<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">Hi guys,<div><br><div>I didn’t want to trigger any controversy. My question was more related to understand how a so impacting Pull Request like the one to convert to RFC format could be managed in GitHub with other PR related to the non-RFC version.</div><div><br></div><div>On my side, I prepared the PR#439 (<a href="https://github.com/cabforum/servercert/pull/439">https://github.com/cabforum/servercert/pull/439</a>) but I didn’t promote it as I guessed I’d have to redo it at some point based on the RFC version… but again maybe I’m not understanding how GH works…</div><div><br></div><div>Cheers!</div><div>Pedro</div><div><div><br><blockquote type="cite"><div>On 22 Jan 2024, at 19:49, Tim Hollebeek <tim.hollebeek@digicert.com> wrote:</div><br class="Apple-interchange-newline"><div><meta charset="UTF-8"><div class="WordSection1" style="page: WordSection1; caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">Feel free to bring it up, but I still oppose it for all the reasons we discussed when we had this discussion the last time. Adding more mandatory details to the ballot process is not progress. We need to get back to improving the requirements, and not spending so much time on bylaws and administrivia. It’s already too hard for people not intimately familiar with the forum and ballot process to write ballots. Adding this would just make it even worse.<o:p></o:p></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">Instead of that, let’s discuss Pedro’s ballot, whether it’s a good idea, and how we get it or something else across the finish line, if it is.<o:p></o:p></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">-Tim<o:p></o:p></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="border-width: medium medium medium 1.5pt; border-style: none none none solid; border-color: currentcolor currentcolor currentcolor blue; border-image: none; padding: 0in 0in 0in 4pt;"><div><div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(225, 225, 225) currentcolor currentcolor; border-image: none; padding: 3pt 0in 0in;"><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><b>From:</b><span class="Apple-converted-space"> </span>Dimitris Zacharopoulos <<a href="mailto:dzacharo@harica.gr" style="color: blue; text-decoration: underline;">dzacharo@harica.gr</a>><span class="Apple-converted-space"> </span><br><b>Sent:</b><span class="Apple-converted-space"> </span>Saturday, January 20, 2024 12:21 AM<br><b>To:</b><span class="Apple-converted-space"> </span>Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com" style="color: blue; text-decoration: underline;">tim.hollebeek@digicert.com</a>><br><b>Cc:</b><span class="Apple-converted-space"> </span>Pedro FUENTES <<a href="mailto:pfuentes@wisekey.com" style="color: blue; text-decoration: underline;">pfuentes@wisekey.com</a>>; Inigo Barreira <<a href="mailto:Inigo.Barreira@sectigo.com" style="color: blue; text-decoration: underline;">Inigo.Barreira@sectigo.com</a>>; CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;">servercert-wg@cabforum.org</a>>; Bruce Morton <<a href="mailto:bruce.morton@entrust.com" style="color: blue; text-decoration: underline;">bruce.morton@entrust.com</a>><br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [EXTERNAL]-Re: [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot<o:p></o:p></div></div></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-family: Arial, sans-serif;">Tim,<span class="Apple-converted-space"> </span><br><br>For conflicting sections in multiple simultaneous ballots, this is what we've done historically and consistently.<span class="Apple-converted-space"> </span><br><br>You are correct that the Bylaws use a "may" but I strongly recommended using the existing practice, otherwise the outcome is uncertain and risky. In fact, I would suggest we make this mandatory at the next Bylaws update. I will bring it up for discussion separately from this thread.<span class="Apple-converted-space"> </span><br><br><br>Thanks,<span class="Apple-converted-space"> </span><o:p></o:p></span></div></div><div><p><span style="font-family: Arial, sans-serif;">DZ.<o:p></o:p></span></p></div><div><div><p><span style="font-family: Arial, sans-serif;">Jan 19, 2024 23:57:14 Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com" style="color: blue; text-decoration: underline;">tim.hollebeek@digicert.com</a>>:<o:p></o:p></span></p></div><blockquote style="border-width: medium medium medium 2.25pt; border-style: none none none solid; border-color: currentcolor currentcolor currentcolor rgb(204, 204, 204); border-image: none; padding: 0in 0in 0in 8pt; margin-left: 0in; margin-right: 0in;"><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">Note that the language says “may”. Summarizing that as “needs to” is incorrect. It is intentionally weak, to avoid putting a burden on ballot proposers to completely and exhaustively specify their ballot’s interaction with another ballot they don’t control. The only requirement is to name and link to ballots that amends the same section (to help avoid merge errors).<o:p></o:p></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">All of the stuff around holding and sequencing ballots, and describing possible deconfliction strategies, is useful and important stuff we do to keep the Forum working smoothly, and I would highly encourage people to pay close attention to those sorts of things, but we need to be clear on what actually are minimum requirements and what aren’t, because I don’t want to interfere with or unduly burden the rights of members to call for a proposed ballot at any time.