<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">Hello,<div>I’d like to know how this would interact with the change proposed by Dimitris for the VATEL thing.</div><div>In my case I did put on hold my own proposed change (regulation of use of QGIS for organization validation) until the doc was in RFC format, and I wonder if we should do the same for other proposed changes, as I guess the order of the ballots is important here.</div><div>Best,</div><div>Pedro<br id="lineBreakAtBeginningOfMessage"><div><br><blockquote type="cite"><div>On 19 Jan 2024, at 13:27, Inigo Barreira via Servercert-wg <servercert-wg@cabforum.org> wrote:</div><br class="Apple-interchange-newline"><div><meta charset="UTF-8"><div class="WordSection1" style="page: WordSection1; caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">Hi all,<o:p></o:p></span></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"><o:p> </o:p></span></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">As per yesterday´s SCWG call, I´ve also updated the BRs with the new section numbers of the EVG. Only 2 sections have been affected and therefore updated.<o:p></o:p></span></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;">Section 3.2.2.4.7<o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;">EVG 11.14.3<span class="Apple-converted-space"> </span><span style="font-family: Wingdings;">à</span><span class="Apple-converted-space"> </span>3.2.2.14.3<o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;">Section 7.1.2.7.5<o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;">EVG 9.2<span class="Apple-converted-space"> </span><span style="font-family: Wingdings;">à</span><span class="Apple-converted-space"> </span>7.1.4.2<o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;"><o:p> </o:p></span></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">You can find all the information in the PR 440,<span class="Apple-converted-space"> </span></span><span style="font-size: 11pt;"><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_cabforum_servercert_pull_440_commits&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=wsg-TdwvnM_b-Pg3U1XTwuszyojufD0lb45hNqvXdBXdCbT5NwVJ3w_4u0QY-JUd&s=4yDjCByZihcF66OPg0-LImW7hEJ3BRBPpguv_Dh5h0I&e=" style="color: blue; text-decoration: underline;"><span lang="EN-GB">EVGs based on RFC3647 by barrini · Pull Request #440 · cabforum/servercert (github.com)</span></a></span><span lang="EN-GB" style="font-size: 11pt;"><o:p></o:p></span></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">First, I had to update the current version of the BRs I was working with (2.0.0) to the current one (2.0.2) and then make the changes to the newest one.<o:p></o:p></span></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;"><o:p> </o:p></span></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">Regards<o:p></o:p></span></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;"><o:p> </o:p></span></div><div><div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(225, 225, 225) currentcolor currentcolor; border-image: none; padding: 3pt 0cm 0cm;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><b><span style="font-size: 11pt;">De:</span></b><span style="font-size: 11pt;"><span class="Apple-converted-space"> </span>Inigo Barreira <<a href="mailto:Inigo.Barreira@sectigo.com" style="color: blue; text-decoration: underline;">Inigo.Barreira@sectigo.com</a>><br><b>Enviado el:</b><span class="Apple-converted-space"> </span>viernes, 15 de diciembre de 2023 12:42<br><b>Para:</b><span class="Apple-converted-space"> </span>Inigo Barreira <<a href="mailto:Inigo.Barreira@sectigo.com" style="color: blue; text-decoration: underline;">Inigo.Barreira@sectigo.com</a>>; CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;">servercert-wg@cabforum.org</a>>; Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr" style="color: blue; text-decoration: underline;">dzacharo@harica.gr</a>>; Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com" style="color: blue; text-decoration: underline;">Bruce.Morton@entrust.com</a>>; Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com" style="color: blue; text-decoration: underline;">tim.hollebeek@digicert.com</a>><br><b>Asunto:</b><span class="Apple-converted-space"> </span>RE: [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot<o:p></o:p></span></div></div></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">Hi everyone<o:p></o:p></span></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"><o:p> </o:p></span></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">As per last week discussion during the SCWG, we agreed to follow section 6 of the RFC 3647 for the new EVG format.<o:p></o:p></span></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">With that in mind, I´ve updated the correspondent PR (#440) to reflect it that way, so:<o:p></o:p></span></div><ul type="disc" style="margin-bottom: 0cm; margin-top: 0cm;"><li class="MsoListParagraph" style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">Changed section 1.1 name from scope to overview<o:p></o:p></span></li><li class="MsoListParagraph" style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">Created a new section 3.2.1 for possession of the private key<o:p></o:p></span></li><li class="MsoListParagraph" style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">Moved all the other stuff of the old section 11 to a “new” section 3.2.2 for organization identity.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">Also created the remaining ones, 3.2.3, 3.2.4, etc.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">Update section 8 removing section 8.1 and renumbering the others and putting the self audits under 8.1 and leaving section 8.7 for readiness audits because don´t know where it can fit better (this section does not exist in RFC 3647 section 6)<o:p></o:p></span></li><li class="MsoListParagraph" style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">Checked all links<o:p></o:p></span></li></ul><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;"><o:p> </o:p></span></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">In any case, see the comparison here:<span class="Apple-converted-space"> </span></span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_cabforum_servercert_compare_90a98dc7c1131eaab01af411968aa7330d315b9b...238ff99fbe04f2aa24f2c58910d8133f2283f11e&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=wsg-TdwvnM_b-Pg3U1XTwuszyojufD0lb45hNqvXdBXdCbT5NwVJ3w_4u0QY-JUd&s=Fkxi2puIea-XluHGWRpA2fMQdGTdESWl6jTcxt-Mh2I&e=" style="color: blue; text-decoration: underline;"><span lang="EN-GB">Comparing 90a98dc7c1131eaab01af411968aa7330d315b9b...238ff99fbe04f2aa24f2c58910d8133f2283f11e · cabforum/servercert (github.com)</span></a><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">If you´re ok with this change, we can move forward a propose the ballot for which I´ll need 2 endorsers.</span><span lang="EN-GB" style="font-size: 11pt;"><o:p></o:p></span></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;"><o:p> </o:p></span></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">Regards<o:p></o:p></span></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;"><o:p> </o:p></span></div><div><div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(225, 225, 225) currentcolor currentcolor; border-image: none; padding: 3pt 0cm 0cm;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><b><span style="font-size: 11pt;">De:</span></b><span style="font-size: 11pt;"><span class="Apple-converted-space"> </span>Servercert-wg <<a href="mailto:servercert-wg-bounces@cabforum.org" style="color: blue; text-decoration: underline;">servercert-wg-bounces@cabforum.org</a>><span class="Apple-converted-space"> </span><b>En nombre de<span class="Apple-converted-space"> </span></b>Inigo Barreira via Servercert-wg<br><b>Enviado el:</b><span class="Apple-converted-space"> </span>jueves, 7 de diciembre de 2023 13:08<br><b>Para:</b><span class="Apple-converted-space"> </span>Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr" style="color: blue; text-decoration: underline;">dzacharo@harica.gr</a>>; Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com" style="color: blue; text-decoration: underline;">Bruce.Morton@entrust.com</a>>; CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;">servercert-wg@cabforum.org</a>>; Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com" style="color: blue; text-decoration: underline;">tim.hollebeek@digicert.com</a>><br><b>Asunto:</b><span class="Apple-converted-space"> </span>Re: [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot<o:p></o:p></span></div></div></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="border: 1pt solid black; padding: 2pt;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif; line-height: 12pt; background: rgb(250, 250, 3);"><span style="">CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.