<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body>
<div dir="auto"><span style="font-family: Calibri, sans-serif; font-size: 14.6667px; display: inline !important;">Hi <span style="font-size: 14.6667px; display: inline !important;">Karina,</span></span></div>
<span style="font-family: Calibri, sans-serif; font-size: 14.6667px; display: inline !important;">
<div dir="auto"><span style="font-family: Calibri, sans-serif; font-size: 14.6667px; display: inline !important;"><br>
</span></div>
> OCSP is not optional for TLS at this time. Thus, we will be changing our policy to : “<u>All non-TLS</u> end-entity certificates must contain an AIA extension with a valid OCSP URL”. We will continue to investigate OCSP for TLS.</span>
<div dir="auto"><font face="Calibri, sans-serif"><span style="font-size: 14.6667px;"><br>
</span></font></div>
<div dir="auto"><font face="Calibri, sans-serif"><span style="font-size: 14.6667px;">Do you mean: “<u>All TLS</u> end-entity certificates must contain an AIA extension with a valid OCSP URL”</span></font></div>
<div dir="auto"><font face="Calibri, sans-serif"><span style="font-size: 14.6667px;"><br>
</span></font></div>
<div dir="auto"><font face="Calibri, sans-serif"><span style="font-size: 14.6667px;">Paul</span></font></div>
<div dir="auto"><font face="Calibri, sans-serif"><span style="font-size: 14.6667px;"><br>
</span></font>
<div dir="auto"><span style="font-family: Calibri, sans-serif; font-size: 14.6667px; display: inline !important;"><br>
</span></div>
<div dir="auto"><span style="font-family: Calibri, sans-serif; font-size: 14.6667px; display: inline !important;"><br>
</span></div>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Smcwg-public <smcwg-public-bounces@cabforum.org> on behalf of Karina Sirota Goodley via Smcwg-public <smcwg-public@cabforum.org><br>
<b>Sent:</b> Sunday, October 9, 2022 8:08:42 PM<br>
<b>To:</b> smcwg-public@cabforum.org <smcwg-public@cabforum.org><br>
<b>Cc:</b> Karina Sirota Goodley <Karina.Sirota@microsoft.com><br>
<b>Subject:</b> [EXTERNAL] [Smcwg-public] Microsoft requirements for OCSP URLs in S/MIME certificates</font>
<div> </div>
</div>
<style>
<!--
@font-face
{font-family:"Cambria Math"}
@font-face
{font-family:Calibri}
p.x_MsoNormal, li.x_MsoNormal, div.x_MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif}
span.x_EmailStyle17
{font-family:"Calibri",sans-serif;
color:windowtext}
.x_MsoChpDefault
{font-family:"Calibri",sans-serif}
@page WordSection1
{margin:1.0in 1.0in 1.0in 1.0in}
div.x_WordSection1
{}
-->
</style>
<div lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">WARNING: This email originated outside of Entrust.<br>
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.<br>
<hr>
<div class="x_WordSection1">
<p class="x_MsoNormal">Hi all, </p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">In regards to the question of Microsoft requirements for OCSP URLs in S/MIME certificates, I had to do quite a bit of digging around the various teams across Microsoft. However, I can confirm that OCSP can be optional for any non-TLS
certificate types. This includes S/MIME. </p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">OCSP is not optional for TLS at this time. Thus, we will be changing our policy to : “All non-TLS end-entity certificates must contain an AIA extension with a valid OCSP URL”. We will continue to investigate OCSP for TLS.
</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">Best, </p>
<p class="x_MsoNormal">Karina Sirota Goodley</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal"> </p>
</div>
</div>
<i>Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the
information it contains. <u>Please notify Entrust immediately</u> and delete the message from your system.</i>
</body>
</html>