<o:p></o:p></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">-Tim<o:p></o:p></div><div style="border-width: medium medium medium 1.5pt; border-style: none none none solid; border-color: currentcolor currentcolor currentcolor blue; border-image: none; padding: 0in 0in 0in 4pt;"><div><div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(225, 225, 225) currentcolor currentcolor; border-image: none; padding: 3pt 0in 0in;"><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><b>From:</b><span class="Apple-converted-space"> </span>Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr" style="color: blue; text-decoration: underline;">dzacharo@harica.gr</a>><span class="Apple-converted-space"> </span><br><b>Sent:</b><span class="Apple-converted-space"> </span>Friday, January 19, 2024 2:00 PM<br><b>To:</b><span class="Apple-converted-space"> </span>Pedro FUENTES <<a href="mailto:pfuentes@wisekey.com" style="color: blue; text-decoration: underline;">pfuentes@wisekey.com</a>>; Inigo Barreira <<a href="mailto:Inigo.Barreira@sectigo.com" style="color: blue; text-decoration: underline;">Inigo.Barreira@sectigo.com</a>>; CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;">servercert-wg@cabforum.org</a>><br><b>Cc:</b><span class="Apple-converted-space"> </span>Bruce Morton <<a href="mailto:bruce.morton@entrust.com" style="color: blue; text-decoration: underline;">bruce.morton@entrust.com</a>>; Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com" style="color: blue; text-decoration: underline;">tim.hollebeek@digicert.com</a>><br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [EXTERNAL]-Re: [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot<o:p></o:p></div></div></div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif;">Hi Pedro,<br><br>If the proposed ballot interacts with sections that are modified by an existing ballot, the second ballot proposer needs to describe what will the possible results of that section look like, basically by writing down the expected language if the first ballot passes or fails.<br><br>Bylaws section 2.4 (10):<br><i><br>If a ballot is proposed to amend the same section of the Final Guidelines or the Final Maintenance Guidelines as one or more previous ballot(s) that has/have not yet been finally approved, the newly proposed ballot must include information about, and a link to, any such previous ballot(s), and may include provisions to avoid any conflicts relating to such previous ballots.</i><br><br><br>I hope this helps.<br><br>Dimitris.<o:p></o:p></p><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">On 19/1/2024 2:34 μ.μ., Pedro FUENTES wrote:<o:p></o:p></div></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">Hello,<o:p></o:p></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">I’d like to know how this would interact with the change proposed by Dimitris for the VATEL thing.<o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">In my case I did put on hold my own proposed change (regulation of use of QGIS for organization validation) until the doc was in RFC format, and I wonder if we should do the same for other proposed changes, as I guess the order of the ballots is important here.<o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">Best,<o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">Pedro<o:p></o:p></div><div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></p><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">On 19 Jan 2024, at 13:27, Inigo Barreira via Servercert-wg<span class="Apple-converted-space"> </span><a href="mailto:servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;"><servercert-wg@cabforum.org></a><span class="Apple-converted-space"> </span>wrote:<o:p></o:p></div></div><div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">Hi all,<o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB">As per yesterday´s SCWG call, I´ve also updated the BRs with the new section numbers of the EVG. Only 2 sections have been affected and therefore updated.</span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 10pt;">Section 3.2.2.4.7</span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 10pt;">EVG 11.14.3<span class="apple-converted-space"> </span></span><span style="font-size: 10pt; font-family: Wingdings;">à</span><span class="apple-converted-space"><span style="font-size: 10pt;"> </span></span><span style="font-size: 10pt;">3.2.2.14.3</span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 10pt;"> </span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 10pt;">Section 7.1.2.7.5</span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 10pt;">EVG 9.2<span class="apple-converted-space"> </span></span><span style="font-size: 10pt; font-family: Wingdings;">à</span><span class="apple-converted-space"><span style="font-size: 10pt;"> </span></span><span style="font-size: 10pt;">7.1.4.2</span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB"> </span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB">You can find all the information in the PR 440,<span class="apple-converted-space"> </span></span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_cabforum_servercert_pull_440_commits&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=wsg-TdwvnM_b-Pg3U1XTwuszyojufD0lb45hNqvXdBXdCbT5NwVJ3w_4u0QY-JUd&s=4yDjCByZihcF66OPg0-LImW7hEJ3BRBPpguv_Dh5h0I&e=" style="color: blue; text-decoration: underline;"><span lang="EN-GB">EVGs based on RFC3647 by barrini · Pull Request #440 · cabforum/servercert (github.com)</span></a><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB">First, I had to update the current version of the BRs I was working with (2.0.0) to the current one (2.0.2) and then make the changes to the newest one.