<o:p></o:p></span></div></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"><o:p> </o:p></span></div><div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">Hi there,<o:p></o:p></span></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"><o:p> </o:p></span></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">See the comparing one.<o:p></o:p></span></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_cabforum_servercert_compare_90a98dc7c1131eaab01af411968aa7330d315b9b...13b4f85a494fefa52510512a2fb3c4d7c77a7a36&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=wsg-TdwvnM_b-Pg3U1XTwuszyojufD0lb45hNqvXdBXdCbT5NwVJ3w_4u0QY-JUd&s=SAlnT_XxVC5MVdb-AWK-2-2ft5iK_-91Uh8zev3Au44&e=" style="color: blue; text-decoration: underline;"><span lang="EN-GB">Comparing 90a98dc7c1131eaab01af411968aa7330d315b9b...13b4f85a494fefa52510512a2fb3c4d7c77a7a36 · cabforum/servercert (github.com)</span></a><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;">Regards<span lang="EN-GB" style="font-size: 11pt;"><o:p></o:p></span></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;"><o:p> </o:p></span></div><div><div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(225, 225, 225) currentcolor currentcolor; border-image: none; padding: 3pt 0cm 0cm;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><b><span style="font-size: 11pt;">De:</span></b><span style="font-size: 11pt;"><span class="Apple-converted-space"> </span>Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr" style="color: blue; text-decoration: underline;">dzacharo@harica.gr</a>><br><b>Enviado el:</b><span class="Apple-converted-space"> </span>lunes, 4 de diciembre de 2023 22:18<br><b>Para:</b><span class="Apple-converted-space"> </span>Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com" style="color: blue; text-decoration: underline;">Bruce.Morton@entrust.com</a>>; Inigo Barreira <<a href="mailto:Inigo.Barreira@sectigo.com" style="color: blue; text-decoration: underline;">Inigo.Barreira@sectigo.com</a>>; CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;">servercert-wg@cabforum.org</a>>; Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com" style="color: blue; text-decoration: underline;">tim.hollebeek@digicert.com</a>><br><b>Asunto:</b><span class="Apple-converted-space"> </span>Re: [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot<o:p></o:p></span></div></div></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="border: 1pt solid black; padding: 2pt;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif; line-height: 12pt; background: rgb(250, 250, 3);"><span style="">CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.<o:p></o:p></span></div></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"><o:p> </o:p></span></div><div><p class="MsoNormal" style="margin: 0cm 0cm 12pt; font-size: 10pt; font-family: Calibri, sans-serif;"><o:p> </o:p></p><div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;">On 4/12/2023 9:22 μ.μ., Bruce Morton wrote:<o:p></o:p></div></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">I thought an intriguing promise of doing documents in Github and in the same format is that we would see the requirements in the same section, which would allow for better management. Also, the proposal Paul brought forward for the BR of BRs would work much better if we use the same sections. I guess I am encouraging the move of EV from a non-standard format to a sort of standard RFC 3647 format would be to help provide document alignment.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">+1 to Dimitris original suggestion.</span><o:p></o:p></div></blockquote><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"><o:p> </o:p></span></div><ul type="disc" style="margin-bottom: 0cm;"><li class="MsoNormal" style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_cabforum_code-2Dsigning_compare_main...importEVG&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=wsg-TdwvnM_b-Pg3U1XTwuszyojufD0lb45hNqvXdBXdCbT5NwVJ3w_4u0QY-JUd&s=IH-hz12ss4KJRRKpXUPs_ykN-ftU1yP8_QWnqFumUpE&e=" style="color: blue; text-decoration: underline;">https://github.com/cabforum/code-signing/compare/main...importEVG</a><o:p></o:p></span></li></ul><p class="MsoNormal" style="margin: 0cm 0cm 12pt; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">This is currently WIP, maintaining the numbering of RFC 3647 section 6, and moving the EV Guidelines sections referenced by the CSBRs into new sections. We've done these conversions in the past and they worked pretty well, leading to consistently structured policy documents across the ecosystem.<br><br>It's not perfect but it tries to move requirements to where RFC 3647 and the BRs expect them to be. For example, section 11.14 of the EV Guidelines talks about re-use of existing documentation which fits into section 4.2.1 of the BRs.<br><br><br>Thanks,<br>Dimitris.<o:p></o:p></span></p><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">Thanks, Bruce.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(225, 225, 225) currentcolor currentcolor; border-image: none; padding: 3pt 0cm 0cm;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><b><span style="font-size: 11pt;">From:</span></b><span style="font-size: 11pt;"><span class="Apple-converted-space"> </span>Servercert-wg<span class="Apple-converted-space"> </span><a href="mailto:servercert-wg-bounces@cabforum.org" style="color: blue; text-decoration: underline;"><servercert-wg-bounces@cabforum.org></a><span class="Apple-converted-space"> </span><b>On Behalf Of<span class="Apple-converted-space"> </span></b>Inigo Barreira via Servercert-wg<br><b>Sent:</b><span class="Apple-converted-space"> </span>Monday, December 4, 2023 2:15 PM<br><b>To:</b><span class="Apple-converted-space"> </span>Dimitris Zacharopoulos (HARICA)<span class="Apple-converted-space"> </span><a href="mailto:dzacharo@harica.gr" style="color: blue; text-decoration: underline;"><dzacharo@harica.gr></a>; Tim Hollebeek<span class="Apple-converted-space"> </span><a href="mailto:tim.hollebeek@digicert.com" style="color: blue; text-decoration: underline;"><tim.hollebeek@digicert.com></a><br><b>Cc:</b><span class="Apple-converted-space"> </span>CA/B Forum Server Certificate WG Public Discussion List<span class="Apple-converted-space"> </span><a href="mailto:servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;"><servercert-wg@cabforum.org></a><br><b>Subject:</b><span class="Apple-converted-space"> </span>[EXTERNAL] Re: [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot</span><o:p></o:p></div></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div><div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 1pt; color: white;">Dimitris, I think that we should focus on the EVG not on the CP/CPS. The CA´s CP/CPS will have that 3. 2. 1 section because it´s in the TLS BRs but that does not mean that the EVG must have also that section 3. 2. 1 (BTW, the section exist in the</span><o:p></o:p></div></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">Dimitris,</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">I think that we should focus on the EVG not on the CP/CPS. The CA´s CP/CPS will have that 3.2.1 section because it´s in the TLS BRs but that does not mean that the EVG must have also that section 3.2.1 (BTW, the section exist in the TLS BRs but with no content). At the end of the day, every CA issuing TLS certs will have to follow the TLS BRs and EVGs and then accommodate their CP/CPSes according to both documents.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">I understand your point to be stricter in the implementation of that specific point but for every CA to change/update their current CP/CPS with the new EVG in the RFC 3647 format, would find it easier to where to make those changes/adjustments in their own CP/CPS if we can convert easily the current section 11 into 3.2 and not to start looking into different numbers to make that change.