<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Aptos",sans-serif;
mso-ligatures:standardcontextual;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#467886;
text-decoration:underline;}
code
{mso-style-priority:99;
font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Aptos",sans-serif;
mso-ligatures:standardcontextual;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:11.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:644119210;
mso-list-type:hybrid;
mso-list-template-ids:239232242 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1
{mso-list-id:1062212524;
mso-list-template-ids:-1477134834;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#467886" vlink="#96607D" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'>We were looking at some of the details in Ballot SC-063 V4: Make OCSP Optional, Require CRLs, and Incentivize Automation<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'><a href="https://github.com/cabforum/servercert/blob/a0efd83d3818fe5c3df23bf4b32483cc4e6f133c/docs/BR.md#721-version-numbers">https://github.com/cabforum/servercert/blob/a0efd83d3818fe5c3df23bf4b32483cc4e6f133c/docs/BR.md#721-version-numbers</a><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'>We have 2 comments in the area of CRLs and Reason codes:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'>#1: For certificateHold it says:<br><br><o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'>MUST NOT be included if the CRL entry is for 1) a Certificate subject to these Requirements, or 2) a Certificate not subject to these Requirements and was either A) issued on-or-after 2020-09-30 or B) has a <code><span style='font-family:"Calibri",sans-serif'>notBefore</span></code> on-or-after 2020-09-30.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'>We’d like to suggest a change because:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'>Regarding “2) a Certificate not subject to these Requirements”, If “these Requirements” means the BRs, how is it that the BRs can place requirements on non TLS certificates? Maybe this was an old requirement related to ICAs that issued both TLS and non-TLS certificates, which isn’t a concern anymore<o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'>This also has a back dated requirement given that it places requirements that were issued prior to this ballot being adopted (for certs not subject to these Requirements.)<o:p></o:p></span></li></ol><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'>We recommend removing #2. It’s not urgent so maybe we do this in the next clean-up. I opened this issue to track this:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'> <a href="https://github.com/cabforum/servercert/issues/506">https://github.com/cabforum/servercert/issues/506</a><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'>=====================================<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'>#2: This ballot was to make CRLs required, but there isn’t a requirement to included CDP into the TLS certificates. Is this intentional, or should we go through the BR and update to make it clear that for certificates that are not short lived certificates CDP is required and AIA is optional? Perhaps there was a discussion prior that documented this.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'>For example, <a href="https://github.com/cabforum/servercert/blob/a0efd83d3818fe5c3df23bf4b32483cc4e6f133c/docs/BR.md#712112-crl-distribution-points">https://github.com/cabforum/servercert/blob/a0efd83d3818fe5c3df23bf4b32483cc4e6f133c/docs/BR.md#712112-crl-distribution-points</a> says:<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.25in'><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'><br>The CRL Distribution Points extension MUST be present in:<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.75in;text-indent:-.25in;mso-list:l1 level1 lfo2'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol;mso-ligatures:none'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:10.0pt;font-family:"Calibri",sans-serif;mso-ligatures:none'>Subordinate CA Certificates; and<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.75in;text-indent:-.25in;mso-list:l1 level1 lfo2'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol;mso-ligatures:none'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:10.0pt;font-family:"Calibri",sans-serif;mso-ligatures:none'>Subscriber Certificates that 1) do not qualify as "Short-lived Subscriber Certificates" and 2) do not include an Authority Information Access extension with an id-ad-ocsp accessMethod.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'>Which implies you can omit CDP if you have </span><span style='font-size:10.0pt;font-family:"Calibri",sans-serif;mso-ligatures:none'>id-ad-ocsp accessMethod.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'><br>You could interpret these sections as including the CDP is optional. <o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'> <a href="https://github.com/cabforum/servercert/blob/a0efd83d3818fe5c3df23bf4b32483cc4e6f133c/docs/BR.md#712112-crl-distribution-points">https://github.com/cabforum/servercert/blob/a0efd83d3818fe5c3df23bf4b32483cc4e6f133c/docs/BR.md#712112-crl-distribution-points</a><o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'><a href="https://github.com/cabforum/servercert/blob/a0efd83d3818fe5c3df23bf4b32483cc4e6f133c/docs/BR.md#71276-subscriber-certificate-extensions">https://github.com/cabforum/servercert/blob/a0efd83d3818fe5c3df23bf4b32483cc4e6f133c/docs/BR.md#71276-subscriber-certificate-extensions</a><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'>If the intent of the ballot is to ensure that every TLS CA has a CRL, but CDP is not required, then we should make that more clear in various places. Issue created:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'> <a href="https://github.com/cabforum/servercert/issues/505">https://github.com/cabforum/servercert/issues/505</a><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'>Regards,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif'>Doug<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>