<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"MS Gothic";
panose-1:2 11 6 9 7 2 5 8 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"\@MS Gothic";
panose-1:2 11 6 9 7 2 5 8 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
mso-ligatures:none;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>Well, yes, um, that was me <span style='font-family:"Segoe UI Emoji",sans-serif'>😊</span><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>There wasn’t an obvious place for contact information for CAs to fit, so I suggested section 1.5 when it was discussed on MDSP. That suggestion migrated into the BRs as part of the root program requirement consolidation effort. You’re right that it’s outside of the “suggestions” for the official content of that section.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>A similar example is section 1.2, which says:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>“This subcomponent provides any applicable names or other identifiers,<o:p></o:p></p><p class=MsoNormal> including ASN.1 object identifiers, *<b>for the document</b>*. An example of<o:p></o:p></p><p class=MsoNormal> such a document name would be the US Federal Government Policy for<o:p></o:p></p><p class=MsoNormal> Secure E-mail.”<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>BR Section 1.2 does not contain the name of the document (“Baseline Requirements for the Issuance and Management of Publicly‐Trusted Certificates”) and it does not contain any other OIDs or identifiers *<b>for the document</b>*. The expected content would have been something like:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>----<o:p></o:p></p><p class=MsoNormal>This document is the CA/Browser Forum TLS requirements, known as “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Certificates”, version blah.blah. This version of the document can be referenced by name and version, by the URI x://y.z.z/y, or by the OID cabf.requirements.baseline.tls.blah.bah.<o:p></o:p></p><p class=MsoNormal>----<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>That sort of title and version information is what was intended for that section.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>We, instead, have a bunch of OIDs that are intended for indicating compliance with the document (which is related, but not the same thing as OIDs identifying the document itself). And then we have the version history and relevant dates in that section, which again, is fine, because we’re following an outline, and not a normative list of requirements about what MAY / MUST / SHALL NOT / ONLY IF YOU ASK NICELY / OVER MY DEAD BODY appear in each section.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>And I’ve even heard of auditors who have insisted that every single OID the CA uses in its operations must be documented in section 1.2. This is a very perverse and difficult to understand misreading of the non-normative text that appears in the informative RFC 3647, but I’ve heard of auditors threatening audit findings over it (¯\_(<span style='font-family:"MS Gothic"'>ツ</span>)_/¯). There are other, better places for documenting OIDs that are used in certificates. For example, almost anywhere in section 7.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>-Tim<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Aaron Gable <aaron@letsencrypt.org> <br><b>Sent:</b> Friday, December 1, 2023 12:28 PM<br><b>To:</b> Tim Hollebeek <tim.hollebeek@digicert.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg@cabforum.org><br><b>Cc:</b> Dimitris Zacharopoulos <dzacharo@harica.gr>; Inigo Barreira <Inigo.Barreira@sectigo.com><br><b>Subject:</b> Re: [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>It's also worth noting that the Baseline Requirements also diverge from RFC 3647 in this way: for example, Section 1.5 of RFC 3647 is concerned with the contact information of the group <i>administering the CP/CPS</i>, while Section 1.5(.2) of the BRs is concerned with contact information of the group <i>operating the CA</i>. So trying to cleave too closely to the bulleted descriptions inside RFC 3647 is unhelpful, imo.<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>For whatever it's worth, I think that Section 11 of the current EVGs could be renumbered wholesale to become Section 3.2, retaining its subsections as-is, with few or no issues.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Aaron<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Fri, Dec 1, 2023 at 8:51 AM Tim Hollebeek via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>This is unfortunately wrong. There are lots of misconceptions about RFC 3647 “compliance”.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>The first point is that RFC 3647 is an INFORMATIONAL RFC. You can see this right at the top, where it says “Category: Informational”. This means that it contains no requirements and it’s impossible to be out of compliance with it. This is why I put quotes around “compliance”. Any requirements around it need to come from elsewhere, for example, a root program requirement that requires a particular document to be in RFC 3647 format. But that’s vague and informal, because 3647 doesn’t have requirements, it just has an outline and suggested contents. It’s not 100% precise what “MUST be in RFC 3647 format” means, and we need to just acknowledge that (specifying it precisely would be a colossal waste of time).<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>So what does “RFC 3647 format” mean? RFC 3647’s outline only covers the first two levels. So “Section 3.2: Initial Identity Validation” is a RFC 3647 section header, and most reasonable interpretations of “RFC 3647 format” would require it to exist with that or a substantially similar name and contents.