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">Regards</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;"> </span><o:p></o:p></div><div><div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(225, 225, 225) currentcolor currentcolor; border-image: none; padding: 3pt 0cm 0cm;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><b><span style="font-size: 11pt;">De:</span></b><span style="font-size: 11pt;"><span class="Apple-converted-space"> </span>Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr" style="color: blue; text-decoration: underline;">dzacharo@harica.gr</a>><br><b>Enviado el:</b><span class="Apple-converted-space"> </span>lunes, 4 de diciembre de 2023 20:02<br><b>Para:</b><span class="Apple-converted-space"> </span>Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com" style="color: blue; text-decoration: underline;">tim.hollebeek@digicert.com</a>>; Inigo Barreira <<a href="mailto:Inigo.Barreira@sectigo.com" style="color: blue; text-decoration: underline;">Inigo.Barreira@sectigo.com</a>><br><b>CC:</b><span class="Apple-converted-space"> </span>CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;">servercert-wg@cabforum.org</a>><br><b>Asunto:</b><span class="Apple-converted-space"> </span>Re: [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot</span><o:p></o:p></div></div></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="border: 1pt solid black; padding: 2pt;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif; line-height: 12pt; background: rgb(250, 250, 3);"><span style="">CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span><o:p></o:p></div></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div><p class="MsoNormal" style="margin: 0cm 0cm 12pt; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">FWIW, there are informational RFCs that include SHOULD requirements (I didn't check for other informational RFCs that might contain SHALL requirements). Take a look at<span class="Apple-converted-space"> </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__urldefense.com_v3_-5F-5Fhttps-3A_datatracker.ietf.org_doc_html_rfc8894-5F-5F-3B-21-21FJ-2DY8qCqXTj2-21cDhQeVwolbnJ6hdDSRwEKs2w1lDqgYkiUHc4ApuZ3kUIV3BDxbQ0XAAIsJDbSWbqRevehayXBz-5Foc-2DH9s1zZDBI0YJAc7w-24&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=wsg-TdwvnM_b-Pg3U1XTwuszyojufD0lb45hNqvXdBXdCbT5NwVJ3w_4u0QY-JUd&s=eZUOnibdXAEm7TArY-4NlpNDvdpq2qrcI6Os5GzWvtY&e=" style="color: blue; text-decoration: underline;">RFC 8894</a>.<br><br>I agree that there seems to be some ambiguity in the REQUIRED CP/CPS structure but the entire reasoning behind using the "RFC 3647 format" was to align CP and CPS documents so that comparisons can be made across different CAs. If one CA reads that they must follow a 2-level structure based on section 4, and another CA reads that they must follow the structure of section 6 of the RFC, we're not meeting the goal for alignment and easy comparisons.<br><br>Digicert's CPS seems to follow the structure of section 6 of RFC 3647. Has anyone spotted a CPS claiming compliance with the TLS BRs that is not following the section 6 structure of 3647?<br><br>If all existing public CAs follow the structure of section 6 of 3647 in their CP/CPS documents, we can just clarify that the expectation is what Ben mentioned in<span class="Apple-converted-space"> </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__urldefense.com_v3_-5F-5Fhttps-3A_github.com_BenWilson-2DMozilla_pkipolicy_commit_1a94642cb95017cf382e4e93811db16a2342a806-5F-5F-3B-21-21FJ-2DY8qCqXTj2-21cDhQeVwolbnJ6hdDSRwEKs2w1lDqgYkiUHc4ApuZ3kUIV3BDxbQ0XAAIsJDbSWbqRevehayXBz-5Foc-2DH9s1zZDBIIavReJg-24&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=wsg-TdwvnM_b-Pg3U1XTwuszyojufD0lb45hNqvXdBXdCbT5NwVJ3w_4u0QY-JUd&s=7yKm78aVhCw6xlE85YVTEd_kGz4SHJhZ83xtcshx1Ag&e=" style="color: blue; text-decoration: underline;">https://github.com/BenWilson-Mozilla/pkipolicy/commit/1a94642cb95017cf382e4e93811db16a2342a806</a>, so that we address this ambiguity. We probably don't even need an effective date if it causes no issue on existing CAs.<br><br>My point is that if we leave this open to interpretation, we can't compare CP/CPS sections across multiple CAs efficiently, and this defeats the whole purpose of the requirement to structure CP/CPS documents according to RFC 3647. We might as well abandon the idea of converting the EV Guidelines into that format.<br><br>I believe that the intent has always been to enforce a "stricter" alignment. But if indeed there are deviations, I'd support some stricter language to align CP/CPS documents according to section 6 of RFC 3647 even with a future effective date :)<br><br><br>Dimitris.</span><o:p></o:p></p><div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">On 4/12/2023 7:27 μ.μ., Tim Hollebeek wrote:</span><o:p></o:p></div></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">Yeah, the fact that the section 6 outline goes deeper than the actual described format in section 4 is annoying, and you’re right, it’s probably the source of these disagreements. I always look at section 4, because it has the actual guidance about what sort of information should be considered for inclusion.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">This is what happens when people try to turn informational documents into normative requirements. You have to try to interpret what phrases like “are strongly advised to adhere”, which isn’t even a RFC 2119 SHOULD. And it can’t even be a SHOULD, because as an informational RFC, it is prohibited from having requirements, even SHOULDs! That’s why it’s written that way. Also, informational RFCs are not examined as closely for inconsistencies (because there are no requirements!) which is how divergences like section 4 vs 6 happen. It wasn’t intended to be used as a compliance document.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">I still think what Inigo did is perfectly fine, although there are lots of other perfectly fine solutions, too. What we need to be discussing is what’s best for us, not RFC 3647 requires, because RFC 3647 has infinite leeway. As Aaron and I have been pointing out, you’ll find lots of divergences at level three, and there’s even lots of additional content in level two, just because a lot of newer content doesn’t really have a good fit in RFC 3647.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">Now, that said, we might want to be more strict in the future, and if we choose to do so, we can be. I just don’t want people overstating what the rules actually are, because a lot of people’s time has been wasted enforcing RFC 3647 in a way that is far stricter than was ever intended (one of the reasons I’m so vocal on this issue is because I got this point of view from one of the original authors).</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">-Tim</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="border-width: medium medium medium 1.5pt; border-style: none none none solid; border-color: currentcolor currentcolor currentcolor blue; border-image: none; padding: 0cm 0cm 0cm 4pt;"><div><div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(225, 225, 225) currentcolor currentcolor; border-image: none; padding: 3pt 0cm 0cm;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><b><span style="font-size: 11pt;">From:</span></b><span style="font-size: 11pt;"><span class="Apple-converted-space"> </span>Dimitris Zacharopoulos (HARICA)<span class="Apple-converted-space"> </span><a href="mailto:dzacharo@harica.gr" style="color: blue; text-decoration: underline;"><dzacharo@harica.gr></a><br><b>Sent:</b><span class="Apple-converted-space"> </span>Saturday, December 2, 2023 5:26 AM<br><b>To:</b><span class="Apple-converted-space"> </span>Tim Hollebeek<span class="Apple-converted-space"> </span><a href="mailto:tim.hollebeek@digicert.com" style="color: blue; text-decoration: underline;"><tim.hollebeek@digicert.com></a>; Inigo Barreira<span class="Apple-converted-space"> </span><a href="mailto:Inigo.Barreira@sectigo.com" style="color: blue; text-decoration: underline;"><Inigo.Barreira@sectigo.com></a><br><b>Cc:</b><span class="Apple-converted-space"> </span>CA/B Forum Server Certificate WG Public Discussion List<span class="Apple-converted-space"> </span><a href="mailto:servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;"><servercert-wg@cabforum.org></a><br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot</span><o:p></o:p></div></div></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><p class="MsoNormal" style="margin: 0cm 0cm 12pt; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">We still have a disagreement so please allow me one more attempt to clarify my position because it seems you didn't check the links included in my previous post. I will copy some of that text here for convenience.</span><o:p></o:p></p><div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">On 1/12/2023 11:31 μ.μ., Tim Hollebeek wrote:</span><o:p></o:p></div></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">No.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">IETF has both Normative and Informative RFCs. While it is true that compliance with a Normative RFC is voluntary, if you do choose to comply, the RFC has requirements stated in RFC 2119 standards language that make it clear what the compliance rules are. Informative RFCs like 3647 do not have any normative requirements at all. They merely contain information.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">“all sections of the RFC 3647 framework” is fine, this covers the sections enumerated in RFC 3647 section 4, which includes the TOP TWO levels of an outline in numbered form, e.g. the requirements for section 3.2 are described in RFC 3647 section 4.3.2. There is no RFC 3647 section 4.3.2.1, which proves my point. RFC 3647 only has a two level outline structure.