<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Dear Roman,<br>
<br>
HARICA would be interested to collaborate on this.<br>
<br>
<br>
Best regards,<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 3/9/2024 11:12 a.m., Roman Fischer
via Servercert-wg wrote:<br>
</div>
<blockquote type="cite"
cite="mid:01000191b6f1541c-de2caa89-3bc2-4464-9ea4-7314175e427e-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">Dear fellow CA reps,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">Together with the vendor of our PKI system,
we're now at the point where we either use their code to run
as remote perspectives (either on VMs hosted in any of the
public cloud providers or VMs running in our datacenters
with outbound VPNs that terminate at suitable remote
locations) or standardize the protocol / API between the
primary (local) perspective and the remotes and then use any
other (i.e. open source) implementation of the remote
perspective.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">We are aware of the Open MPIC initiative which
is very valuable. At the moment, they seem to focus on
providing a "complete" MPIC solution and their API
specification implements a single call to perform the
corroboration from multiple perspectives all at once. Also,
Open MPIC's choice of AWS Lambda functions for the
implementation is – while totally elegant – not in line with
our strategy for programming language and cloud usage.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">We're currently focusing more on a protocol /
API that specifies the call to one remote perspective and an
implementation that can be run in a VM/Docker container.
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">After my last mail, two interested CAs
contacted me privately and showed interest in collaboration
on the implementation of MPIC. Are there any other CAs
working on this and willing to share / collaborate?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">Kind regards<br>
Roman<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"><o:p> </o:p></span></p>
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"> Roman Fischer
<br>
<b>Sent:</b> Wednesday, 22 May 2024 09:29<br>
<b>To:</b> CA/B Forum Server Certificate WG Public
Discussion List <a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org">&lt;servercert-wg@cabforum.org&gt;</a><br>
<b>Subject:</b> RE: [Servercert-wg] Discussion Period
Begins - Ballot SC-067 V3: "Require domain validation
and CAA checks to be performed from multiple Network
Perspectives"<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">Dear colleagues,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">We have started internal discussions about
possible architectures to implement this new feature. This
of course also involves the vendor of our CA system because
the architecture of the remote perspectives has big impacts on
the changes needed in the CA system.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">One of the ideas we were brainstorming involves
partnering with other CAs to share remote perspectives. Of
course this would require some standardized protocol, mutual
authentication, contracts, … which I realize is probably as
huge an effort as doing it all by yourself.
</span><span
style="font-size:11.0pt;font-family:"Segoe UI Emoji",sans-serif"
lang="EN-US">😉</span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">What are other CAs' ideas for implementing this?
Please feel free to also contact me directly if you would rather
not discuss on the list.
</span><span
style="font-size:11.0pt;font-family:"Segoe UI Emoji",sans-serif"
lang="EN-US">😊</span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">Kind regards<br>
Roman<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"><o:p> </o:p></span></p>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"> Servercert-wg &lt;<a
href="mailto:servercert-wg-bounces@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg-bounces@cabforum.org</a>&gt;
<b>On Behalf Of </b>Chris Clements via Servercert-wg<br>
<b>Sent:</b> Monday, 20 May 2024 16:30<br>
<b>To:</b> CA/B Forum Server Certificate WG Public
Discussion List &lt;<a
href="mailto:servercert-wg@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>&gt;<br>
<b>Subject:</b> [Servercert-wg] Discussion Period Begins -
Ballot SC-067 V3: "Require domain validation and CAA
checks to be performed from multiple Network Perspectives"<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p style="margin:0cm"><b><span
style="font-family:"Arial",sans-serif;color:#0E101A">Purpose
of Ballot SC-067 V3</span></b><span
style="font-family:"Arial",sans-serif;color:#0E101A">:</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#500050"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">This
Ballot proposes updates to the
<i>Baseline Requirements for the Issuance and Management
of Publicly-Trusted TLS Server Certificates</i> (i.e.,
TLS BRs) related to “Multi-Perspective Issuance
Corroboration” (“MPIC”).</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#500050"> </span><o:p></o:p></p>
<p style="margin:0cm"><b><span
style="font-family:"Arial",sans-serif;color:#0E101A">Background</span></b><span
style="font-family:"Arial",sans-serif;color:#0E101A">:</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#500050"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">- MPIC
refers to performing domain validation and CAA checks from
multiple Network Perspectives before certificate issuance,
as described within the Ballot for the applicable
validation methods in TLS BR Sections 3.2.2.4 and 3.2.2.5.</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">- Not all
methods described in TLS BR Sections 3.2.2.4 and 3.2.2.5
will require using MPIC.</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">- This
work was most recently motivated by research presented at
Face-to-Face 58 [1] by Princeton University, but has been
discussed for years prior as well.</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">- The
goal of this proposal is to make it more difficult for
adversaries to successfully launch equally-specific prefix
attacks against the domain validation processes described
in the TLS BRs.</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">-
Additional background information can be found in an
update shared at Face-to-Face 60 [2].</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#500050"> </span><o:p></o:p></p>
<p style="margin:0cm"><b><span
style="font-family:"Arial",sans-serif;color:#0E101A">Benefits
of Adoption</span></b><span
style="font-family:"Arial",sans-serif;color:#0E101A">:</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#500050"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">- Recent
publicly-documented attacks have used BGP hijacks to fool
domain control validation and obtain malicious
certificates, which led to the impersonation of HTTPS
websites [3][</span><span
style="font-family:"Arial",sans-serif;color:black">4</span><span
style="font-family:"Arial",sans-serif;color:#0E101A">].</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">- Routing
security defenses (e.g., RPKI) can mitigate the risk of
global BGP attacks, but localized, equally-specific BGP
attacks still pose a significant threat to the Web PKI
[5][6].</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">-
Corroborating domain control validation checks from
multiple network perspectives (i.e., MPIC) spread across
the Internet substantially reduces the threat posed by
equally-specific BGP attacks, ensuring the integrity of
domain validation and issuance decisions [5][7][8].</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">-
Existing deployments of MPIC at the scale of millions of
certificates a day demonstrate the feasibility of this
technique at Internet scale [7][9].</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#500050"> </span><o:p></o:p></p>
<p style="margin:0cm"><b><span
style="font-family:"Arial",sans-serif;color:#0E101A">Intellectual
Property (IP) Disclosure</span></b><span
style="font-family:"Arial",sans-serif;color:#0E101A">:</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#500050"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">- While
not a Server Certificate Working Group Member, researchers
from Princeton University presented at Face-to-Face 58,
provided academic expertise, and highlighted
publicly-available peer-reviewed research to support
Members in drafting this ballot.</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">- The
Princeton University researchers indicate that they have
not filed for any patents relating to their MPIC work and
do not plan to do so in the future.</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">-
Princeton University has indicated that it is unable to
agree to the CA/Browser Forum IPR agreement because it
could encumber inventions invented by researchers not
involved in the development of MPIC or with the CA/B
Forum.</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">-
Princeton University has instead provided the attached IPR
statement. Pursuant to the IPR statement, Princeton
University has granted a worldwide royalty free license to
the intellectual property in MPIC developed by the
researchers and has made representations regarding its
lack of knowledge of any other Princeton intellectual
property needed to implement MPIC.</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">- The
attached IPR statement has not changed since disclosed in
Discussion Round 1.</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:black">- For
clarity, Princeton University’s IPR statement is NOT
intended to replace the Forum’s IPR agreement or allow
Princeton to participate in the Forum in any capacity.</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:black">- Members
seeking legal advice regarding this ballot should consult
their own counsel.</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#500050"> </span><o:p></o:p></p>
<p style="margin:0cm"><b><span
style="font-family:"Arial",sans-serif;color:#0E101A">Proposal
Revision History</span></b><span
style="font-family:"Arial",sans-serif;color:#0E101A">:</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#500050"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">-
Pre-Ballot Release #1 (work team artifacts and broader
Validation Subcommittee collaboration) [10]</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">-
Pre-Ballot Release #2 [11]</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#500050"> </span><o:p></o:p></p>
<p style="margin:0cm"><b><span
style="font-family:"Arial",sans-serif;color:#0E101A">Previous
versions of this Ballot</span></b><span
style="font-family:"Arial",sans-serif;color:#0E101A">:</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#500050">-</span><span
style="font-family:"Arial",sans-serif;color:#0E101A"> Ballot
Release #1 [12] (comparing Version 2 to Version 1) [13].
Note, some of the changes represented in the comparison
are updates made by other ballots that have since passed
(e.g., SC-069).</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">- Ballot
Release #2 [14] (comparing Version 3 to Version 2) [15].
Note, some of the changes represented in the comparison
are updates made by other ballots that have since passed
(e.g., SC-072).</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#500050"> </span><o:p></o:p></p>
<p style="margin:0cm"><b><span
style="font-family:"Arial",sans-serif;color:#0E101A">References</span></b><span
style="font-family:"Arial",sans-serif;color:#0E101A">:</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">[1]
</span><a
href="https://cabforum.org/wp-content/uploads/13-CAB-Forum-face-to-face-multiple-vantage-points.pdf"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://cabforum.org/wp-content/uploads/13-CAB-Forum-face-to-face-multiple-vantage-points.pdf</span></a><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">[2]
</span><a
href="https://drive.google.com/file/d/1LTwtAwHXcSaPVSsqKQztNJrV2ozHJ7ZL/view?usp=drive_link"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://drive.google.com/file/d/1LTwtAwHXcSaPVSsqKQztNJrV2ozHJ7ZL/view?usp=drive_link</span></a><span
style="font-family:"Arial",sans-serif;color:#0E101A"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">[3]
</span><a
href="https://medium.com/s2wblog/post-mortem-of-klayswap-incident-through-bgp-hijacking-en-3ed7e33de600"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://medium.com/s2wblog/post-mortem-of-klayswap-incident-through-bgp-hijacking-en-3ed7e33de600</span></a><span
style="font-family:"Arial",sans-serif;color:#0E101A"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">[4]
</span><a
href="https://www.coinbase.com/blog/celer-bridge-incident-analysis"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://www.coinbase.com/blog/celer-bridge-incident-analysis</span></a><span
style="font-family:"Arial",sans-serif;color:#0E101A"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">[5]
</span><a
href="https://www.usenix.org/conference/usenixsecurity23/presentation/cimaszewski"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://www.usenix.org/conference/usenixsecurity23/presentation/cimaszewski</span></a><span
style="font-family:"Arial",sans-serif;color:#0E101A"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">[6]
</span><a
href="https://www.blackhat.com/docs/us-15/materials/us-15-Gavrichenkov-Breaking-HTTPS-With-BGP-Hijacking-wp.pdf"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://www.blackhat.com/docs/us-15/materials/us-15-Gavrichenkov-Breaking-HTTPS-With-BGP-Hijacking-wp.pdf</span></a><span
style="font-family:"Arial",sans-serif;color:#0E101A"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">[7]
</span><a
href="https://www.usenix.org/conference/usenixsecurity21/presentation/birge-lee"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://www.usenix.org/conference/usenixsecurity21/presentation/birge-lee</span></a><span
style="font-family:"Arial",sans-serif;color:#0E101A"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">[8]
</span><a
href="https://www.usenix.org/conference/usenixsecurity18/presentation/birge-lee"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://www.usenix.org/conference/usenixsecurity18/presentation/birge-lee</span></a><span
style="font-family:"Arial",sans-serif;color:#0E101A"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">[9]
</span><a
href="https://security.googleblog.com/2023/05/google-trust-services-acme-api_0503894189.html"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://security.googleblog.com/2023/05/google-trust-services-acme-api_0503894189.html</span></a><span
style="font-family:"Arial",sans-serif;color:#0E101A"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">[10]
</span><a
href="https://github.com/ryancdickson/staging/pull/6"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://github.com/ryancdickson/staging/pull/6</span></a><span
style="font-family:"Arial",sans-serif;color:#0E101A"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">[11]
</span><a
href="https://github.com/ryancdickson/staging/pull/8"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://github.com/ryancdickson/staging/pull/8</span></a><span
style="font-family:"Arial",sans-serif;color:#0E101A"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">[12]
</span><a
href="https://github.com/cabforum/servercert/pull/487"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://github.com/cabforum/servercert/pull/487</span></a><span
style="font-family:"Arial",sans-serif;color:#0E101A"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">[13]
</span><a
href="https://github.com/cabforum/servercert/compare/6d10abda8980c6eb941987d3fc26e753e62858c0..5224983ef0a6f94c18808ea3469e7a5ae35746e5"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://github.com/cabforum/servercert/compare/6d10abda8980c6eb941987d3fc26e753e62858c0..5224983ef0a6f94c18808ea3469e7a5ae35746e5</span></a><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">[14]
</span><a
href="https://github.com/cabforum/servercert/pull/507"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://github.com/cabforum/servercert/pull/507</span></a><span
style="font-family:"Arial",sans-serif;color:#0E101A"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">[15]
</span><a
href="https://github.com/cabforum/servercert/compare/5224983ef0a6f94c18808ea3469e7a5ae35746e5..2dcf1a8fe5fc7b6a864b5767ab1db718bc447463"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://github.com/cabforum/servercert/compare/5224983ef0a6f94c18808ea3469e7a5ae35746e5..2dcf1a8fe5fc7b6a864b5767ab1db718bc447463</span></a><span
style="font-family:"Arial",sans-serif;color:#0E101A"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#500050"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#0E101A">The
following motion has been proposed by Chris Clements and
Ryan Dickson of Google (Chrome Root Program) and endorsed
by Aaron Gable (ISRG / Let’s Encrypt) and Wayne Thayer
(Fastly). </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#500050"> </span><o:p></o:p></p>
<p style="margin:0cm"><b><span
style="font-family:"Arial",sans-serif;color:black">— Motion
Begins —</span></b><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#500050"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:black">This ballot
modifies the “Baseline Requirements for the Issuance and
Management of Publicly-Trusted TLS Server Certificates”
(“Baseline Requirements”), based on Version 2.0.4.</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#500050"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:black">MODIFY the
Baseline Requirements as specified in the following
Redline:</span><o:p></o:p></p>
<p style="margin:0cm"><a
href="https://github.com/cabforum/servercert/compare/c4a34fe2292022e0a04ba66b5a85df75907ac2a2..2dcf1a8fe5fc7b6a864b5767ab1db718bc447463"
moz-do-not-send="true"><span
style="font-family:"Arial",sans-serif">https://github.com/cabforum/servercert/compare/c4a34fe2292022e0a04ba66b5a85df75907ac2a2..2dcf1a8fe5fc7b6a864b5767ab1db718bc447463</span></a><span
style="font-family:"Arial",sans-serif;color:black"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#500050"> </span><o:p></o:p></p>
<p style="margin:0cm"><b><span
style="font-family:"Arial",sans-serif;color:black">— Motion
Ends —</span></b><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#500050"> </span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:black">This ballot
proposes a Final Maintenance Guideline. The procedure for
approval of this ballot is as follows:</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#500050"> </span><o:p></o:p></p>
<p style="margin:0cm"><b><span
style="font-family:"Arial",sans-serif;color:black">Discussion
(at least 11 days)</span></b><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:black">- Start:
2024-05-20 14:30:00 UTC</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:black">- End no
earlier than: 2024-05-31 14:30:00 UTC</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:#500050"> </span><o:p></o:p></p>
<p style="margin:0cm"><b><span
style="font-family:"Arial",sans-serif;color:black">Vote for
approval (7 days)</span></b><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:black">- Start:
TBD</span><o:p></o:p></p>
<p style="margin:0cm"><span
style="font-family:"Arial",sans-serif;color:black">- End: TBD</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<br>
</blockquote>
<br>
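<p>Added example, not part of the thread and not code from any CA, vendor or Open MPIC: a sketch of the architecture discussed above, in which the primary perspective makes one call per remote perspective and corroborates the replies itself. The JSON fields, perspective names, token values and the <code>max_non_corroborations</code> threshold are assumptions for illustration; the remote lookups are simulated with constructed data.</p>

```python
import json
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class CheckRequest:
    """One call from the primary to ONE remote perspective (hypothetical schema)."""
    request_id: str
    domain: str
    expected_token: str


def remote_perspective(name, view, raw_request):
    """Simulated remote perspective.

    `view` is constructed data standing in for what this vantage point
    retrieves for the domain over its own routes; a missing entry models
    a timeout or an empty answer.
    """
    req = json.loads(raw_request)
    observed = view.get(req["domain"])
    return json.dumps({
        "request_id": req["request_id"],
        "perspective": name,
        "corroborates": observed == req["expected_token"],
    })


def corroborate(request, remotes, max_non_corroborations):
    """Primary side: call every remote separately and fail closed.

    A reply that is malformed, answers a different request, or comes back
    under the wrong perspective name counts as a non-corroboration.
    """
    raw = json.dumps(asdict(request))
    agree, disagree = [], []
    for name, call in remotes.items():
        try:
            resp = json.loads(call(raw))
            ok = (resp["request_id"] == request.request_id
                  and resp["perspective"] == name
                  and resp["corroborates"] is True)
        except (ValueError, KeyError, TypeError, OSError):
            ok = False
        (agree if ok else disagree).append(name)
    return {"issue": len(disagree) <= max_non_corroborations,
            "agree": agree, "disagree": disagree}


def simulate(views, token, max_non_corroborations=1):
    """Wire constructed per-perspective views into remote callables and run."""
    req = CheckRequest("req-0001", "example.com", token)
    remotes = {n: (lambda raw, n=n, v=v: remote_perspective(n, v, raw))
               for n, v in views.items()}
    return corroborate(req, remotes, max_non_corroborations)


# Constructed views: what a vantage point sees when it reaches the real
# server, when its route is diverted by a localized hijack, or when the
# lookup returns nothing.
REAL_SERVER = {"example.com": "tok-owner"}
DIVERTED = {"example.com": "tok-other"}
NO_ANSWER = {}

if __name__ == "__main__":
    # Legitimate request: every perspective reaches the real server.
    print(simulate({"remote-a": REAL_SERVER, "remote-b": REAL_SERVER,
                    "remote-c": REAL_SERVER}, "tok-owner"))
    # Localized diversion: only remote-a sees the diverted content, so the
    # request for "tok-other" is not corroborated and issuance is refused.
    print(simulate({"remote-a": DIVERTED, "remote-b": REAL_SERVER,
                    "remote-c": REAL_SERVER}, "tok-other"))
    # One remote is unreachable: still within the assumed tolerance of 1.
    print(simulate({"remote-a": REAL_SERVER, "remote-b": NO_ANSWER,
                    "remote-c": REAL_SERVER}, "tok-owner"))
```

<p>Because each remote is called on its own, the corroboration decision stays with the primary perspective, which is the split between a per-perspective API and a single all-at-once call that the thread describes.</p>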
</body>
</html>