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Section 3.2.1, on the other hand, is not an RFC 3647 section. It’s common to have a third level of headers that mirror the “bullet points” in the suggested content for the section, but those are just unordered bullet lists in RFC 3647. Claiming that section 3.2.1 of a document in RFC 3647 must describe private key protection goes beyond what RFC 3647 says. Section 3.2 just “contains the following elements”, so private key protection is just one of several topics that one might discuss in section 3.2. It could be section 3.2.1, but it could be elsewhere in 3.2, and it’s perfectly fine for 3.2.1 to not exist, have different content, etc.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Figuring out where section 11.1 goes is not trivial, but at first glance, section 3.2 is not an unreasonable choice, and I can understand why Inigo made it. And there isn’t a compliance reason why it can’t be section 3.2.1, if that’s what we want.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Of course, we could convert the recommended bulleted sections to a numbered list of subsections (we often do elsewhere), in which case section 3.2.1 could be “Private Key Protection” with contents “No Stipulation”. If we do that, I suggest we follow the rest of the bullets as well.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Either way works.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>-Tim<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>From:</b> Dimitris Zacharopoulos <<a href="mailto:dzacharo@harica.gr" target="_blank">dzacharo@harica.gr</a>> <br><b>Sent:</b> Friday, December 1, 2023 10:48 AM<br><b>To:</b> Inigo Barreira <<a href="mailto:Inigo.Barreira@sectigo.com" target="_blank">Inigo.Barreira@sectigo.com</a>><br><b>Cc:</b> Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com" target="_blank">tim.hollebeek@digicert.com</a>>; CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>><br><b>Subject:</b> Re: [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot<o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Arial",sans-serif'>We MUST comply with RFC 3647 which means that we must include sections that are listed in the outline of 3647, and if we have nothing to say, we leave it empty. We can't "hijack" the numbering just because we have no requirements to describe. <br><br>That's my interpretation of the RFC 3647 compliance. Perhaps others can chime in and state their opinion. <br><br><br>Thanks, </span><o:p></o:p></p></div><div><p><span style='font-family:"Arial",sans-serif'>DZ.</span><o:p></o:p></p></div><div><div><p><span style='font-family:"Arial",sans-serif'>Dec 1, 2023 14:50:23 Inigo Barreira <<a href="mailto:Inigo.Barreira@sectigo.com" target="_blank">Inigo.Barreira@sectigo.com</a>>:</span><o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 2.25pt;padding:0in 0in 0in 8.0pt;margin-left:0in;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=ES>Thanks Dimitris.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>I think that strictly speaking, in RFC 3647 this section is the 4.3.2 Initial Identity Validation and the first bullet is about proving the possession of the private key, but there´s no specific section other than the general approach that we´ve implemented.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>That said, the current EVG does not include anything about the possession of the private key because that´s covered in the TLS BRs so that section does not exist in the EVGs and therefore I didn´t know how to avoid/implement it.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>I decided to continue with the normal numbering for an easy checking, so all 11 section is moved into section 3.2 and the rest of the sub-numbers do not change (so 11.1 would be 3.2.1, 11.1.1 would be 3.2.1.1, etc.)</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>I understand your point but I think we can´t create a section 3.2.1 for private key possession because there´s no such a text in the EVGs (and don´t think we should add anything new, even a NA for that) and don´t know which other sections we can create under 3.2 that can break the current equivalence, which again was done for an easy comparison. </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>So, what would you suggest to “comply” with that? I don´t have a clear idea.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>Regards</span><o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=ES>De:</span></b><span lang=ES> Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr" target="_blank">dzacharo@harica.gr</a>> <br><b>Enviado el:</b> jueves, 30 de noviembre de 2023 13:16<br><b>Para:</b> Inigo Barreira <<a href="mailto:Inigo.Barreira@sectigo.com" target="_blank">Inigo.Barreira@sectigo.com</a>>; Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com" target="_blank">tim.hollebeek@digicert.com</a>>; CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>><br><b>Asunto:</b> Re: [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot</span><o:p></o:p></p></div></div><div style='border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:12.0pt;background:#FAFA03'><span lang=ES style='font-size:10.0pt;color:black'>CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span lang=ES>Inigo,<br><br>As I am working to migrate the EV Guidelines into the EV Code Signing Baseline Requirements I took a look at the mapping you provided for the EV Guidelines and noticed that you are proposing migration of EVG section 11.1 into section 3.2.1. This particular section is labeled "Method to prove possession of private key" in RFC 3647 so I don't think it is appropriate. I think it's best to create new subsections under 3.2.<br><br>Thanks,<br>Dimitris.