</span><o:p></o:p></div></blockquote><p class="MsoNormal" style="margin: 0cm 0cm 12pt; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"><br>I think I might have a hint on our disconnect. RFC 3647 has an indicative Table of Contents in Chapter 6 (<a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__urldefense.com_v3_-5F-5Fhttps-3A_datatracker.ietf.org_doc_html_rfc3647-2Asection-2D6-5F-5F-3BIw-21-21FJ-2DY8qCqXTj2-21cDhQeVwolbnJ6hdDSRwEKs2w1lDqgYkiUHc4ApuZ3kUIV3BDxbQ0XAAIsJDbSWbqRevehayXBz-5Foc-2DH9s1zZDBKp-5FQdGmg-24&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=wsg-TdwvnM_b-Pg3U1XTwuszyojufD0lb45hNqvXdBXdCbT5NwVJ3w_4u0QY-JUd&s=cp3VExDM2DhLCKZSB-C46rsVM45LgWuB6qsMlwtjSHY&e=" style="color: blue; text-decoration: underline;">https://datatracker.ietf.org/doc/html/rfc3647#section-6</a>) outlining the proposed CP/CPS sections and subsections using 3 levels.<br><br>Here is the text of the opening paragraph of that section (emphasis added):<br><br></span><o:p></o:p></p><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><pre style="margin: 0cm; font-size: 10pt; font-family: "Courier New";"> This section contains a recommended outline for a set of provisions,<o:p></o:p></pre><pre style="margin: 0cm; font-size: 10pt; font-family: "Courier New";"> intended to serve as a checklist or (with some further development) a<o:p></o:p></pre><pre style="margin: 0cm; font-size: 10pt; font-family: "Courier New";"> standard template for use by CP or CPS writers. Such a common<o:p></o:p></pre><pre style="margin: 0cm; font-size: 10pt; font-family: "Courier New";"> outline will facilitate:<o:p></o:p></pre><pre style="margin: 0cm; font-size: 10pt; font-family: "Courier New";"> <o:p></o:p></pre><pre style="margin: 0cm; font-size: 10pt; font-family: "Courier New";"> (a) Comparison of two certificate policies during cross-<o:p></o:p></pre><pre style="margin: 0cm; font-size: 10pt; font-family: "Courier New";"> certification or other forms of interoperation (for the purpose<o:p></o:p></pre><pre style="margin: 0cm; font-size: 10pt; font-family: "Courier New";"> of equivalency mapping).<o:p></o:p></pre><pre style="margin: 0cm; font-size: 10pt; font-family: "Courier New";"> <o:p></o:p></pre><pre style="margin: 0cm; font-size: 10pt; font-family: "Courier New";"> (b) Comparison of a CPS with a CP to ensure that the CPS faithfully<o:p></o:p></pre><pre style="margin: 0cm; font-size: 10pt; font-family: "Courier New";"> implements the policy.<o:p></o:p></pre><pre style="margin: 0cm; font-size: 10pt; font-family: "Courier New";"> <o:p></o:p></pre><pre style="margin: 0cm; font-size: 10pt; font-family: "Courier New";"> (c) Comparison of two CPSs.<o:p></o:p></pre><pre style="margin: 0cm; font-size: 10pt; font-family: "Courier New";"> <o:p></o:p></pre><pre style="margin: 0cm; font-size: 10pt; font-family: "Courier New";"><b> In order to comply with the RFC, the drafters of a compliant CP or</b><o:p></o:p></pre><pre style="margin: 0cm; font-size: 10pt; font-family: "Courier New";"><b> CPS are strongly advised to adhere to this outline.</b> While use of an<o:p></o:p></pre><pre style="margin: 0cm; font-size: 10pt; font-family: "Courier New";"> alternate outline is discouraged, it may be accepted if a proper<o:p></o:p></pre><pre style="margin: 0cm; font-size: 10pt; font-family: "Courier New";"> justification is provided for the deviation and a mapping table is<o:p></o:p></pre><pre style="margin: 0cm; font-size: 10pt; font-family: "Courier New";"> provided to readily discern where each of the items described in this<o:p></o:p></pre><pre style="margin: 0cm; font-size: 10pt; font-family: "Courier New";"> outline is provided.<o:p></o:p></pre></blockquote><p class="MsoNormal" style="margin: 0cm 0cm 12pt; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"><br>The reason the CA/B Forum BRs were structured according to this outline was to assist with comparisons between CP/CPS documents of different CAs, making the review of these documents easier.<br><br>That's why you see sections like 1.5.4 "CPS approval procedures" in the BRs as an empty section with "No Stipulation". There are many such sections in the BRs, all coming from section 6 of RFC 3647.<br><br>I hope this is clearer now.<br><br></span><o:p></o:p></p><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">BR Section 2.2 needs to be re-written, as there are no materials required by RFC 3647 (because RFC 3647 contains no requirements). It needs to say something like “structured in accordance with RFC 3647 and MUST include all sections of the outline described in section 4” or something like that. What it says right now doesn’t capture the intent that you correctly summarized.</span><o:p></o:p></div></blockquote><p class="MsoNormal" style="margin: 0cm 0cm 12pt; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"><br>During the last couple of years reviewing CP/CPS documents, I saw some uniformity at least in Publicly Trusted CAs, and they all seem to follow the BRs structure which comes from the outline of section 6 of RFC 3647. However, it's not a bad idea to further clarify BR section 2.2 to better meet the expectations.<br><br></span><o:p></o:p></p><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">The MSRP language is better, I think I may have made all of these same points when it was being drafted, which is why it says “section and subsection” (two levels) and uses “structured according to” and not “complies with the requirements of”.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">But anyway, this is all background that supports what I’ve been saying all along: BR 3.2 is a RFC 3647 section. BR 3.2.1 *<b>is not</b>* a RFC 3647 required section, nor is it even a section that is even mentioned in RFC 3647. If you don’t believe me, please go to RFC 3647, Section 4.3.2.1 and read what it says. OH, WAIT, IT DOESN’T EXIST!<span class="Apple-converted-space"> </span></span><span style="font-size: 11pt; font-family: "Segoe UI Emoji", sans-serif;">😊</span><o:p></o:p></div></blockquote><p class="MsoNormal" style="margin: 0cm 0cm 12pt; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"><br>To my point, BR 3.2.1 IS an RFC 3647 required section as it is explicitly mentioned in the outline of section 6 of RFC 3647:<br><br></span><o:p></o:p></p><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><pre style="margin: 0cm; font-size: 10pt; font-family: "Courier New";">3.2.1 Method to prove possession of private key<o:p></o:p></pre></blockquote><p class="MsoNormal" style="margin: 0cm 0cm 12pt; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"><br>Details about the contents of that section can be found in the first bullet of<span class="Apple-converted-space"> </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__urldefense.com_v3_-5F-5Fhttps-3A_datatracker.ietf.org_doc_html_rfc3647-2Asection-2D4.3.2-5F-5F-3BIw-21-21FJ-2DY8qCqXTj2-21cDhQeVwolbnJ6hdDSRwEKs2w1lDqgYkiUHc4ApuZ3kUIV3BDxbQ0XAAIsJDbSWbqRevehayXBz-5Foc-2DH9s1zZDBIL19sP-5Fw-24&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=wsg-TdwvnM_b-Pg3U1XTwuszyojufD0lb45hNqvXdBXdCbT5NwVJ3w_4u0QY-JUd&s=VVgYrcQHYItvxshaRW05i_oEkdLisu_m-OdTzlBeXn8&e=" style="color: blue; text-decoration: underline;">section 4.3.2 of RFC 3647</a>.<span class="Apple-converted-space"> </span><br><br>Does that make more sense?<br><br>Dimitris.<br><br></span><o:p></o:p></p><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">-Tim</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="border-width: medium medium medium 1.5pt; border-style: none none none solid; border-color: currentcolor currentcolor currentcolor blue; border-image: none; padding: 0cm 0cm 0cm 4pt;"><div><div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(225, 225, 225) currentcolor currentcolor; border-image: none; padding: 3pt 0cm 0cm;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><b><span style="font-size: 11pt;">From:</span></b><span style="font-size: 11pt;"><span class="Apple-converted-space"> </span>Dimitris Zacharopoulos (HARICA)<span class="Apple-converted-space"> </span><a href="mailto:dzacharo@harica.gr" style="color: blue; text-decoration: underline;"><dzacharo@harica.gr></a><br><b>Sent:</b><span class="Apple-converted-space"> </span>Friday, December 1, 2023 1:04 PM<br><b>To:</b><span class="Apple-converted-space"> </span>Tim Hollebeek<span class="Apple-converted-space"> </span><a href="mailto:tim.hollebeek@digicert.com" style="color: blue; text-decoration: underline;"><tim.hollebeek@digicert.com></a>; Inigo Barreira<span class="Apple-converted-space"> </span><a href="mailto:Inigo.Barreira@sectigo.com" style="color: blue; text-decoration: underline;"><Inigo.Barreira@sectigo.com></a><br><b>Cc:</b><span class="Apple-converted-space"> </span>CA/B Forum Server Certificate WG Public Discussion List<span class="Apple-converted-space"> </span><a href="mailto:servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;"><servercert-wg@cabforum.org></a><br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot</span><o:p></o:p></div></div></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><p class="MsoNormal" style="margin: 0cm 0cm 12pt; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">Hi Tim,<br><br>None of the IETF standards set policy unless they are invited by some policy authority :) The BRs set such policy and "import" some documents, such as RFC 5280, 3647 and others.