</span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB"> </span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB">Regards</span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB"> </span><o:p></o:p></div></div><div><div style="border-width: 1pt medium medium; border-style: solid none none; padding: 3pt 0in 0in; border-image: none; border-color: currentcolor;"><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><b>De:</b><span class="apple-converted-space"> </span>Inigo Barreira <<a href="mailto:Inigo.Barreira@sectigo.com" style="color: blue; text-decoration: underline;">Inigo.Barreira@sectigo.com</a>><br><b>Enviado el:</b><span class="apple-converted-space"> </span>viernes, 15 de diciembre de 2023 12:42<br><b>Para:</b><span class="apple-converted-space"> </span>Inigo Barreira <<a href="mailto:Inigo.Barreira@sectigo.com" style="color: blue; text-decoration: underline;">Inigo.Barreira@sectigo.com</a>>; CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;">servercert-wg@cabforum.org</a>>; Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr" style="color: blue; text-decoration: underline;">dzacharo@harica.gr</a>>; Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com" style="color: blue; text-decoration: underline;">Bruce.Morton@entrust.com</a>>; Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com" style="color: blue; text-decoration: underline;">tim.hollebeek@digicert.com</a>><br><b>Asunto:</b><span class="apple-converted-space"> </span>RE: [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot<o:p></o:p></div></div></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 10pt;"> </span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">Hi everyone<o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB">As per last week discussion during the SCWG, we agreed to follow section 6 of the RFC 3647 for the new EVG format.</span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB">With that in mind, I´ve updated the correspondent PR (#440) to reflect it that way, so:</span><o:p></o:p></div></div><ul type="disc" style="margin-bottom: 0in;"><li class="MsoListParagraph" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB">Changed section 1.1 name from scope to overview</span><o:p></o:p></li><li class="MsoListParagraph" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB">Created a new section 3.2.1 for possession of the private key</span><o:p></o:p></li><li class="MsoListParagraph" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB">Moved all the other stuff of the old section 11 to a “new” section 3.2.2 for organization identity.</span><o:p></o:p></li><li class="MsoListParagraph" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB">Also created the remaining ones, 3.2.3, 3.2.4, etc.</span><o:p></o:p></li><li class="MsoListParagraph" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB">Update section 8 removing section 8.1 and renumbering the others and putting the self audits under 8.1 and leaving section 8.7 for readiness audits because don´t know where it can fit better (this section does not exist in RFC 3647 section 6)</span><o:p></o:p></li><li class="MsoListParagraph" style="margin-right: 0in; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB">Checked all links</span><o:p></o:p></li></ul><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB"> </span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB">In any case, see the comparison here:<span class="apple-converted-space"> </span></span><span style="font-size: 10pt;"><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_cabforum_servercert_compare_90a98dc7c1131eaab01af411968aa7330d315b9b...238ff99fbe04f2aa24f2c58910d8133f2283f11e&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=wsg-TdwvnM_b-Pg3U1XTwuszyojufD0lb45hNqvXdBXdCbT5NwVJ3w_4u0QY-JUd&s=Fkxi2puIea-XluHGWRpA2fMQdGTdESWl6jTcxt-Mh2I&e=" style="color: blue; text-decoration: underline;"><span lang="EN-GB">Comparing 90a98dc7c1131eaab01af411968aa7330d315b9b...238ff99fbe04f2aa24f2c58910d8133f2283f11e · cabforum/servercert (github.com)</span></a></span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 10pt;"> </span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB">If you´re ok with this change, we can move forward a propose the ballot for which I´ll need 2 endorsers.</span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB"> </span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB">Regards</span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB"> </span><o:p></o:p></div></div><div><div style="border-width: 1pt medium medium; border-style: solid none none; padding: 3pt 0in 0in; border-image: none; border-color: currentcolor;"><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><b>De:</b><span class="apple-converted-space"> </span>Servercert-wg <<a href="mailto:servercert-wg-bounces@cabforum.org" style="color: blue; text-decoration: underline;">servercert-wg-bounces@cabforum.org</a>><span class="apple-converted-space"> </span><b>En nombre de<span class="apple-converted-space"> </span></b>Inigo Barreira via Servercert-wg<br><b>Enviado el:</b><span class="apple-converted-space"> </span>jueves, 7 de diciembre de 2023 13:08<br><b>Para:</b><span class="apple-converted-space"> </span>Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr" style="color: blue; text-decoration: underline;">dzacharo@harica.gr</a>>; Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com" style="color: blue; text-decoration: underline;">Bruce.Morton@entrust.com</a>>; CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;">servercert-wg@cabforum.org</a>>; Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com" style="color: blue; text-decoration: underline;">tim.hollebeek@digicert.com</a>><br><b>Asunto:</b><span class="apple-converted-space"> </span>Re: [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot<o:p></o:p></div></div></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 10pt;"> </span><o:p></o:p></div></div><div style="border: 1pt solid black; padding: 2pt;"><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif; line-height: 12pt; background: rgb(250, 250, 3);"><span style="font-size: 10pt;">CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span><o:p></o:p></div></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div></div><div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">Hi there,<o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">See the comparing one.