<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-2022-jp">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:-apple-system;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.changed
{mso-style-name:changed;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:12.0pt">TLS and S/MIME BR 6.5.1 state, $B!H(BThe CA SHALL enforce multi$B!>(Bfactor authentication for all accounts capable of directly causing certificate issuance.$B!I(B The same text will also be added to the CSBR, if the latest
ballot passes.<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:-apple-system;color:#1F2328;border:none windowtext 1.0pt;padding:0in">Mozilla Policy 2.1 states, $B!H(BCA operators whose certificates are included in Mozilla's root store MUST enforce multi-factor authentication
for all accounts capable of causing certificate issuance or performing Registration Authority or Delegated Third Party functions, or implement technical controls operated by the CA to restrict certificate issuance through the account to a limited set of pre-approved
domains or email addresses</span><span class="changed"><span style="font-size:12.0pt;font-family:-apple-system;color:#1F2328;background:white">;$B!I(B<o:p></o:p></span></span></p>
<p class="MsoNormal"><span class="changed"><span style="font-size:12.0pt;font-family:-apple-system;color:#1F2328;background:white"><o:p> </o:p></span></span></p>
<p class="MsoNormal"><span class="changed"><span style="font-size:12.0pt;font-family:-apple-system;color:#1F2328;background:white">Should we consider adding text similar to $B!H(B</span></span><span style="font-size:12.0pt;font-family:-apple-system;color:#1F2328;border:none windowtext 1.0pt;padding:0in">or
implement technical controls operated by the CA to restrict certificate issuance through the account to a limited set of pre-approved domains$B!I(B, which would allow the Mozilla requirement to be used for TLS certificates from the CAB Forum$B!G(Bs perspective?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:-apple-system;color:#1F2328;border:none windowtext 1.0pt;padding:0in"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:-apple-system;color:#1F2328;border:none windowtext 1.0pt;padding:0in">If acceptable, similar changes could also be suggested to the S/MIME and Code Signing Working Groups.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:-apple-system;color:#1F2328;border:none windowtext 1.0pt;padding:0in"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:-apple-system;color:#1F2328;border:none windowtext 1.0pt;padding:0in"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:-apple-system;color:#1F2328;border:none windowtext 1.0pt;padding:0in">Thanks, Bruce.</span><o:p></o:p></p>
</div>
<i>Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains.
<u>Please notify Entrust immediately and delete the message from your system.</u></i>
</body>
</html>