<br><br>The BRs in section 1.1 state:<br><br><br></span><o:p></o:p></p><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">These Requirements do not address all of the issues relevant to the issuance and management of Publicly-Trusted Certificates. In accordance with RFC 3647 and to facilitate a comparison of other certificate policies and CPSs (e.g. for policy mapping), this document includes all sections of the RFC 3647 framework. However, rather than beginning with a "no stipulation" comment in all empty sections, the CA/Browser Forum is leaving such sections initially blank until a decision of "no stipulation" is made</span><o:p></o:p></div></blockquote><p class="MsoNormal" style="margin: 0cm 0cm 12pt; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"><br>In addition, section 2.2 states (emphasis added):<br><br><br></span><o:p></o:p></p><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">The Certificate Policy and/or Certification Practice Statement MUST be structured in accordance with RFC 3647 and<span class="Apple-converted-space"> </span><b>MUST include all material required by RFC 3647</b>.</span><o:p></o:p></div></blockquote><p class="MsoNormal" style="margin: 0cm 0cm 12pt; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"><br>If you go back to the discussions when the CA/B Forum decide to align with the "RFC 3647 format", we agreed to include each and every section of the outline as a minimum set.<br><br>MRSP states in section 3.3 (5) (again, emphasis added):<br><br><br></span><o:p></o:p></p><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">5. all CPs, CPSes, and combined CP/CPSes MUST be structured according to RFC 3647 and MUST:<br><br> - include<span class="Apple-converted-space"> </span><b>at least every section and subsection defined in RFC 3647</b>;<br> - only use the words "No Stipulation" to mean that the particular document imposes no requirements related to that section; and<br> - contain no sections that are blank and have no subsections;</span><o:p></o:p></div></blockquote><p class="MsoNormal" style="margin: 0cm 0cm 12pt; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"><br>So, with all that considered, when we visit<span class="Apple-converted-space"> </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__urldefense.com_v3_-5F-5Fhttps-3A_datatracker.ietf.org_doc_html_rfc3647-2Asection-2D6-5F-5F-3BIw-21-21FJ-2DY8qCqXTj2-21cDhQeVwolbnJ6hdDSRwEKs2w1lDqgYkiUHc4ApuZ3kUIV3BDxbQ0XAAIsJDbSWbqRevehayXBz-5Foc-2DH9s1zZDBKp-5FQdGmg-24&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=wsg-TdwvnM_b-Pg3U1XTwuszyojufD0lb45hNqvXdBXdCbT5NwVJ3w_4u0QY-JUd&s=cp3VExDM2DhLCKZSB-C46rsVM45LgWuB6qsMlwtjSHY&e=" style="color: blue; text-decoration: underline;">section 6 of RFC 3647</a><span class="Apple-converted-space"> </span>("the outline"), the expectation is to include each and every section and subsection of the outline (up to three levels).<br><br>CAs are free to add MORE sections and subsections as they desire, just like the BRs have done, but we can't escape or "hijack" an existing RFC 3647 section number. The outline contains a specific section labeled as "3.2.1 Method to prove possession of private key". That means we cannot re-use the number 3.2.1 for something else.<br><br>I hope this sounds reasonable to people.<br><br>Dimitris.<br><br></span><o:p></o:p></p><div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">On 1/12/2023 6:51 μ.μ., Tim Hollebeek wrote:</span><o:p></o:p></div></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">This is unfortunately wrong. There are lots of misconceptions about RFC 3647 “compliance”.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">The first point is that RFC 3647 is an INFORMATIONAL RFC. You can see this right at the top, where it says “Category: Informational”. This means that it contains no requirements and it’s impossible to be out of compliance with it. This is why I put quotes around “compliance”. Any requirements around it need to come from elsewhere, for example, a root program requirement that requires a particular document to be in RFC 3647 format. But that’s vague and informal, because 3647 doesn’t have requirements, it just has an outline and suggested contents. It’s not 100% precise what “MUST be in RFC 3647 format” means, and we need to just acknowledge that (specifying it precisely would be a colossal waste of time).</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">So what does “RFC 3647 format” mean? RFC 3647’s outline only covers the first two levels. So “Section 3.2: Initial Identity Validation” is a RFC 3647 section header, and most reasonable interpretations of “RFC 3647 format” would require it to exist with that or a substantially similar name and contents.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">Section 3.2.1, on the other hand, is not an RFC 3647 section. It’s common to have a third level of headers that mirror the “bullet points” in the suggested content for the section, but those are just unordered bullet lists in RFC 3647. Claiming that section 3.2.1 of a document in RFC 3647 must describe private key protection goes beyond what RFC 3647 says. Section 3.2 just “contains the following elements”, so private key protection is just one of several topics that one might discuss in section 3.2. It could be section 3.2.1, but it could be elsewhere in 3.2, and it’s perfectly fine for 3.2.1 to not exist, have different content, etc.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">Figuring out where section 11.1 goes is not trivial, but at first glance, section 3.2 is not an unreasonable choice, and I can understand why Inigo made it. And there isn’t a compliance reason why it can’t be section 3.2.1, if that’s what we want.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">Of course, we could convert the recommended bulleted sections to a numbered list of subsections (we often do elsewhere), in which case section 3.2.1 could be “Private Key Protection” with contents “No Stipulation”. If we do that, I suggest we follow the rest of the bullets as well.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">Either way works.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">-Tim</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="border-width: medium medium medium 1.5pt; border-style: none none none solid; border-color: currentcolor currentcolor currentcolor blue; border-image: none; padding: 0cm 0cm 0cm 4pt;"><div><div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(225, 225, 225) currentcolor currentcolor; border-image: none; padding: 3pt 0cm 0cm;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><b><span style="font-size: 11pt;">From:</span></b><span style="font-size: 11pt;"><span class="Apple-converted-space"> </span>Dimitris Zacharopoulos<span class="Apple-converted-space"> </span><a href="mailto:dzacharo@harica.gr" style="color: blue; text-decoration: underline;"><dzacharo@harica.gr></a><br><b>Sent:</b><span class="Apple-converted-space"> </span>Friday, December 1, 2023 10:48 AM<br><b>To:</b><span class="Apple-converted-space"> </span>Inigo Barreira<span class="Apple-converted-space"> </span><a href="mailto:Inigo.Barreira@sectigo.com" style="color: blue; text-decoration: underline;"><Inigo.Barreira@sectigo.com></a><br><b>Cc:</b><span class="Apple-converted-space"> </span>Tim Hollebeek<span class="Apple-converted-space"> </span><a href="mailto:tim.hollebeek@digicert.com" style="color: blue; text-decoration: underline;"><tim.hollebeek@digicert.com></a>; CA/B Forum Server Certificate WG Public Discussion List<span class="Apple-converted-space"> </span><a href="mailto:servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;"><servercert-wg@cabforum.org></a><br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot</span><o:p></o:p></div></div></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt; font-family: Arial, sans-serif;">We MUST comply with RFC 3647 which means that we must include sections that are listed in the outline of 3647, and if we have nothing to say, we leave it empty. We can't "hijack" the numbering just because we have no requirements to describe.<span class="Apple-converted-space"> </span><br><br>That's my interpretation of the RFC 3647 compliance. Perhaps others can chime in and state their opinion.<br><br><br>Thanks,<span class="Apple-converted-space"> </span></span><o:p></o:p></div></div><div><p><span style="font-family: Arial, sans-serif;">DZ.