<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
SSC votes: "Yes".<br>
<br>
Thanks,<br>
M.D.<br>
<br>
On 5/17/2012 9:34 PM, Tim Moses wrote:
<blockquote
cite="mid:5B68A271B9C97046963CB6A5B8D6F62C0236E0@SOTTEXCH10.corp.ad.entrust.com"
type="cite">
<div class="WordSection1">
<p class="line874" style="background:white"><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">Motion:<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">Jeremy
Rowley made the following motion, and Dean Coclin and
Richard Smith endorsed it:<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">...
Motion begins....<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">Effective
immediately.<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">...
Erratum begins ...<o:p></o:p></span></p>
<p class="line867" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<em><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">A.
Replace the definition of "Domain Authorization" in
Section 4 of the Baseline Requirements with the following:</span></em><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black"><o:p></o:p></span></p>
<p class="line862" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">"<strong><span
style="font-family:"Arial","sans-serif"">Domain
Authorization Document</span></strong>: Documentation
provided by, or a CA’s documentation of a communication
with, a Domain Name Registrar, the Domain Name Registrant,
or the person or entity listed in WHOIS as the Domain Name
Registrant (including any private, anonymous, or proxy
registration service) attesting to the authority of an
Applicant to request a Certificate for a specific Domain
Namespace.<o:p></o:p></span></p>
<p class="line867" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<em><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">B.
Add the following new definitions to Section 4 of the
Baseline Requirements:</span></em><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black"><o:p></o:p></span></p>
<p class="line867" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<strong><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">High
Risk Certificate Request</span></strong><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">:
A Request that the CA flags for additional scrutiny by
reference to internal criteria and databases maintained by
the CA, which may include names at higher risk for phishing
or other fraudulent usage, names contained in previously
rejected certificate requests or revoked Certificates, names
listed on the Miller Smiles phishing list or the Google Safe
Browsing list, or names that the CA identifies using its own
risk-mitigation criteria.<o:p></o:p></span></p>
<p class="line867" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<strong><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">Reliable
Data Source</span></strong><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">:
An identification document or source of data used to verify
Subject Identity Information that is generally recognized
among commercial enterprises and governments as reliable,
and which was created by a third party for a purpose other
than the Applicant obtaining a Certificate."<o:p></o:p></span></p>
<p class="line867" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<em><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">C.
Replace Section 11.1 of the Baseline Requirements with the
following:</span></em><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black"><o:p></o:p></span></p>
<p class="line862" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">"<strong><span
style="font-family:"Arial","sans-serif"">11.1.1
Authorization by Domain Name Registrant</span></strong><o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">For
each Fully-Qualified Domain Name listed in a Certificate,
the CA SHALL confirm that, as of the date the Certificate
was issued, the Applicant either is the Domain Name
Registrant or has control over the FQDN by:<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">1.
Confirming the Applicant as the Domain Name Registrant
directly with the Domain Name Registrar;<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">2.
Communicating directly with the Domain Name Registrant using
an address, email, or telephone number provided by the
Domain Name Registrar;<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">3.
Communicating directly with the Domain Name Registrant using
the contact information listed in the WHOIS record’s
“registrant”, “technical”, or “administrative” field;<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">4.
Communicating with the Domain’s administrator using an email
address created by pre-pending ‘admin’, ‘administrator’,
‘webmaster’, ‘hostmaster’, or ‘postmaster’ in the local
part, followed by the at-sign (“@”), followed by the Domain
Name, which may be formed by pruning zero or more components
from the requested FQDN;<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">5.
Relying upon a Domain Authorization Document;<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">6.
Having the Applicant demonstrate practical control over the
FQDN by making an agreed-upon change to information found on
an online Web page identified by a uniform resource
identifier containing the FQDN; or<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">7.
