<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
@font-face
{font-family:Aptos;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>Wayne,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I think it's safest to err on the side of caution and use the explicit wording that you proposed.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Tom<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Wayne Thayer <wthayer@gmail.com> <br><b>Sent:</b> Friday, February 23, 2024 2:45 PM<br><b>To:</b> Tom Zermeno <tom@ssl.com><br><b>Cc:</b> CA/B Forum Server Certificate WG Public Discussion List <servercert-wg@cabforum.org>; Martijn Katerbarg <martijn.katerbarg@sectigo.com><br><b>Subject:</b> Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 align=left width="100%" style='width:100.0%'><tr><td style='background:#A6A6A6;padding:5.25pt 1.5pt 5.25pt 1.5pt'></td><td width="100%" style='width:100.0%;background:#EAEAEA;padding:5.25pt 3.75pt 5.25pt 11.25pt'><div><p class=MsoNormal style='mso-element:frame;mso-element-frame-hspace:2.25pt;mso-element-wrap:around;mso-element-anchor-vertical:paragraph;mso-element-anchor-horizontal:column;mso-height-rule:exactly'><span style='font-size:9.0pt;font-family:"Segoe UI",sans-serif;color:#212121'>You don't often get email from <a href="mailto:wthayer@gmail.com">wthayer@gmail.com</a>. <a href="https://aka.ms/LearnAboutSenderIdentification">Learn why this is important</a><o:p></o:p></span></p></div></td><td width=75 style='width:56.25pt;background:#EAEAEA;padding:5.25pt 3.75pt 5.25pt 3.75pt;align:left'></td></tr></table><div><div><div><p class=MsoNormal>Tom,<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I had originally placed the Debian exception in the sublist of 6.1.1.3(5), but Aaron Gable correctly pointed out that it doesn't make sense there because that sublist is prefaced with the statement "the following precautions SHALL be implemented:" I think it would be logically difficult to interpret the exception as belonging with 6.1.1.3(5)(ii) Close Primes, but I do agree that it could be clearer. To that end, I've change the indentation of the exception sentence in <a href="https://github.com/wthayer/servercert/pull/1/files">https://github.com/wthayer/servercert/pull/1/files</a> Does that help? I could also change the wording to "Debian weak keys (<a href="https://wiki.debian.org/SSLkeys">https://wiki.debian.org/SSLkeys</a>) are exempt from the requirements of Section 6.1.1.3(5).<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thanks,<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Wayne<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Fri, Feb 23, 2024 at 10:33 AM Tom Zermeno <<a href="mailto:tom@ssl.com">tom@ssl.com</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Wayne,<br><br>Regarding the change of the Debian weak keys statement at proposed line 1701: is the statement intended to be a sub-clause of the second item in the sublist, which would then make Debian weak keys exempt from the Fermat factorization method check? Or, more likely based on the recent discussion, was the statement meant to be a third item in the list, which would then exempt Debian weak keys from the 5th condition of the list requiring CAs to reject certificate requests?<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>My question stems from the abnormal line spacing and indention of the statement, which stands out from the surrounding text.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thanks, <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Tom<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div style='border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in;border-color:currentcolor currentcolor'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>From:</b> Servercert-wg <<a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank">servercert-wg-bounces@cabforum.org</a>> <b>On Behalf Of </b>Wayne Thayer via Servercert-wg<br><b>Sent:</b> Friday, February 23, 2024 11:18 AM<br><b>To:</b> Martijn Katerbarg <<a href="mailto:martijn.katerbarg@sectigo.com" target="_blank">martijn.katerbarg@sectigo.com</a>><br><b>Cc:</b> CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>><br><b>Subject:</b> Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Martijn,<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I would summarize the reasoning for removing the Debian requirements as follows:<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>- CAs would prefer the greater clarity that would be provided by the weak keys ballot that failed last year.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>- However, some CAs were of the opinion that the prior ballot imposed more explicit requirements for Debian weak key checking rather than just clarifying existing requirements. The "new" requirements were viewed as burdensome.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>- The Debian vulnerability is more than 15 years old. If an Applicant submits a Debian weak key at this point, they almost certainly have bigger security issues.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>- So the cost of these requirements outweighs the benefits at this point in time.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I included a few links to the discussion during the prior balot's voting period, and there was also discussion at the last SCWG teleconference that should be captured in the minutes.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thanks,<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Wayne<o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Fri, Feb 23, 2024 at 2:19 AM Martijn Katerbarg <<a href="mailto:martijn.katerbarg@sectigo.com" target="_blank">martijn.katerbarg@sectigo.com</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid windowtext 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)'><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Wayne, <br><br>Apologies if I’ve missed something in discussions, but why exactly are we removing the Debian Weak Keys language, and even explicitly mentioned that CAs do not need to check for them (anymore)?<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br>Regards,<br><br>Martijn<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div id="m_-3237787619249778961m_-6864181456797876892mail-editor-reference-message-container"><div><div style='border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in;border-color:currentcolor'><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><b><span style='font-size:12.0pt;font-family:"Aptos",sans-serif;color:black'>From: </span></b><span style='font-size:12.0pt;font-family:"Aptos",sans-serif;color:black'>Servercert-wg <<a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank">servercert-wg-bounces@cabforum.org</a>> on behalf of Wayne Thayer via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>><br><b>Date: </b>Thursday, 22 February 2024 at 20:01<br><b>To: </b>CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>><br><b>Subject: </b>Re: [Servercert-wg] Compromised/Weak Keys Ballot Proposal</span><o:p></o:p></p></div><div style='border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:12.0pt;background:#FAFA03'><span style='color:black'>CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.