</span><o:p></o:p></p></div><div><div><p><span style="font-family: Arial, sans-serif;">Dec 1, 2023 14:50:23 Inigo Barreira <<a href="mailto:Inigo.Barreira@sectigo.com" style="color: blue; text-decoration: underline;">Inigo.Barreira@sectigo.com</a>>:</span><o:p></o:p></p></div><blockquote style="border-width: medium medium medium 2.25pt; border-style: none none none solid; border-color: currentcolor currentcolor currentcolor rgb(204, 204, 204); border-image: none; padding: 0cm 0cm 0cm 8pt; margin: 5pt 0cm;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">Thanks Dimitris.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">I think that strictly speaking, in RFC 3647 this section is the 4.3.2 Initial Identity Validation and the first bullet is about proving the possession of the private key, but there´s no specific section other than the general approach that we´ve implemented.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">That said, the current EVG does not include anything about the possession of the private key because that´s covered in the TLS BRs so that section does not exist in the EVGs and therefore I didn´t know how to avoid/implement it.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">I decided to continue with the normal numbering for an easy checking, so all 11 section is moved into section 3.2 and the rest of the sub-numbers do not change (so 11.1 would be 3.2.1, 11.1.1 would be 3.2.1.1, etc.)</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">I understand your point but I think we can´t create a section 3.2.1 for private key possession because there´s no such a text in the EVGs (and don´t think we should add anything new, even a NA for that) and don´t know which other sections we can create under 3.2 that can break the current equivalence, which again was done for an easy comparison.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">So, what would you suggest to “comply” with that? I don´t have a clear idea.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">Regards</span><o:p></o:p></div><div><div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(225, 225, 225) currentcolor currentcolor; border-image: none; padding: 3pt 0cm 0cm;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><b><span style="font-size: 11pt;">De:</span></b><span style="font-size: 11pt;"><span class="Apple-converted-space"> </span>Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr" style="color: blue; text-decoration: underline;">dzacharo@harica.gr</a>><br><b>Enviado el:</b><span class="Apple-converted-space"> </span>jueves, 30 de noviembre de 2023 13:16<br><b>Para:</b><span class="Apple-converted-space"> </span>Inigo Barreira <<a href="mailto:Inigo.Barreira@sectigo.com" style="color: blue; text-decoration: underline;">Inigo.Barreira@sectigo.com</a>>; Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com" style="color: blue; text-decoration: underline;">tim.hollebeek@digicert.com</a>>; CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;">servercert-wg@cabforum.org</a>><br><b>Asunto:</b><span class="Apple-converted-space"> </span>Re: [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot</span><o:p></o:p></div></div></div><div style="border: 1pt solid black; padding: 2pt;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif; line-height: 12pt; background: rgb(250, 250, 3);"><span style="">CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span><o:p></o:p></div></div><div><p class="MsoNormal" style="margin: 0cm 0cm 12pt; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">Inigo,<br><br>As I am working to migrate the EV Guidelines into the EV Code Signing Baseline Requirements I took a look at the mapping you provided for the EV Guidelines and noticed that you are proposing migration of EVG section 11.1 into section 3.2.1. This particular section is labeled "Method to prove possession of private key" in RFC 3647 so I don't think it is appropriate. I think it's best to create new subsections under 3.2.<br><br>Thanks,<br>Dimitris.</span><o:p></o:p></p><div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">On 8/9/2023 7:54 μ.μ., Inigo Barreira wrote:</span><o:p></o:p></div></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">Hi all,<span class="Apple-converted-space"> </span></span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">Attached you´ll find the EVG v1.8.0 with comments in all sections indicating where those sections, and the content, have been moved into the new EVG RFC3647 format. So, with this document, plus the redlined version, I hope you can have now a clearer view of the changes done.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">Let me know if you need anything else to clarify the new version.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">Regards</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;"> </span><o:p></o:p></div><div><div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(225, 225, 225) currentcolor currentcolor; border-image: none; padding: 3pt 0cm 0cm;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><b><span style="font-size: 11pt;">De:</span></b><span style="font-size: 11pt;"><span class="Apple-converted-space"> </span>Inigo Barreira<span class="Apple-converted-space"> </span><a href="mailto:Inigo.Barreira@sectigo.com" style="color: blue; text-decoration: underline;"><Inigo.Barreira@sectigo.com></a><br><b>Enviado el:</b><span class="Apple-converted-space"> </span>martes, 29 de agosto de 2023 17:06<br><b>Para:</b><span class="Apple-converted-space"> </span>Tim Hollebeek<span class="Apple-converted-space"> </span><a href="mailto:tim.hollebeek@digicert.com" style="color: blue; text-decoration: underline;"><tim.hollebeek@digicert.com></a>; Dimitris Zacharopoulos (HARICA)<span class="Apple-converted-space"> </span><a href="mailto:dzacharo@harica.gr" style="color: blue; text-decoration: underline;"><dzacharo@harica.gr></a>; CA/B Forum Server Certificate WG Public Discussion List<span class="Apple-converted-space"> </span><a href="mailto:servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;"><servercert-wg@cabforum.org></a><br><b>Asunto:</b><span class="Apple-converted-space"> </span>RE: [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot</span><o:p></o:p></div></div></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">Thanks Dimitris and Tim.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">I did something of that internally but didn´t reflect on the document, so will try to reproduce to have it clearer.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">OTOH, and as indicated in the PR, the whole section 11 has been placed in section 3.2 keeping the rest of the numbering. So, for example:</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">EVG EVG3647</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">11.1 3.2.1</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">11.1.1 3.2.1.1</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">11.1.2 3.2.1.2</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">11.1.3 3.2.1.3</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">11.2 3.2.2</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">11.2.1 3.2.2.1</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">….. …. </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">11.13 3.2.13</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">11.14 3.2.14</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">11.14.1 3.2.14.1</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">11.14.2 3.2.14.2</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">11.14.3 3.2.14.3</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">Hope this can clarify the main difficult that I found in the document, where to place it and how.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">Regards</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;"> </span><o:p></o:p></div><div><div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(225, 225, 225) currentcolor currentcolor; border-image: none; padding: 3pt 0cm 0cm;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><b><span lang="EN-GB" style="font-size: 11pt;">De:</span></b><span lang="EN-GB" style="font-size: 11pt;"><span class="Apple-converted-space"> </span>Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com" style="color: blue; text-decoration: underline;">tim.hollebeek@digicert.com</a>><br><b>Enviado el:</b><span class="Apple-converted-space"> </span>martes, 29 de agosto de 2023 16:59<br><b>Para:</b><span class="Apple-converted-space"> </span>Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr" style="color: blue; text-decoration: underline;">dzacharo@harica.gr</a>>; Inigo Barreira <<a href="mailto:Inigo.Barreira@sectigo.com" style="color: blue; text-decoration: underline;">Inigo.Barreira@sectigo.com</a>>; CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;">servercert-wg@cabforum.org</a>><br><b>Asunto:</b><span class="Apple-converted-space"> </span>RE: [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot</span><o:p></o:p></div></div></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;"> </span><o:p></o:p></div><div style="border: 1pt solid black; padding: 2pt;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif; line-height: 12pt; background: rgb(250, 250, 3);"><span style="">CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span><o:p></o:p></div></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 12pt; font-family: "Times New Roman", serif;"> </span><o:p></o:p></div><div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">Yes, exactly. I would like to see a list that shows that EVG-classic section 1.4 is now in EVG-3647 section 4.1. Then I can look at where the new text landed, see how the conversion was handled, we can all verify that nothing was lost or left out, etc.