<o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 10pt;"><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_cabforum_servercert_compare_90a98dc7c1131eaab01af411968aa7330d315b9b...13b4f85a494fefa52510512a2fb3c4d7c77a7a36&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=wsg-TdwvnM_b-Pg3U1XTwuszyojufD0lb45hNqvXdBXdCbT5NwVJ3w_4u0QY-JUd&s=SAlnT_XxVC5MVdb-AWK-2-2ft5iK_-91Uh8zev3Au44&e=" style="color: blue; text-decoration: underline;"><span lang="EN-GB">Comparing 90a98dc7c1131eaab01af411968aa7330d315b9b...13b4f85a494fefa52510512a2fb3c4d7c77a7a36 · cabforum/servercert (github.com)</span></a></span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 10pt;"> </span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 10pt;">Regards</span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB"> </span><o:p></o:p></div></div><div><div style="border-width: 1pt medium medium; border-style: solid none none; padding: 3pt 0in 0in; border-image: none; border-color: currentcolor;"><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><b>De:</b><span class="apple-converted-space"> </span>Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr" style="color: blue; text-decoration: underline;">dzacharo@harica.gr</a>><br><b>Enviado el:</b><span class="apple-converted-space"> </span>lunes, 4 de diciembre de 2023 22:18<br><b>Para:</b><span class="apple-converted-space"> </span>Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com" style="color: blue; text-decoration: underline;">Bruce.Morton@entrust.com</a>>; Inigo Barreira <<a href="mailto:Inigo.Barreira@sectigo.com" style="color: blue; text-decoration: underline;">Inigo.Barreira@sectigo.com</a>>; CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;">servercert-wg@cabforum.org</a>>; Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com" style="color: blue; text-decoration: underline;">tim.hollebeek@digicert.com</a>><br><b>Asunto:</b><span class="apple-converted-space"> </span>Re: [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot<o:p></o:p></div></div></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 10pt;"> </span><o:p></o:p></div></div><div style="border: 1pt solid black; padding: 2pt;"><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif; line-height: 12pt; background: rgb(250, 250, 3);"><span style="font-size: 10pt;">CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span><o:p></o:p></div></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div></div><div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 10pt;"> </span><o:p></o:p></p><div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 10pt;">On 4/12/2023 9:22 μ.μ., Bruce Morton wrote:</span><o:p></o:p></div></div></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">I thought an intriguing promise of doing documents in Github and in the same format is that we would see the requirements in the same section, which would allow for better management. Also, the proposal Paul brought forward for the BR of BRs would work much better if we use the same sections. I guess I am encouraging the move of EV from a non-standard format to a sort of standard RFC 3647 format would be to help provide document alignment.<o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">+1 to Dimitris original suggestion.<o:p></o:p></div></div></blockquote><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div></div><ul type="disc" style="margin-bottom: 0in; margin-top: 0in;"><li class="MsoNormal" style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_cabforum_code-2Dsigning_compare_main...importEVG&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=wsg-TdwvnM_b-Pg3U1XTwuszyojufD0lb45hNqvXdBXdCbT5NwVJ3w_4u0QY-JUd&s=IH-hz12ss4KJRRKpXUPs_ykN-ftU1yP8_QWnqFumUpE&e=" style="color: blue; text-decoration: underline;">https://github.com/cabforum/code-signing/compare/main...importEVG</a><o:p></o:p></li></ul><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif;">This is currently WIP, maintaining the numbering of RFC 3647 section 6, and moving the EV Guidelines sections referenced by the CSBRs into new sections. We've done these conversions in the past and they worked pretty well, leading to consistently structured policy documents across the ecosystem.<br><br>It's not perfect but it tries to move requirements to where RFC 3647 and the BRs expect them to be. For example, section 11.14 of the EV Guidelines talks about re-use of existing documentation which fits into section 4.2.1 of the BRs.<br><br><br>Thanks,<br>Dimitris.<o:p></o:p></p><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">Thanks, Bruce.<o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div></div><div style="border-width: 1pt medium medium; border-style: solid none none; padding: 3pt 0in 0in; border-image: none; border-color: currentcolor;"><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><b>From:</b><span class="apple-converted-space"> </span>Servercert-wg<span class="apple-converted-space"> </span><a href="mailto:servercert-wg-bounces@cabforum.org" style="color: blue; text-decoration: underline;"><servercert-wg-bounces@cabforum.org></a><span class="apple-converted-space"> </span><b>On Behalf Of<span class="apple-converted-space"> </span></b>Inigo Barreira via Servercert-wg<br><b>Sent:</b><span class="apple-converted-space"> </span>Monday, December 4, 2023 2:15 PM<br><b>To:</b><span class="apple-converted-space"> </span>Dimitris Zacharopoulos (HARICA)<span class="apple-converted-space"> </span><a href="mailto:dzacharo@harica.gr" style="color: blue; text-decoration: underline;"><dzacharo@harica.gr></a>; Tim Hollebeek<span class="apple-converted-space"> </span><a href="mailto:tim.hollebeek@digicert.com" style="color: blue; text-decoration: underline;"><tim.hollebeek@digicert.com></a><br><b>Cc:</b><span class="apple-converted-space"> </span>CA/B Forum Server Certificate WG Public Discussion List<span class="apple-converted-space"> </span><a href="mailto:servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;"><servercert-wg@cabforum.org></a><br><b>Subject:</b><span class="apple-converted-space"> </span>[EXTERNAL] Re: [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot<o:p></o:p></div></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 10pt;"> </span><o:p></o:p></div></div><div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 1pt; color: white;">Dimitris, I think that we should focus on the EVG not on the CP/CPS. The CA´s CP/CPS will have that 3. 2. 1 section because it´s in the TLS BRs but that does not mean that the EVG must have also that section 3. 2. 1 (BTW, the section exist in the</span><o:p></o:p></div></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">Dimitris,<o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB">I think that we should focus on the EVG not on the CP/CPS. The CA´s CP/CPS will have that 3.2.1 section because it´s in the TLS BRs but that does not mean that the EVG must have also that section 3.2.1 (BTW, the section exist in the TLS BRs but with no content). At the end of the day, every CA issuing TLS certs will have to follow the TLS BRs and EVGs and then accommodate their CP/CPSes according to both documents.</span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB">I understand your point to be stricter in the implementation of that specific point but for every CA to change/update their current CP/CPS with the new EVG in the RFC 3647 format, would find it easier to where to make those changes/adjustments in their own CP/CPS if we can convert easily the current section 11 into 3.2 and not to start looking into different numbers to make that change.</span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB"> </span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB">Regards</span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span lang="EN-GB"> </span><o:p></o:p></div></div><div><div style="border-width: 1pt medium medium; border-style: solid none none; padding: 3pt 0in 0in; border-image: none; border-color: currentcolor;"><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><b>De:</b><span class="apple-converted-space"> </span>Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr" style="color: blue; text-decoration: underline;">dzacharo@harica.gr</a>><br><b>Enviado el:</b><span class="apple-converted-space"> </span>lunes, 4 de diciembre de 2023 20:02<br><b>Para:</b><span class="apple-converted-space"> </span>Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com" style="color: blue; text-decoration: underline;">tim.hollebeek@digicert.com</a>>; Inigo Barreira <<a href="mailto:Inigo.Barreira@sectigo.com" style="color: blue; text-decoration: underline;">Inigo.Barreira@sectigo.com</a>><br><b>CC:</b><span class="apple-converted-space"> </span>CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;">servercert-wg@cabforum.org</a>><br><b>Asunto:</b><span class="apple-converted-space"> </span>Re: [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot<o:p></o:p></div></div></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div></div><div style="border: 1pt solid black; padding: 2pt;"><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif; line-height: 12pt; background: rgb(250, 250, 3);"><span style="font-size: 10pt;">CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span><o:p></o:p></div></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div></div><div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif;">FWIW, there are informational RFCs that include SHOULD requirements (I didn't check for other informational RFCs that might contain SHALL requirements). Take a look at<span class="apple-converted-space"> </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__urldefense.com_v3_-5F-5Fhttps-3A_datatracker.ietf.org_doc_html_rfc8894-5F-5F-3B-21-21FJ-2DY8qCqXTj2-21cDhQeVwolbnJ6hdDSRwEKs2w1lDqgYkiUHc4ApuZ3kUIV3BDxbQ0XAAIsJDbSWbqRevehayXBz-5Foc-2DH9s1zZDBI0YJAc7w-24&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=wsg-TdwvnM_b-Pg3U1XTwuszyojufD0lb45hNqvXdBXdCbT5NwVJ3w_4u0QY-JUd&s=eZUOnibdXAEm7TArY-4NlpNDvdpq2qrcI6Os5GzWvtY&e=" style="color: blue; text-decoration: underline;">RFC 8894</a>.<br><br>I agree that there seems to be some ambiguity in the REQUIRED CP/CPS structure but the entire reasoning behind using the "RFC 3647 format" was to align CP and CPS documents so that comparisons can be made across different CAs. If one CA reads that they must follow a 2-level structure based on section 4, and another CA reads that they must follow the structure of section 6 of the RFC, we're not meeting the goal for alignment and easy comparisons.<br><br>Digicert's CPS seems to follow the structure of section 6 of RFC 3647. Has anyone spotted a CPS claiming compliance with the TLS BRs that is not following the section 6 structure of 3647?<br><br>If all existing public CAs follow the structure of section 6 of 3647 in their CP/CPS documents, we can just clarify that the expectation is what Ben mentioned in<span class="apple-converted-space"> </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__urldefense.com_v3_-5F-5Fhttps-3A_github.com_BenWilson-2DMozilla_pkipolicy_commit_1a94642cb95017cf382e4e93811db16a2342a806-5F-5F-3B-21-21FJ-2DY8qCqXTj2-21cDhQeVwolbnJ6hdDSRwEKs2w1lDqgYkiUHc4ApuZ3kUIV3BDxbQ0XAAIsJDbSWbqRevehayXBz-5Foc-2DH9s1zZDBIIavReJg-24&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=wsg-TdwvnM_b-Pg3U1XTwuszyojufD0lb45hNqvXdBXdCbT5NwVJ3w_4u0QY-JUd&s=7yKm78aVhCw6xlE85YVTEd_kGz4SHJhZ83xtcshx1Ag&e=" style="color: blue; text-decoration: underline;">https://github.com/BenWilson-Mozilla/pkipolicy/commit/1a94642cb95017cf382e4e93811db16a2342a806</a>, so that we address this ambiguity. We probably don't even need an effective date if it causes no issue on existing CAs.