</span><o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=ES>On 8/9/2023 7:54 μ.μ., Inigo Barreira wrote:</span><o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=ES>Hi all, </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=ES> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>Attached you´ll find the EVG v1.8.0 with comments in all sections indicating where those sections, and the content, have been moved into the new EVG RFC3647 format. So, with this document, plus the redlined version, I hope you can have now a clearer view of the changes done.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>Let me know if you need anything else to clarify the new version.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>Regards</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=ES>De:</span></b><span lang=ES> Inigo Barreira <a href="mailto:Inigo.Barreira@sectigo.com" target="_blank"><Inigo.Barreira@sectigo.com></a> <br><b>Enviado el:</b> martes, 29 de agosto de 2023 17:06<br><b>Para:</b> Tim Hollebeek <a href="mailto:tim.hollebeek@digicert.com" target="_blank"><tim.hollebeek@digicert.com></a>; Dimitris Zacharopoulos (HARICA) <a href="mailto:dzacharo@harica.gr" target="_blank"><dzacharo@harica.gr></a>; CA/B Forum Server Certificate WG Public Discussion List <a href="mailto:servercert-wg@cabforum.org" target="_blank"><servercert-wg@cabforum.org></a><br><b>Asunto:</b> RE: [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot</span><o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=ES> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>Thanks Dimitris and Tim.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>I did something of that internally but didn´t reflect on the document, so will try to reproduce to have it clearer.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>OTOH, and as indicated in the PR, the whole section 11 has been placed in section 3.2 keeping the rest of the numbering. So, for example:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>EVG EVG3647</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>11.1 3.2.1</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>11.1.1 3.2.1.1</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>11.1.2 3.2.1.2</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>11.1.3 3.2.1.3</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>11.2 3.2.2</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>11.2.1 3.2.2.1</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>….. …. </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>11.13 3.2.13</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>11.14 3.2.14</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>11.14.1 3.2.14.1</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>11.14.2 3.2.14.2</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>11.14.3 3.2.14.3</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>Hope this can clarify the main difficult that I found in the document, where to place it and how.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>Regards</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN-GB>De:</span></b><span lang=EN-GB> Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com" target="_blank">tim.hollebeek@digicert.com</a>> <br><b>Enviado el:</b> martes, 29 de agosto de 2023 16:59<br><b>Para:</b> Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr" target="_blank">dzacharo@harica.gr</a>>; Inigo Barreira <<a href="mailto:Inigo.Barreira@sectigo.com" target="_blank">Inigo.Barreira@sectigo.com</a>>; CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>><br><b>Asunto:</b> RE: [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot</span><o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB> </span><o:p></o:p></p><div style='border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:12.0pt;background:#FAFA03'><span style='font-size:10.0pt;color:black'>CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Times New Roman",serif'> </span><o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Yes, exactly. I would like to see a list that shows that EVG-classic section 1.4 is now in EVG-3647 section 4.1. Then I can look at where the new text landed, see how the conversion was handled, we can all verify that nothing was lost or left out, etc.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Without that, anyone attempting to review the document is forced to recreate the mapping just to figure out where everything went and that nothing was missed or put in the wrong place. Redlines are not sufficient when large amounts of text are moving around to different places.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I’m saying this because from my spot-checking, the conversion appears to be pretty good, and I’d like to be able to do a final verification that it’s mostly correct so I can endorse.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>-Tim<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>From:</b> Dimitris Zacharopoulos (HARICA) <<span lang=ES><a href="mailto:dzacharo@harica.gr" target="_blank"><span lang=EN-US>dzacharo@harica.gr</span></a></span>> <br><b>Sent:</b> Tuesday, August 29, 2023 7:58 AM<br><b>To:</b> Inigo Barreira <<span lang=ES><a href="mailto:Inigo.Barreira@sectigo.com" target="_blank"><span lang=EN-US>Inigo.Barreira@sectigo.com</span></a></span>>; CA/B Forum Server Certificate WG Public Discussion List <<span lang=ES><a href="mailto:servercert-wg@cabforum.org" target="_blank"><span lang=EN-US>servercert-wg@cabforum.org</span></a></span>>; Tim Hollebeek <<span lang=ES><a href="mailto:tim.hollebeek@digicert.com" target="_blank"><span lang=EN-US>tim.hollebeek@digicert.com</span></a></span>><br><b>Subject:</b> Re: [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot<o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>Hi Inigo,<br><br>You can take some guidance from previous successful efforts to convert existing documents into RFC 3647 format. The latest attempt was in the Code Signing BRs conversion in May 2022. Check out the mapping document and the comments in the <span lang=ES><a href="https://lists.cabforum.org/pipermail/cscwg-public/2022-May/000795.html" target="_blank"><span lang=EN-US>ballot discussion period</span></a></span>.