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">Without that, anyone attempting to review the document is forced to recreate the mapping just to figure out where everything went and that nothing was missed or put in the wrong place. Redlines are not sufficient when large amounts of text are moving around to different places.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">I’m saying this because from my spot-checking, the conversion appears to be pretty good, and I’d like to be able to do a final verification that it’s mostly correct so I can endorse.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">-Tim</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="border-width: medium medium medium 1.5pt; border-style: none none none solid; border-color: currentcolor currentcolor currentcolor blue; border-image: none; padding: 0cm 0cm 0cm 4pt;"><div><div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(225, 225, 225) currentcolor currentcolor; border-image: none; padding: 3pt 0cm 0cm;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><b><span style="font-size: 11pt;">From:</span></b><span style="font-size: 11pt;"><span class="Apple-converted-space"> </span>Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr" style="color: blue; text-decoration: underline;"><span lang="EN-US">dzacharo@harica.gr</span></a>><br><b>Sent:</b><span class="Apple-converted-space"> </span>Tuesday, August 29, 2023 7:58 AM<br><b>To:</b><span class="Apple-converted-space"> </span>Inigo Barreira <<a href="mailto:Inigo.Barreira@sectigo.com" style="color: blue; text-decoration: underline;"><span lang="EN-US">Inigo.Barreira@sectigo.com</span></a>>; CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;"><span lang="EN-US">servercert-wg@cabforum.org</span></a>>; Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com" style="color: blue; text-decoration: underline;"><span lang="EN-US">tim.hollebeek@digicert.com</span></a>><br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot</span><o:p></o:p></div></div></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><p class="MsoNormal" style="margin: 0cm 0cm 12pt; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">Hi Inigo,<br><br>You can take some guidance from previous successful efforts to convert existing documents into RFC 3647 format. The latest attempt was in the Code Signing BRs conversion in May 2022. Check out the mapping document and the comments in the<span class="Apple-converted-space"> </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__urldefense.com_v3_-5F-5Fhttps-3A_lists.cabforum.org_pipermail_cscwg-2Dpublic_2022-2DMay_000795.html-5F-5F-3B-21-21FJ-2DY8qCqXTj2-21cDhQeVwolbnJ6hdDSRwEKs2w1lDqgYkiUHc4ApuZ3kUIV3BDxbQ0XAAIsJDbSWbqRevehayXBz-5Foc-2DH9s1zZDBLzwUxa3A-24&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=wsg-TdwvnM_b-Pg3U1XTwuszyojufD0lb45hNqvXdBXdCbT5NwVJ3w_4u0QY-JUd&s=TGjiVAjhtCpZQCCjIYU8mS3GeEAe0BeKPM0KSCsbZZU&e=" style="color: blue; text-decoration: underline;"><span lang="EN-US">ballot discussion period</span></a>.<br><br>For each existing section/paragraph, it would be nice to have a comment describing where that existing language will land in the converted document (destination). This will allow all existing text to be accounted for.<br><br>During this process, you might encounter duplicate or redundant text which needs to be flagged accordingly. You might also get into some uncertainty as to which RFC3647 section is a best fit for existing text that might require additional discussion.<br><br>I hope this helps.<br><br><br>Dimitris.</span><o:p></o:p></p><div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">On 29/8/2023 12:42 μ.μ., Inigo Barreira via Servercert-wg wrote:</span><o:p></o:p></div></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">Hi Tim,</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">See attached redlined and current versions. I just used what Martijn suggested yesterday but let me know if this is what you were looking for.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;">Regards</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span lang="EN-GB" style="font-size: 11pt;"> </span><o:p></o:p></div><div><div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(225, 225, 225) currentcolor currentcolor; border-image: none; padding: 3pt 0cm 0cm;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><b><span style="font-size: 11pt;">De:</span></b><span style="font-size: 11pt;"><span class="Apple-converted-space"> </span>Tim Hollebeek<span class="Apple-converted-space"> </span><a href="mailto:tim.hollebeek@digicert.com" style="color: blue; text-decoration: underline;"><span lang="EN-US"><tim.hollebeek@digicert.com></span></a><br><b>Enviado el:</b><span class="Apple-converted-space"> </span>lunes, 28 de agosto de 2023 19:49<br><b>Para:</b><span class="Apple-converted-space"> </span>Inigo Barreira<span class="Apple-converted-space"> </span><a href="mailto:Inigo.Barreira@sectigo.com" style="color: blue; text-decoration: underline;"><span lang="EN-US"><Inigo.Barreira@sectigo.com></span></a>; CA/B Forum Server Certificate WG Public Discussion List<span class="Apple-converted-space"> </span><a href="mailto:servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;"><span lang="EN-US"><servercert-wg@cabforum.org></span></a><br><b>Asunto:</b><span class="Apple-converted-space"> </span>RE: SC-065: Convert EVGs into RFC 3647 format pre-ballot</span><o:p></o:p></div></div></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="border: 1pt solid black; padding: 2pt;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif; line-height: 12pt; background: rgb(250, 250, 3);"><span style="">CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span><o:p></o:p></div></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">Thanks for doing this Inigo … I know re-organizations like this are a lot of work and fall very much in the category of “important but not fun”. So thanks for taking an initial stab at this.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">Is there a mapping that shows where all the original text ended up? I think that’s going to be essential for people to be able to review this. I did some spot checking, and your conversion looks pretty good, but I wasn’t able to do a more detailed review without a mapping.</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">-Tim</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="border-width: medium medium medium 1.5pt; border-style: none none none solid; border-color: currentcolor currentcolor currentcolor blue; border-image: none; padding: 0cm 0cm 0cm 4pt;"><div><div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(225, 225, 225) currentcolor currentcolor; border-image: none; padding: 3pt 0cm 0cm;"><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><b><span style="font-size: 11pt;">From:</span></b><span style="font-size: 11pt;"><span class="Apple-converted-space"> </span>Servercert-wg <<a href="mailto:servercert-wg-bounces@cabforum.org" style="color: blue; text-decoration: underline;"><span lang="EN-US">servercert-wg-bounces@cabforum.org</span></a>><span class="Apple-converted-space"> </span><b>On Behalf Of<span class="Apple-converted-space"> </span></b>Inigo Barreira via Servercert-wg<br><b>Sent:</b><span class="Apple-converted-space"> </span>Monday, August 28, 2023 5:20 AM<br><b>To:</b><span class="Apple-converted-space"> </span>CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;"><span lang="EN-US">servercert-wg@cabforum.org</span></a>><br><b>Subject:</b><span class="Apple-converted-space"> </span>[Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot</span><o:p></o:p></div></div></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">Hello,</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">The current Extended Validation Guidelines (EVGs) are written in a non-standardized format. For many years it has been discussed to convert this document into the RFC 3647 format and follow the standardized model for this type of documents.