<br><br>My point is that if we leave this open to interpretation, we can't compare CP/CPS sections across multiple CAs efficiently, and this defeats the whole purpose of the requirement to structure CP/CPS documents according to RFC 3647. We might as well abandon the idea of converting the EV Guidelines into that format.<br><br>I believe that the intent has always been to enforce a "stricter" alignment. But if indeed there are deviations, I'd support some stricter language to align CP/CPS documents according to section 6 of RFC 3647 even with a future effective date :)<br><br><br>Dimitris.<o:p></o:p></p><div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">On 4/12/2023 7:27 μ.μ., Tim Hollebeek wrote:<o:p></o:p></div></div></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">Yeah, the fact that the section 6 outline goes deeper than the actual described format in section 4 is annoying, and you’re right, it’s probably the source of these disagreements. I always look at section 4, because it has the actual guidance about what sort of information should be considered for inclusion.<o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">This is what happens when people try to turn informational documents into normative requirements. You have to try to interpret what phrases like “are strongly advised to adhere”, which isn’t even a RFC 2119 SHOULD. And it can’t even be a SHOULD, because as an informational RFC, it is prohibited from having requirements, even SHOULDs! That’s why it’s written that way. Also, informational RFCs are not examined as closely for inconsistencies (because there are no requirements!) which is how divergences like section 4 vs 6 happen. It wasn’t intended to be used as a compliance document.<o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">I still think what Inigo did is perfectly fine, although there are lots of other perfectly fine solutions, too. What we need to be discussing is what’s best for us, not RFC 3647 requires, because RFC 3647 has infinite leeway. As Aaron and I have been pointing out, you’ll find lots of divergences at level three, and there’s even lots of additional content in level two, just because a lot of newer content doesn’t really have a good fit in RFC 3647.<o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">Now, that said, we might want to be more strict in the future, and if we choose to do so, we can be. I just don’t want people overstating what the rules actually are, because a lot of people’s time has been wasted enforcing RFC 3647 in a way that is far stricter than was ever intended (one of the reasons I’m so vocal on this issue is because I got this point of view from one of the original authors).<o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">-Tim<o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div></div><div style="border-width: medium medium medium 1.5pt; border-style: none none none solid; padding: 0in 0in 0in 4pt; border-image: none; border-color: currentcolor currentcolor currentcolor blue;"><div><div style="border-width: 1pt medium medium; border-style: solid none none; padding: 3pt 0in 0in; border-image: none; border-color: currentcolor;"><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><b>From:</b><span class="apple-converted-space"> </span>Dimitris Zacharopoulos (HARICA)<span class="apple-converted-space"> </span><a href="mailto:dzacharo@harica.gr" style="color: blue; text-decoration: underline;"><dzacharo@harica.gr></a><br><b>Sent:</b><span class="apple-converted-space"> </span>Saturday, December 2, 2023 5:26 AM<br><b>To:</b><span class="apple-converted-space"> </span>Tim Hollebeek<span class="apple-converted-space"> </span><a href="mailto:tim.hollebeek@digicert.com" style="color: blue; text-decoration: underline;"><tim.hollebeek@digicert.com></a>; Inigo Barreira<span class="apple-converted-space"> </span><a href="mailto:Inigo.Barreira@sectigo.com" style="color: blue; text-decoration: underline;"><Inigo.Barreira@sectigo.com></a><br><b>Cc:</b><span class="apple-converted-space"> </span>CA/B Forum Server Certificate WG Public Discussion List<span class="apple-converted-space"> </span><a href="mailto:servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;"><servercert-wg@cabforum.org></a><br><b>Subject:</b><span class="apple-converted-space"> </span>Re: [Servercert-wg] SC-065: Convert EVGs into RFC 3647 format pre-ballot<o:p></o:p></div></div></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div></div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif;">We still have a disagreement so please allow me one more attempt to clarify my position because it seems you didn't check the links included in my previous post. I will copy some of that text here for convenience.<o:p></o:p></p><div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">On 1/12/2023 11:31 μ.μ., Tim Hollebeek wrote:<o:p></o:p></div></div></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">…<span class="Apple-converted-space"> </span><o:p></o:p></div></blockquote><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif;"><br>I think I might have a hint on our disconnect. RFC 3647 has an indicative Table of Contents in Chapter 6 (<a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__urldefense.com_v3_-5F-5Fhttps-3A_datatracker.ietf.org_doc_html_rfc3647-2Asection-2D6-5F-5F-3BIw-21-21FJ-2DY8qCqXTj2-21cDhQeVwolbnJ6hdDSRwEKs2w1lDqgYkiUHc4ApuZ3kUIV3BDxbQ0XAAIsJDbSWbqRevehayXBz-5Foc-2DH9s1zZDBKp-5FQdGmg-24&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=wsg-TdwvnM_b-Pg3U1XTwuszyojufD0lb45hNqvXdBXdCbT5NwVJ3w_4u0QY-JUd&s=cp3VExDM2DhLCKZSB-C46rsVM45LgWuB6qsMlwtjSHY&e=" style="color: blue; text-decoration: underline;">https://datatracker.ietf.org/doc/html/rfc3647#section-6</a>) outlining the proposed CP/CPS sections and subsections using 3 levels.