</span><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I am seeking a second endorser for this proposal. Below is a draft of the ballot language.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thanks,<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Wayne<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>================================<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>**Ballot SC-XX: Compromised / Weak Keys**<br><br>This ballot updates BR section 6.1.1.3 to address two issues:<br><br>First, the requirements placed on CAs to reject a certificate request if they have been “made aware” that the key pair is compromised is vague and open-ended in regard to how CAs may be “made aware”. This ballot specifies that CAs be “made aware” via their problem reporting mechanism.<br><br>Second, this ballot reintroduces the language from [failed] ballot SC-59: Weak Key Guidance. However, based on feedback received during the discussion and voting period for that ballot, Debian weak key checks are now explicitly out of scope.<br><br>This ballot is proposed by Wayne Thayer (Fastly) and endorsed by Brittany Randall (GoDaddy) and <someone else( )>. You can view and comment on the github pull request representing this ballot here: <a href="https://github.com/wthayer/servercert/pull/1/files" target="_blank">https://github.com/wthayer/servercert/pull/1/files</a> <br><br>The preceding discussions can be seen here:<br><br>* This ballot: <a href="https://lists.cabforum.org/pipermail/servercert-wg/2024-February/004195.html" target="_blank">https://lists.cabforum.org/pipermail/servercert-wg/2024-February/004195.html</a> <br>* The prior weak keys ballot: <a href="https://lists.cabforum.org/pipermail/servercert-wg/2023-July/003820.html" target="_blank">https://lists.cabforum.org/pipermail/servercert-wg/2023-July/003820.html</a> and <a href="https://lists.cabforum.org/pipermail/servercert-wg/2023-July/003857.html" target="_blank">https://lists.cabforum.org/pipermail/servercert-wg/2023-July/003857.html</a><br>* The “made aware” language in <a href="http://6.1.1.3/" target="_blank">6.1.1.3</a>: <a href="https://lists.cabforum.org/pipermail/servercert-wg/2023-July/003902.html" target="_blank">https://lists.cabforum.org/pipermail/servercert-wg/2023-July/003902.html</a><br><br><br>--- Motion Begins ---<br><br>This ballot modifies the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" ("Baseline Requirements") based on Version 2.X.X<br><br>MODIFY the Baseline Requirements as specified in the following redline: <Immutable redline link><br><br>--- Motion Ends ---<br><br>Discussion (at least 7 days):<br><br>- Start: TBD UTC<br>- End: TBD UTC<br><br>Vote for approval (7 days):<br><br>- Start: TBD UTC<br>- End: TBD UTC<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Mon, Feb 12, 2024 at 6:12 PM Wayne Thayer via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid windowtext 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thank you fo the feedback Aaron. I agree with both points you made in the PR and have updated it to reflect your suggestions.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>- Wayne<o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Mon, Feb 12, 2024 at 12:27 PM Aaron Gable <<a href="mailto:aaron@letsencrypt.org" target="_blank">aaron@letsencrypt.org</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid windowtext 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thank you Wayne! I think this gets close to the sweet spot for me, personally. I've left two small comments on the ballot, but on the whole I think I like this approach. <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thanks again,<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Aaron<o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Mon, Feb 12, 2024 at 8:18 AM Wayne Thayer via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid windowtext 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Following up from the last SCWG teleconference, I've reviewed the feedback from the discussion [1] and voting [2] periods for ballot SC-59 Weak Key Guidance, along with the prior discussions on the "made aware" language in section 6.1.1.3 [3] and I would like to propose the following Baseline Requirements improvements:<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>* Scope the 6.1.1.3 "made aware" language to "made aware via the CA's documented problem reporting mechanism". This addresses the concern that I raised by limiting how a CA can be "made aware". [4]<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>* Remove the Debian requirements from the prior weak keys ballot and replace them with language that excludes Debian weak keys. Otherwise use the language from the prior ballot, with the exception of a new effective date. This consolidates feedback that CAs do desire the clarity that would have been provided by the prior ballot, but many believe that the burden for rejecting Debian weak keys exceeds the value of doing so at this point in time.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Here's the result: <a href="https://github.com/wthayer/servercert/pull/1/files" target="_blank">https://github.com/wthayer/servercert/pull/1/files</a><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Note that, while there has been discussion about completely removing weak key checking requirements, there does not appear to be a consensus to do so.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I would appreciate everyone's feedback on the proposal, and I am also seeking endorsers.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thanks,<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Wayne<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>[1] <a href="https://lists.cabforum.org/pipermail/servercert-wg/2023-July/003820.html" target="_blank">https://lists.cabforum.org/pipermail/servercert-wg/2023-July/003820.html</a><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>[2] <a href="https://lists.cabforum.org/pipermail/servercert-wg/2023-July/003857.html" target="_blank">https://lists.cabforum.org/pipermail/servercert-wg/2023-July/003857.html</a><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>[3] <a href="https://lists.cabforum.org/pipermail/servercert-wg/2023-July/003902.html" target="_blank">https://lists.cabforum.org/pipermail/servercert-wg/2023-July/003902.html</a><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>[4] <a href="https://github.com/cabforum/servercert/issues/442" target="_blank">https://github.com/cabforum/servercert/issues/442</a><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>_______________________________________________<br>Servercert-wg mailing list<br><a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br><a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><o:p></o:p></p></blockquote></div></blockquote></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>_______________________________________________<br>Servercert-wg mailing list<br><a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br><a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><o:p></o:p></p></blockquote></div></div></div></div></div></div></div></blockquote></div></div></div></div></blockquote></div></div></div></body></html>