<span class="Apple-converted-space"> </span></span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">Given that this has been known for several years, I have prepared the following ballot text, which converts the EVGs into the RFC 3647 format:</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__urldefense.com_v3_-5F-5Fhttps-3A_url.avanan.click_v2_-5F-5F-5Fhttps-3A_github.com_cabforum_servercert_pull_440-5F-5F-5F.YXAzOmRpZ2ljZXJ0OmE6bzoyOGIxNWVhZGVmZDlkZTM0NjQzZTA3YTlmYTA2MzM5YTo2OmExZWM6NGZmMGEzM2U0ZWZjOTU4MTM1NWRkNjU3ZDE5YjU3Y2YxNzg1NWU0ZTVjYzkzY2NjM2M0MWU5MzEyYzJmZTQ0NzpoOkY-5F-5F-3B-21-21FJ-2DY8qCqXTj2-21cDhQeVwolbnJ6hdDSRwEKs2w1lDqgYkiUHc4ApuZ3kUIV3BDxbQ0XAAIsJDbSWbqRevehayXBz-5Foc-2DH9s1zZDBKpiKVP6w-24&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=wsg-TdwvnM_b-Pg3U1XTwuszyojufD0lb45hNqvXdBXdCbT5NwVJ3w_4u0QY-JUd&s=4LtAX3juZdnfOu4veRi4pBALPtRI-GZYgeAImFWYm9Y&e=" title="Protected by Avanan: https://github.com/cabforum/servercert/pull/440" style="color: blue; text-decoration: underline;"><span lang="EN-GB">EVGs based on RFC3647 by barrini · Pull Request #440 · cabforum/servercert (github.com)</span></a></span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">I am currently seeking two endorsers as well as any feedback on the ballot content itself (wording, effective dates, etc.).</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;">Thanks,</span><o:p></o:p></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div></div></div><p class="MsoNormal" style="margin: 0cm 0cm 12pt; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></p><pre style="margin: 0cm; font-size: 10pt; font-family: "Courier New";"><span>_______________________________________________</span><o:p></o:p></pre><pre style="margin: 0cm; font-size: 10pt; font-family: "Courier New";"><span>Servercert-wg mailing list</span><o:p></o:p></pre><pre style="margin: 0cm; font-size: 10pt; font-family: "Courier New";"><span><a href="mailto:Servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;"><span lang="EN-US">Servercert-wg@cabforum.org</span></a></span><o:p></o:p></pre><pre style="margin: 0cm; font-size: 10pt; font-family: "Courier New";"><span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__urldefense.com_v3_-5F-5Fhttps-3A_lists.cabforum.org_mailman_listinfo_servercert-2Dwg-5F-5F-3B-21-21FJ-2DY8qCqXTj2-21cDhQeVwolbnJ6hdDSRwEKs2w1lDqgYkiUHc4ApuZ3kUIV3BDxbQ0XAAIsJDbSWbqRevehayXBz-5Foc-2DH9s1zZDBI3Tfxaxw-24&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=wsg-TdwvnM_b-Pg3U1XTwuszyojufD0lb45hNqvXdBXdCbT5NwVJ3w_4u0QY-JUd&s=yeobGHenyzbD__BZjEynW1bSj_O1h07XqBgobkCMO5w&e=" style="color: blue; text-decoration: underline;"><span lang="EN-US">https://lists.cabforum.org/mailman/listinfo/servercert-wg</span></a></span><o:p></o:p></pre></blockquote><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div></div></div></blockquote></div></blockquote></div></div></blockquote><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div></div></blockquote><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div></div></blockquote><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"> </span><o:p></o:p></div></div><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><i><span style="font-size: 11pt;">Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains.<span class="Apple-converted-space"> </span><u>Please notify Entrust immediately and delete the message from your system.</u></span></i><span style="font-size: 11pt;"><o:p></o:p></span></div></blockquote><div style="margin: 0cm; font-size: 10pt; font-family: Calibri, sans-serif;"><span style="font-size: 11pt;"><o:p> </o:p></span></div></div></div></div><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;">_______________________________________________</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;">Servercert-wg mailing list</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><a href="mailto:Servercert-wg@cabforum.org" style="color: blue; text-decoration: underline; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">Servercert-wg@cabforum.org</a><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_servercert-2Dwg&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=wsg-TdwvnM_b-Pg3U1XTwuszyojufD0lb45hNqvXdBXdCbT5NwVJ3w_4u0QY-JUd&s=NI2v6X_p5sLdAuQxYnL49SedZwqRk1slWN8V5zVZkQs&e=" style="color: blue; text-decoration: underline; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_servercert-2Dwg&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=wsg-TdwvnM_b-Pg3U1XTwuszyojufD0lb45hNqvXdBXdCbT5NwVJ3w_4u0QY-JUd&s=NI2v6X_p5sLdAuQxYnL49SedZwqRk1slWN8V5zVZkQs&e=</a></div></blockquote></div><br><div>
<meta charset="UTF-8"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><font style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-position: normal; font-variant-caps: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-weight: normal; line-height: normal; text-align: start; text-indent: 0px;"><b><font color="#f62400" style="font-size: 11px;"><br class="Apple-interchange-newline">WISeKey SA<br></font></b></font><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; font-variant-ligatures: normal; font-variant-position: normal; font-variant-caps: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; line-height: normal; text-align: start; text-indent: 0px;"><font style="color: rgb(0, 0, 0); font-size: 12px; font-weight: normal; font-style: normal;"><span style="font-size: 11px;"><b>Pedro Fuentes<br></b>CSO - Trust Services Manager</span><br><font size="1">Office: + 41 (0) 22 594 30 00<br>Mobile: + 41 (0) </font></font><span style="color: rgb(0, 0, 0); font-size: x-small; font-weight: normal; font-style: normal;">791 274 790</span></div><div style="font-variant-ligatures: normal; font-variant-position: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; line-height: normal; text-align: start; text-indent: 0px;"><font style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px;"><font size="1">Address: </font></font><font size="1">Avenue Louis-Casaï 58 | </font><span style="font-size: x-small;">1216 Cointrin | Switzerland</span></div><div style="font-variant-ligatures: normal; font-variant-position: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; line-height: normal; text-align: start; text-indent: 0px;"><font><font size="1" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px;"><b>Stay connected with <a href="http://www.wisekey.com"><font color="#f62400">WISeKey</font></a><br></b></font></font><span style="caret-color: rgb(0, 0, 0); color: rgb(169, 169, 169); font-size: 10px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; orphans: 2; widows: 2;"><br></span></div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-position: normal; font-variant-caps: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-weight: normal; line-height: normal; text-align: start; text-indent: 0px;"><div style="font-variant-ligatures: normal; font-variant-position: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; line-height: normal;"><span style="orphans: 2; widows: 2;"><font size="1" color="#78a600"><b>THIS IS A TRUSTED MAIL</b>: This message is digitally signed with a WISeKey identity. If you get a mail from WISeKey please check the signature to avoid security risks</font></span></div><div style="font-variant-ligatures: normal; font-variant-position: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; line-height: normal;"><span style="orphans: 2; widows: 2; font-size: 9px;"><font color="#a9a9a9"><br></font></span></div><div style="font-variant-ligatures: normal; font-variant-position: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; line-height: normal;"><div style="orphans: 2; widows: 2;"><font color="#a9a9a9" style="font-size: 9px;"><b>CONFIDENTIALITY: </b>This email and any files transmitted with it can be confidential and it’s intended solely for the use of the individual or entity to which they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. If you have received this email in error please notify the sender</font></div><div style="orphans: 2; widows: 2;"><font color="#a9a9a9" style="font-size: 9px;"><br></font></div><div style="orphans: 2; widows: 2;"><font color="#a9a9a9" style="font-size: 9px;"><b>DISCLAIMER: </b>WISeKey does not warrant the accuracy or completeness of this message and does not accept any liability for any errors or omissions herein as this message has been transmitted over a public network. Internet communications cannot be guaranteed to be secure or error-free as information may be intercepted, corrupted, or contain viruses. Attachments to this e-mail are checked for viruses; however, we do not accept any liability for any damage sustained by viruses and therefore you are kindly requested to check for viruses upon receipt.</font></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div>
<br></div></body></html>