Using any other method of confirmation, provided that the CA
maintains documented evidence that the method of
confirmation establishes that the Applicant is the Domain
Name Registrant or has control over the FQDN to at least the
same level of assurance as those methods previously
described.<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">Note:
For purposes of determining the appropriate domain name
level or Domain Namespace, the registerable Domain Name is
the second-level domain for generic top-level domains (gTLD)
such as .com, .net, or .org, or, if the Fully Qualified
Domain Name contains a 2 letter Country Code Top-Level
Domain (ccTLD), then the domain level is whatever is allowed
for registration according to the rules of that ccTLD.<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">If
the CA relies upon a Domain Authorization Document to
confirm the Applicant’s control over a FQDN, then the Domain
Authorization Document MUST substantiate that the
communication came from either the Domain Name Registrant
(including any private, anonymous, or proxy registration
service) or the Domain Name Registrar listed in the WHOIS.
The CA MUST verify that the Domain Authorization Document
was either (i) dated on or after the certificate request
date or (ii) used by the CA to verify a previously issued
certificate and that the Domain Name’s WHOIS record has not
been modified since the previous certificate’s issuance.<o:p></o:p></span></p>
<p class="line867" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<strong><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">11.1.2
Authorization for an IP Address</span></strong><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black"><o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">For
each IP Address listed in a Certificate, the CA SHALL
confirm that, as of the date the Certificate was issued, the
Applicant has control over the IP Address by:<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">1.
Having the Applicant demonstrate practical control over the
IP Address by making an agreed-upon change to information
found on an online Web page identified by a uniform resource
identifier containing the IP Address;<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">2.
Obtaining documentation of IP address assignment from the
Internet Assigned Numbers Authority (IANA) or a Regional
Internet Registry (RIPE, APNIC, ARIN, AfriNIC, LACNIC);<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">3.
Performing a reverse-IP address lookup and then verifying
control over the resulting Domain Name under Section 11.1.1;
or<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">4.
Using any other method of confirmation, provided that the CA
maintains documented evidence that the method of
confirmation establishes that the Applicant has control over
the IP Address to at least the same level of assurance as
the methods previously described."<o:p></o:p></span></p>
<p class="line867" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<em><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">D.
Replace Section 11.3 of the Baseline Requirements with the
following:</span></em><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black"><o:p></o:p></span></p>
<p class="line862" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">"<strong><span
style="font-family:"Arial","sans-serif"">11.3 Age of
Certificate Data</span></strong><o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">Section
9.4 limits the validity period of Subscriber Certificates.
The CA MAY use the documents and data provided in Section 11
to verify certificate information, provided that the CA
obtained the data or document from a source specified under
Section 11 no more than thirty-nine (39) months prior to
issuing the certificate."<o:p></o:p></span></p>
<p class="line867" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<em><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">E.
Replace Section 11.5 of the Baseline Requirements with the
following:</span></em><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black"><o:p></o:p></span></p>
<p class="line862" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">"<strong><span
style="font-family:"Arial","sans-serif"">11.5 High
Risk Requests</span></strong><o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">The
CA SHALL develop, maintain, and implement documented
procedures that identify and require additional verification
activity for High Risk Certificate Requests prior to the
Certificate’s approval, as reasonably necessary to ensure
that such requests are properly verified under these
Requirements."<o:p></o:p></span></p>
<p class="line867" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<em><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">F.
Replace Section 11.6 of the Baseline Requirements with the
following:</span></em><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black"><o:p></o:p></span></p>
<p class="line867" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<strong><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">11.6
Data Source Accuracy</span></strong><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black"><o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">Prior
to using any data source as a Reliable Data Source, the CA
SHALL evaluate the source for its reliability, accuracy, and
resistance to alteration or falsification. The CA SHOULD
consider the following during its evaluation:<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">1)
The age of the information provided,<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">2)
The frequency of updates to the information source,<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">3)
The data provider and purpose of the data collection,<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">4)
The public accessibility of the data availability, and<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">5)
the relative difficulty in falsifying or altering the data.<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">Databases
maintained by the CA, its owner, or its affiliated companies
do not qualify as a Reliable Data Source if the primary
purpose of the database is to collect information for the
purpose of fulfilling the validation requirements under
Section 11.<o:p></o:p></span></p>
<p class="line867" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<em><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">G.