<br><br>Here is the text of the opening paragraph of that section (emphasis added):<br><br><o:p></o:p></p><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">…<span class="Apple-converted-space"> </span><o:p></o:p></div></blockquote><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif;"><br>The reason the CA/B Forum BRs were structured according to this outline was to assist with comparisons between CP/CPS documents of different CAs, making the review of these documents easier.<br><br>That's why you see sections like 1.5.4 "CPS approval procedures" in the BRs as an empty section with "No Stipulation". There are many such sections in the BRs, all coming from section 6 of RFC 3647.<br><br>I hope this is clearer now.<br><br><o:p></o:p></p><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">…<span class="Apple-converted-space"> </span><o:p></o:p></div></blockquote><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif;"><br>During the last couple of years reviewing CP/CPS documents, I saw some uniformity at least in Publicly Trusted CAs, and they all seem to follow the BRs structure which comes from the outline of section 6 of RFC 3647. However, it's not a bad idea to further clarify BR section 2.2 to better meet the expectations.<br><br><o:p></o:p></p><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">…<span class="Apple-converted-space"> </span><o:p></o:p></div></blockquote><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif;"><br>To my point, BR 3.2.1 IS an RFC 3647 required section as it is explicitly mentioned in the outline of section 6 of RFC 3647:<br><br><o:p></o:p></p><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">…<span class="Apple-converted-space"> </span><o:p></o:p></div></blockquote><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif;"><br>Details about the contents of that section can be found in the first bullet of<span class="apple-converted-space"> </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__urldefense.com_v3_-5F-5Fhttps-3A_datatracker.ietf.org_doc_html_rfc3647-2Asection-2D4.3.2-5F-5F-3BIw-21-21FJ-2DY8qCqXTj2-21cDhQeVwolbnJ6hdDSRwEKs2w1lDqgYkiUHc4ApuZ3kUIV3BDxbQ0XAAIsJDbSWbqRevehayXBz-5Foc-2DH9s1zZDBIL19sP-5Fw-24&d=DwMGaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=wsg-TdwvnM_b-Pg3U1XTwuszyojufD0lb45hNqvXdBXdCbT5NwVJ3w_4u0QY-JUd&s=VVgYrcQHYItvxshaRW05i_oEkdLisu_m-OdTzlBeXn8&e=" style="color: blue; text-decoration: underline;">section 4.3.2 of RFC 3647</a>.<span class="apple-converted-space"> </span><br><br>Does that make more sense?<br><br>Dimitris.<br><br><o:p></o:p></p><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;">…<span class="Apple-converted-space"> </span><o:p></o:p></div></blockquote><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div></div></div></blockquote><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><i>Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains.<span class="apple-converted-space"> </span><u>Please notify Entrust immediately and delete the message from your system.</u></i><o:p></o:p></div></div></blockquote><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div></div></div></div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 9pt; font-family: Helvetica, sans-serif;">_______________________________________________<br>Servercert-wg mailing list<br></span><a href="mailto:Servercert-wg@cabforum.org" style="color: blue; text-decoration: underline;"><span style="font-size: 9pt; font-family: Helvetica, sans-serif;">Servercert-wg@cabforum.org</span></a><span style="font-size: 9pt; font-family: Helvetica, sans-serif;"><br></span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_servercert-2Dwg&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=wsg-TdwvnM_b-Pg3U1XTwuszyojufD0lb45hNqvXdBXdCbT5NwVJ3w_4u0QY-JUd&s=NI2v6X_p5sLdAuQxYnL49SedZwqRk1slWN8V5zVZkQs&e=" style="color: blue; text-decoration: underline;"><span style="font-size: 9pt; font-family: Helvetica, sans-serif;">https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_servercert-2Dwg&d=DwICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=wsg-TdwvnM_b-Pg3U1XTwuszyojufD0lb45hNqvXdBXdCbT5NwVJ3w_4u0QY-JUd&s=NI2v6X_p5sLdAuQxYnL49SedZwqRk1slWN8V5zVZkQs&e=</span></a><o:p></o:p></div></div></blockquote></div><div><div><div><div><div><div><div><div><div><div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span style="font-size: 8.5pt; color: rgb(246, 36, 0);"><br>WISeKey SA</span></b><o:p></o:p></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span style="font-size: 8.5pt;">Pedro Fuentes<br></span></b><span style="font-size: 8.5pt;">CSO - Trust Services Manager</span><span style="font-size: 9pt;"><br></span><span style="font-size: 7.5pt;">Office: + 41 (0) 22 594 30 00<br>Mobile: + 41 (0) </span><span style="font-size: 10pt;">791 274 790</span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 7.5pt;">Address: </span><span style="font-size: 7.5pt;">Avenue Louis-Casaï 58 | </span><span style="font-size: 10pt;">1216 Cointrin | Switzerland</span><o:p></o:p></div></div><div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span style="font-size: 9pt;">Stay connected with <a href="http://www.wisekey.com/" style="color: blue; text-decoration: underline;"><span style="color: rgb(246, 36, 0);">WISeKey</span></a><br><br></span></b><o:p></o:p></p></div><div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span style="font-size: 7.5pt; color: rgb(120, 166, 0);">THIS IS A TRUSTED MAIL</span></b><span style="font-size: 7.5pt; color: rgb(120, 166, 0);">: This message is digitally signed with a WISeKey identity. If you get a mail from WISeKey please check the signature to avoid security risks</span><o:p></o:p></div></div><div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></p></div><div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span style="font-size: 7pt; color: darkgray;">CONFIDENTIALITY: </span></b><span style="font-size: 7pt; color: darkgray;">This email and any files transmitted with it can be confidential and it’s intended solely for the use of the individual or entity to which they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. If you have received this email in error please notify the sender</span><o:p></o:p></div></div><div><div style="margin: 0in; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span style="font-size: 7pt; color: darkgray;">DISCLAIMER: </span></b><span style="font-size: 7pt; color: darkgray;">WISeKey does not warrant the accuracy or completeness of this message and does not accept any liability for any errors or omissions herein as this message has been transmitted over a public network. Internet communications cannot be guaranteed to be secure or error-free as information may be intercepted, corrupted, or contain viruses. Attachments to this e-mail are checked for viruses; however, we do not accept any liability for any damage sustained by viruses and therefore you are kindly requested to check for viruses upon receipt.</span></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></blockquote></div></blockquote></div></div></div></div></blockquote></div><br><div>
<meta charset="UTF-8"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><font style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-position: normal; font-variant-caps: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-weight: normal; line-height: normal; text-align: start; text-indent: 0px;"><b><font color="#f62400" style="font-size: 11px;"><br class="Apple-interchange-newline">WISeKey SA<br></font></b></font><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; font-variant-ligatures: normal; font-variant-position: normal; font-variant-caps: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; line-height: normal; text-align: start; text-indent: 0px;"><font style="color: rgb(0, 0, 0); font-size: 12px; font-weight: normal; font-style: normal;"><span style="font-size: 11px;"><b>Pedro Fuentes<br></b>CSO - Trust Services Manager</span><br><font size="1">Office: + 41 (0) 22 594 30 00<br>Mobile: + 41 (0) </font></font><span style="color: rgb(0, 0, 0); font-size: x-small; font-weight: normal; font-style: normal;">791 274 790</span></div><div style="font-variant-ligatures: normal; font-variant-position: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; line-height: normal; text-align: start; text-indent: 0px;"><font style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px;"><font size="1">Address: </font></font><font size="1">Avenue Louis-Casaï 58 | </font><span style="font-size: x-small;">1216 Cointrin | Switzerland</span></div><div style="font-variant-ligatures: normal; font-variant-position: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; line-height: normal; text-align: start; text-indent: 0px;"><font><font size="1" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px;"><b>Stay connected with <a href="http://www.wisekey.com"><font color="#f62400">WISeKey</font></a><br></b></font></font><span style="caret-color: rgb(0, 0, 0); color: rgb(169, 169, 169); font-size: 10px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; orphans: 2; widows: 2;"><br></span></div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-position: normal; font-variant-caps: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-weight: normal; line-height: normal; text-align: start; text-indent: 0px;"><div style="font-variant-ligatures: normal; font-variant-position: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; line-height: normal;"><span style="orphans: 2; widows: 2;"><font size="1" color="#78a600"><b>THIS IS A TRUSTED MAIL</b>: This message is digitally signed with a WISeKey identity. If you get a mail from WISeKey please check the signature to avoid security risks</font></span></div><div style="font-variant-ligatures: normal; font-variant-position: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; line-height: normal;"><span style="orphans: 2; widows: 2; font-size: 9px;"><font color="#a9a9a9"><br></font></span></div><div style="font-variant-ligatures: normal; font-variant-position: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; line-height: normal;"><div style="orphans: 2; widows: 2;"><font color="#a9a9a9" style="font-size: 9px;"><b>CONFIDENTIALITY: </b>This email and any files transmitted with it can be confidential and it’s intended solely for the use of the individual or entity to which they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. If you have received this email in error please notify the sender</font></div><div style="orphans: 2; widows: 2;"><font color="#a9a9a9" style="font-size: 9px;"><br></font></div><div style="orphans: 2; widows: 2;"><font color="#a9a9a9" style="font-size: 9px;"><b>DISCLAIMER: </b>WISeKey does not warrant the accuracy or completeness of this message and does not accept any liability for any errors or omissions herein as this message has been transmitted over a public network. Internet communications cannot be guaranteed to be secure or error-free as information may be intercepted, corrupted, or contain viruses. Attachments to this e-mail are checked for viruses; however, we do not accept any liability for any damage sustained by viruses and therefore you are kindly requested to check for viruses upon receipt.</font></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div>
<br></div></div></body></html>