<br><br>For each existing section/paragraph, it would be nice to have a comment describing where that existing language will land in the converted document (destination). This will allow all existing text to be accounted for.<br><br>During this process, you might encounter duplicate or redundant text which needs to be flagged accordingly. You might also get into some uncertainty as to which RFC3647 section is a best fit for existing text that might require additional discussion. <br><br>I hope this helps.<br><br><br>Dimitris.<o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On 29/8/2023 12:42 μ.μ., Inigo Barreira via Servercert-wg wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>Hi Tim,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>See attached redlined and current versions. I just used what Martijn suggested yesterday but let me know if this is what you were looking for.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB>Regards</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>De:</b> Tim Hollebeek <span lang=ES><a href="mailto:tim.hollebeek@digicert.com" target="_blank"><span lang=EN-US><tim.hollebeek@digicert.com></span></a></span> <br><b>Enviado el:</b> lunes, 28 de agosto de 2023 19:49<br><b>Para:</b> Inigo Barreira <span lang=ES><a href="mailto:Inigo.Barreira@sectigo.com" target="_blank"><span lang=EN-US><Inigo.Barreira@sectigo.com></span></a></span>; CA/B Forum Server Certificate WG Public Discussion List <span lang=ES><a href="mailto:servercert-wg@cabforum.org" target="_blank"><span lang=EN-US><servercert-wg@cabforum.org></span></a></span><br><b>Asunto:</b> RE: SC-065: Convert EVGs into RFC 3647 format pre-ballot<o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div style='border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:12.0pt;background:#FAFA03'><span style='font-size:10.0pt;color:black'>CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thanks for doing this Inigo … I know re-organizations like this are a lot of work and fall very much in the category of “important but not fun”. So thanks for taking an initial stab at this.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Is there a mapping that shows where all the original text ended up? I think that’s going to be essential for people to be able to review this. I did some spot checking, and your conversion looks pretty good, but I wasn’t able to do a more detailed review without a mapping.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>-Tim<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>From:</b> Servercert-wg <<span lang=ES><a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank"><span lang=EN-US>servercert-wg-bounces@cabforum.org</span></a></span>> <b>On Behalf Of </b>Inigo Barreira via Servercert-wg<br><b>Sent:</b> Monday, August 28, 2023 5:20 AM<br><b>To:</b> CA/B Forum Server Certificate WG Public Discussion List <<span lang=ES><a href="mailto:servercert-wg@cabforum.org" target="_blank"><span lang=EN-US>servercert-wg@cabforum.org</span></a></span>><br><b>Subject:</b> [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot<o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Hello,<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>The current Extended Validation Guidelines (EVGs) are written in a non-standardized format. For many years it has been discussed to convert this document into the RFC 3647 format and follow the standardized model for this type of documents. <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Given that this has been known for several years, I have prepared the following ballot text, which converts the EVGs into the RFC 3647 format:<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=ES><a href="https://url.avanan.click/v2/___https:/github.com/cabforum/servercert/pull/440___.YXAzOmRpZ2ljZXJ0OmE6bzoyOGIxNWVhZGVmZDlkZTM0NjQzZTA3YTlmYTA2MzM5YTo2OmExZWM6NGZmMGEzM2U0ZWZjOTU4MTM1NWRkNjU3ZDE5YjU3Y2YxNzg1NWU0ZTVjYzkzY2NjM2M0MWU5MzEyYzJmZTQ0NzpoOkY" target="_blank" title="Protected by Avanan: https://github.com/cabforum/servercert/pull/440"><span lang=EN-GB>EVGs based on RFC3647 by barrini · Pull Request #440 · cabforum/servercert (github.com)</span></a></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I am currently seeking two endorsers as well as any feedback on the ballot content itself (wording, effective dates, etc.).<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thanks,<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'> <o:p></o:p></p><pre>_______________________________________________<o:p></o:p></pre><pre>Servercert-wg mailing list<o:p></o:p></pre><pre><span lang=ES><a href="mailto:Servercert-wg@cabforum.org" target="_blank"><span lang=EN-US>Servercert-wg@cabforum.org</span></a></span><o:p></o:p></pre><pre><span lang=ES><a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" target="_blank"><span lang=EN-US>https://lists.cabforum.org/mailman/listinfo/servercert-wg</span></a></span><o:p></o:p></pre></blockquote><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div></blockquote></div></blockquote></div></div></div></div><p class=MsoNormal>_______________________________________________<br>Servercert-wg mailing list<br><a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br><a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><o:p></o:p></p></div></blockquote></div></div></div></body></html>