<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:"Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;}
@font-face
{font-family:"\@Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt'>Sorry, case of the Fridays. The comment is pending because I didn’t submit the review yet (so no one could see it). I went ahead and did that now.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Servercert-wg &lt;servercert-wg-bounces@cabforum.org&gt; <b>On Behalf Of </b>Corey Bonnell via Servercert-wg<br><b>Sent:</b> Friday, September 20, 2024 11:36 AM<br><b>To:</b> Paul van Brouwershaven &lt;Paul.vanBrouwershaven@entrust.com&gt;; CA/B Forum Server Certificate WG Public Discussion List &lt;servercert-wg@cabforum.org&gt;<br><b>Subject:</b> Re: [Servercert-wg] Discussion Period Begins | SC-079 - Allow more than one Certificate Policy in a Cross-Certified Subordinate CA Certificate<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt'>I commented on the GitHub PR last week, but the comment is still pending: the first sentence of 7.1.2.2.6 should be changed to remove “If present”, as cross certificates must always include the certificatePolicies extension. 
The “if present” stipulation was originally added to address the Root CA certificate case, where the omission of the certificatePolicies extension is encouraged.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Thanks,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Corey<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Servercert-wg &lt;<a href="mailto:servercert-wg-bounces@cabforum.org">servercert-wg-bounces@cabforum.org</a>&gt; <b>On Behalf Of </b>Paul van Brouwershaven via Servercert-wg<br><b>Sent:</b> Friday, September 20, 2024 4:03 AM<br><b>To:</b> CA/B Forum Server Certificate WG Public Discussion List &lt;<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>&gt;<br><b>Subject:</b> [Servercert-wg] Discussion Period Begins | SC-079 - Allow more than one Certificate Policy in a Cross-Certified Subordinate CA Certificate<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><b><span style='font-size:11.0pt;color:black'>### Purpose of the Ballot</span></b><span style='font-size:11.0pt;color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;color:black'>This ballot duplicates the content of section 7.1.2.10.5 (CA Certificate Certificate Policies) into section 7.1.2.2 (Cross-Certified Subordinate CA Certificate Profile) as section 7.1.2.2.6 (Cross-Certified Subordinate CA Certificate Certificate Policies), modifying the requirement from <i>"MUST contain exactly one Reserved 
Certificate Policy Identifier"</i> to <i>"MUST include at least one Reserved Certificate Policy Identifier. If any Subscriber Certificates will chain up directly to the Certificate issued under this Certificate Profile, this Cross-Certified Subordinate CA Certificate MUST contain exactly one Reserved Certificate Policy Identifier"</i>. This change allows the inclusion of multiple Reserved Certificate Policy Identifiers in a Cross-Certified Subordinate CA Certificate, except when any Subscriber Certificates chain up directly to the Certificate issued under this Certificate Profile.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;color:black'>Additionally, the description of the `policyIdentifier` contents was updated for clarification in both sections.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;color:black'>The following motion has been proposed by Paul van Brouwershaven (Entrust) and endorsed by Ben Wilson (Mozilla) and Thomas Zermeno (SSL.com).<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;color:black'>GitHub pull request for this ballot: <a href="https://github.com/cabforum/servercert/pull/544">https://github.com/cabforum/servercert/pull/544</a> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><b><span style='font-size:11.0pt;color:black'>### Motion begins</span></b><span style='font-size:11.0pt;color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span 
style='font-size:11.0pt;color:black'>MODIFY the "Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates" ("TLS Baseline Requirements") based on Version 2.0.7 as specified in the following redline:<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;color:black'>- <a href="https://github.com/cabforum/servercert/compare/ba28d04894d69c8fac62850b9d0de5061658c7c5...20ac9adc0f9620f5b361c96c1041404432e7fa47">https://github.com/cabforum/servercert/compare/ba28d04894d69c8fac62850b9d0de5061658c7c5...20ac9adc0f9620f5b361c96c1041404432e7fa47</a> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><b><span style='font-size:11.0pt;color:black'>### Motion ends</span></b><span style='font-size:11.0pt;color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;color:black'>This ballot proposes a Final Maintenance Guideline. 
The procedure for approval of this ballot is as follows:<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;color:black'>Discussion (7+ days)<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;color:black'>- Start time: 2024-09-20 08:00 UTC<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;color:black'>- End time: 2024-09-27 08:00 UTC<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;color:black'>Vote for approval (7 days)<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;color:black'>- Start time: TBC<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;color:black'>- End time: TBC<o:p></o:p></span></p></div></div></body></html>