<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:"Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1>
<p class=MsoNormal>Hello,</p>
<p class=MsoNormal>I reviewed the meeting minutes [1] of our very productive discussion of the profiles ballot last month and distilled the discussion into the following list of items that have yet to be addressed. Please reply to this message if you know of other items that are still open but aren’t listed.</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>Here are the 11 items I identified from the meeting minutes alongside some proposed text for some items. Several of the items are still open-ended and require further discussion before we can develop concrete text proposals:</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>1. Cross Certificates must have EKUs</p>
<p class=MsoNormal>Move to separate ballot</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>2. First policy OID must be CABF reserved OID</p>
<p class=MsoNormal>Change to a SHOULD, then consider changing to a MUST in "profiles v2.0"</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>3. Changes to Name Constraints</p>
<p class=MsoNormal>Drop specification around sRVNames entirely</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>4. Cross Certificates</p>
<p class=MsoNormal>Current text at <a href="https://github.com/sleevi/cabforum-docs/pull/36/files#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR1856">https://github.com/sleevi/cabforum-docs/pull/36/files#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR1856</a>:</p>
<p class=MsoNormal>"Provided that the Issuing CA has confirmed that the existing CA Certificate was issued in compliance with the then-current version of the Baseline Requirements, the Issuing CA MAY deviate from the requirements in [Section 7.1.4](#714-name-forms) as follows:</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>The encoded `subject` name shall be byte-for-byte identical to the encoded `subject` name of the existing CA Certificate."</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>Does this address the concern surrounding legacy names?</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>5. AKI/SKI</p>
<p class=MsoNormal>AKIs in roots: do we have follow-up for why this should be a SHOULD?</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal><a href="https://github.com/sleevi/cabforum-docs/pull/36/files#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR2797">https://github.com/sleevi/cabforum-docs/pull/36/files#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR2797</a></p>
<p class=MsoNormal>"Uniqueness": RFC 5280 and RFC 7093 make it clear that AKI and SKI values are not security relevant. Why are we mandating this?</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>6. certificatePolicies in OCSP responder certificates</p>
<p class=MsoNormal><a href="https://github.com/sleevi/cabforum-docs/pull/36/files#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR2404">https://github.com/sleevi/cabforum-docs/pull/36/files#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR2404</a></p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>Change the MUST NOT to a SHOULD NOT, or MAY?</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>7. QCStatements as a SHOULD NOT</p>
<p class=MsoNormal><a href="https://github.com/sleevi/cabforum-docs/pull/36/files#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR2260">https://github.com/sleevi/cabforum-docs/pull/36/files#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR2260</a></p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>Change SHOULD NOT to a MAY?</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>8. Serial number</p>
<p class=MsoNormal>"MUST be a number greater than zero (0) and less than 2^159 containing at least 64 bits of output from a CSPRNG."</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>9. Non-TLS CAs</p>
<p class=MsoNormal>This is still very much an open-ended question. We likely will need at least one whole meeting on this topic.</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>10. (Domain Names in Subject Fields requiring DCV, example given was O=SSL.com)</p>
<p class=MsoNormal>Current proposal:</p>
<p class=MsoNormal><a href="https://github.com/sleevi/cabforum-docs/pull/36/files#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR2950">https://github.com/sleevi/cabforum-docs/pull/36/files#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR2950</a></p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>Change to:</p>
<p class=MsoNormal>"Subject commonName attributes MUST NOT..."?</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>11. Backdating</p>
<p class=MsoNormal><a href="https://github.com/sleevi/cabforum-docs/pull/36/files#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR2128">https://github.com/sleevi/cabforum-docs/pull/36/files#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR2128</a></p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>Change Description to "MUST represent time of signature plus or minus 48 hours"?</p>
<p class=MsoNormal>&nbsp;</p>
<p class=MsoNormal>[1] <a href="https://lists.cabforum.org/pipermail/validation/2021-November/001728.html">https://lists.cabforum.org/pipermail/validation/2021-November/001728.html</a></p>
<p class=MsoNormal>&nbsp;</p>
</div></body></html>
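<p class=MsoNormal>The two concrete rules in this list, the serial-number requirement quoted in item 8 and the notBefore window proposed in item 11, are easy to get subtly wrong in issuance code (a 64-bit serial is not the same as 64 bits of CSPRNG output in the serial, and the 2^159 bound is what keeps a positive DER INTEGER inside RFC 5280's 20-octet limit). The following is an added example, not text from the ballot, the linked pull request, or this message; it uses only the Python standard library, treats the 48-hour figure as the proposal it is in item 11 rather than adopted text, and the sample timestamps are constructed.</p>

```python
# Added example (not from the ballot, the PR, or this message): checks for the
# serial-number rule in item 8 and the notBefore window proposed in item 11.
import secrets
from datetime import datetime, timedelta

SERIAL_UPPER_BOUND = 2 ** 159   # item 8: serial MUST be less than 2^159
MIN_CSPRNG_BITS = 64            # item 8: at least 64 bits of CSPRNG output
NOT_BEFORE_WINDOW_HOURS = 48    # item 11 proposal: signing time +/- 48 hours


def der_integer_content_length(n: int) -> int:
    """Octets the DER INTEGER content of a non-negative n occupies.

    DER integers are two's complement, so a value whose top bit is set needs an
    extra leading 0x00 octet. Every value below 2^159 fits in 20 octets, the
    RFC 5280 maximum for serialNumber; 2^159 itself would need 21.
    """
    if n < 0:
        raise ValueError("negative serial numbers are not handled here")
    return n.bit_length() // 8 + 1


def serial_is_compliant(serial: int) -> bool:
    """Item 8: greater than zero and less than 2^159."""
    return 0 < serial < SERIAL_UPPER_BOUND


def generate_serial(random_bits: int = 64, rng=secrets.randbits) -> int:
    """Draw random_bits bits from a CSPRNG and use them directly as the serial.

    Fewer than 64 bits would breach the entropy requirement; more than 159 could
    reach the upper bound. Zero is excluded by the rule, so a zero draw is
    discarded and redrawn. `rng` is injectable only so the redraw path can be
    tested with a fixed sequence; keep the default (secrets.randbits) in use.
    """
    if not MIN_CSPRNG_BITS <= random_bits <= 159:
        raise ValueError("random_bits must be between 64 and 159 inclusive")
    while True:
        candidate = rng(random_bits)
        if candidate > 0:
            return candidate


def _as_datetime(value) -> datetime:
    """Accept a datetime or an ISO 8601 string such as '2021-11-15T12:00:00+00:00'."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def not_before_is_compliant(not_before, signing_time,
                            window_hours: float = NOT_BEFORE_WINDOW_HOURS) -> bool:
    """Item 11 proposed text: notBefore MUST represent the time of signature plus
    or minus 48 hours, checked here as |notBefore - signingTime| <= window."""
    delta = _as_datetime(not_before) - _as_datetime(signing_time)
    return abs(delta) <= timedelta(hours=window_hours)


if __name__ == "__main__":
    serial = generate_serial()
    print(f"serial {serial:#x}: compliant={serial_is_compliant(serial)}, "
          f"DER content octets={der_integer_content_length(serial)}")
    # Boundary values: 2^159 - 1 still encodes in 20 octets, 2^159 needs 21.
    for n in (SERIAL_UPPER_BOUND - 1, SERIAL_UPPER_BOUND):
        print(f"{n.bit_length()} bits -> {der_integer_content_length(n)} octets, "
              f"compliant={serial_is_compliant(n)}")
    # Constructed sample times, not taken from any real certificate.
    signed = "2021-11-15T12:00:00+00:00"
    for nb in ("2021-11-13T12:00:00+00:00", "2021-11-13T11:59:59+00:00"):
        print(f"notBefore {nb}: compliant={not_before_is_compliant(nb, signed)}")
```

<p class=MsoNormal>A linter for issued certificates would apply serial_is_compliant and der_integer_content_length to the parsed serial; not_before_is_compliant needs the signing time from the CA's own records, since the certificate itself carries only notBefore.</p>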