<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;
        mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0cm;
        margin-right:0cm;
        margin-bottom:0cm;
        margin-left:36.0pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;
        mso-fareast-language:EN-US;}
span.E-mailStijl20
        {mso-style-type:personal-reply;
        font-family:"Verdana",sans-serif;
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:27993618;
        mso-list-type:hybrid;
        mso-list-template-ids:-1016434912 68354063 68354073 68354075 68354063 68354073 68354075 68354063 68354073 68354075;}
@list l0:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l0:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l1
        {mso-list-id:1824850119;
        mso-list-template-ids:348700882;}
@list l1:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:72.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
ol
        {margin-bottom:0cm;}
ul
        {margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="NL" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif">Hi all,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif">Ballot SMC03 introduced the term “extant CA” as follows:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif"><o:p> </o:p></span></p>
<ol style="margin-top:0cm" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level1 lfo3"><i><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif">Is a Publicly-Trusted Subordinate CA Certificate whose `notBefore` field is before September 1, 2023
<span style="background:yellow;mso-highlight:yellow">and has issued end entity S/MIME Certificates;</span><o:p></o:p></span></i></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level1 lfo3"><i><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif">The CA Certificate includes no Extended Key Usage extension, contains `anyExtendedKeyUsage` in the EKU
 extension, or contains `id-kp-emailProtection` in the EKU extension; <o:p></o:p></span></i></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level1 lfo3"><i><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif"> The CA Certificate complies with the profile defined in [RFC 5280](</span></i><a href="http://tools.ietf.org/html/rfc5280"><i><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif">http://tools.ietf.org/html/rfc5280</span></i></a><i><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif">).
 The following two deviations from the [RFC 5280](</span></i><a href="http://tools.ietf.org/html/rfc5280"><i><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif">http://tools.ietf.org/html/rfc5280</span></i></a><i><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif">)
 profile are acceptable:<o:p></o:p></span></i>
<ol style="margin-top:0cm" start="1" type="a">
<li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level2 lfo3"><i><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif">The CA Certificate contains a `nameConstraints` extension that is not marked critical;
<o:p></o:p></span></i></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level2 lfo3"><i><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif">The CA Certificate contains a policy qualifier of type UserNotice which contains `explicitText` that
 uses an encoding that is not permitted by [RFC 5280](</span></i><a href="http://tools.ietf.org/html/rfc5280"><i><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif">http://tools.ietf.org/html/rfc5280</span></i></a><i><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif">)
 (i.e., the `DisplayText` is encoded using BMPString or VisibleString); and <o:p>
</o:p></span></i></li></ol>
</li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level1 lfo3"><i><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif">The CA Certificate contains the `anyPolicy` identifier (2.5.29.32.0) or specific OIDs in the `certificatePolicies`
 extension that do not include those defined in [Section 7.1.6.1](#7161-reserved-certificate-policy-identifiers) of these Requirements.<o:p></o:p></span></i></li></ol>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif">Now it might seem like nit-picking but we had a question specifically about the first line. If a CA is S/MIME capable but only issues other CA certificates which
 in turn issue end-user S/MIME certificates, is that still covered by this definition? 
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif">PKIoverheid operates a 4-layer hierarchy in which the level 2 CAs only issue CA certificates to Trust Service providers who actually issue end-user (S/MIME and
 qualified) certificates. We’re asking this question because we’re currently planning (re)issuance of existing PKIoverheid level 3 CAs to remain compliant with the SBRGs (or move them off S/MIME completely when it is no longer needed) per the timelines stated
 in Appendix B. <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif">Reading the text verbatim would indicate that the level 2 CAs are not included in the definition of the “extant CA” since they never have and never will issue end-user
 certificates of any kind but we have our doubts if that is a valid interpretation.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif">What take do other CAs (or browsers) have on this?
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:NL">Kind Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:NL"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:NL">Jochem van den Berge<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:NL">Compliance officer PKIoverheid<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:NL"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-GB" style="font-size:14.0pt;font-family:"Verdana",sans-serif;color:#538135;mso-fareast-language:NL">Logius<o:p></o:p></span></b></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif;color:#1F497D;mso-fareast-language:NL"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:NL">Digital Government Service<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:NL">Ministry of the Interior and Kingdom Relations<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="FR" style="font-size:9.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:NL">........................................................................<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="FR" style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F4E79;mso-fareast-language:NL"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span lang="FR" style="font-size:9.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:NL">M</span></b><span lang="FR" style="font-size:9.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:NL"> (+31) (0)6 – 21 16 26 89<o:p></o:p></span></p>
<p class="MsoNormal"><b><span lang="FR" style="font-size:9.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:NL">T 
</span></b><span lang="FR" style="font-size:9.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:NL">(+31) (0)70 - 888 76 91<b><o:p></o:p></b></span></p>
<p class="MsoNormal"><a href="mailto:jochem.vanden.berge@logius.nl"><span lang="FR" style="font-size:9.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:NL">jochem.vanden.berge@logius.nl</span></a><u><span lang="FR" style="font-size:9.0pt;color:#0563C1;mso-fareast-language:NL"><br>
</span></u><a href="http://www.logius.nl/"><span lang="FR" style="font-size:9.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:NL">www.logius.nl</span></a><u><span lang="FR" style="color:#0563C1;mso-fareast-language:NL"><o:p></o:p></span></u></p>
<p class="MsoNormal"><span lang="FR" style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F4E79;mso-fareast-language:NL"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="FR" style="font-size:9.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:NL">workdays Mo-Tue & Thu-Fri<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:9.0pt;font-family:"Verdana",sans-serif;mso-fareast-language:NL">........................................................................<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>