54cc36e16d1299373d31efe9" target="_blank">https://github.com/cabforum/servercert/compare/a0360b61e73476959220dc328e3b68d0224fa0b3..6ff4a7b332f46a8a54cc36e16d1299373d31efe9</a> </p><font face="arial, sans-serif"><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font face="arial, sans-serif"><br></font></p><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">— Motion Ends —</span></p><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font face="arial, sans-serif"><br></font></p><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:</span></p><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font face="arial, sans-serif"><br></font></p><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Discussion (14+ days)</span></p><ul style="margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type:disc;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap;margin-left:11pt"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Start time: 2023-04-27 13:30:00 UTC</span></p></li><li dir="ltr" style="list-style-type:disc;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap;margin-left:11pt"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">End time: Not before 2023-05-11 13:30:00 UTC</span></p></li></ul><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font face="arial, sans-serif"><br></font></p><p dir="ltr" style="line-height:1.656;margin-top:0pt;margin-bottom:0pt"><span style="color:rgb(0,0,0);font-weight:700;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Vote for approval (7 days)</span></p><p dir="ltr" style="line-height:1.9872;margin-top:0pt;margin-bottom:0pt"><font face="arial, sans-serif"></font></p><ul style="margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type:disc;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap;margin-left:11pt"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">Start time: TBD</span></p></li><li dir="ltr" style="list-style-type:disc;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap;margin-left:11pt"><p dir="ltr" role="presentation" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre-wrap">End time: TBD</span></p></li></ul></font></span></div>
_______________________________________________<br>
Servercert-wg mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" rel="noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><br>
</blockquote></div>
</blockquote></div>