Replace Section 14.2.1 of the Baseline Requirements with
the following:</span></em><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black"><o:p></o:p></span></p>
<p class="line862" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">"<strong><span
style="font-family:"Arial","sans-serif"">14.2.1
General</span></strong><o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">The
CA MAY delegate the performance of all, or any part, of
Section 11 of these Requirements to a Delegated Third Party,
provided that the process as a whole fulfills all of the
requirements of Section 11. Before the CA authorizes a
Delegated Third Party to perform a delegated function, the
CA SHALL contractually require the Delegated Third Party to:<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">1)
Meet the qualification requirements of Section 14.1, when
applicable to the delegated function;<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">2)
Retain documentation in accordance with Section 15.3.2;<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">3)
Abide by the other provisions of these Requirements that are
applicable to the delegated function; and<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">4)
Comply with (a) the CA’s Certificate Policy/Certification
Practice Statement or (b) the Delegated Third Party’s
practice statement that the CA has verified complies with
these Requirements.<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">The
CA SHALL verify that the Delegated Third Party’s personnel
involved in the issuance of a Certificate meet the training
and skills requirements of Section 14 and the document
retention and event logging requirements of Section 15.<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">If
a Delegated Third Party fulfills any of the CA’s obligations
under Section 11.5 (High Risk Requests), the CA SHALL verify
that the process used by the Delegated Third Party to
identify and further verify High Risk Certificate Requests
provides at least the same level of assurance as the CA’s
own processes."<o:p></o:p></span></p>
<p class="line867" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<em><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">H.
Replace Section 11.2.1 of the Baseline Requirements with
the following:</span></em><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black"><o:p></o:p></span></p>
<p class="line862" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">"<strong><span
style="font-family:"Arial","sans-serif"">11.2.1
Identity</span></strong><o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">If
the Subject Identity Information is to include the name or
address of an organization, the CA SHALL verify the identity
and address of the organization and that the address is the
Applicant’s address of existence or operation.<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">The
CA SHALL verify the identity and address of the Applicant
using documentation provided by, or through communication
with, at least one of the following:<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">1.
A government agency in the jurisdiction of the Applicant’s
legal creation, existence, or recognition;<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">2.
A third party database that is periodically updated and
considered a Reliable Data Source;<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">3.
A site visit by the CA or a third party who is acting as an
agent for the CA; or<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">4.
An Attestation Letter.<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">The
CA MAY use the same documentation or communication described
in 1 through 4 above to verify both the Applicant’s identity
and address.<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">Alternatively,
the CA MAY verify the address of the Applicant (but not the
identity of the Applicant) using a utility bill, bank
statement, credit card statement, government-issued tax
document, or other form of identification that the CA
determines to be reliable."<o:p></o:p></span></p>
<p class="line867" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<em><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">I.
Replace Section 11.2.2 of the Baseline Requirements with
the following:</span></em><span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black"><o:p></o:p></span></p>
<p class="line862" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">"<strong><span
style="font-family:"Arial","sans-serif"">11.2.2
DBA/Tradename</span></strong><o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">If
the Subject Identity Information is to include a DBA or
tradename, the CA SHALL verify the Applicant’s right to use
the DBA/tradename using at least one of the following:<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">1.
Documentation provided by, or communication with, a
government agency in the jurisdiction of the Applicant’s
legal creation, existence, or recognition;<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">2.
A Reliable Data Source;<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:"Arial","sans-serif";color:black">3.
Communication with a government agency responsible for the
management of such DBAs or tradenames;<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:'Arial','sans-serif';color:black">4.
An Attestation Letter accompanied by reliable documentary
support; or<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:'Arial','sans-serif';color:black">5.
A utility bill, bank statement, credit card statement,
government-issued tax document, or other form of
identification that the CA determines to be reliable."<o:p></o:p></span></p>
<p class="line867" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<em><span
style="font-size:13.0pt;font-family:'Arial','sans-serif';color:black">J.
Replace Section 11.2.4 of the Baseline Requirements with
the following:</span></em><span
style="font-size:13.0pt;font-family:'Arial','sans-serif';color:black"><o:p></o:p></span></p>
<p class="line862" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:'Arial','sans-serif';color:black">"<strong><span
style="font-family:'Arial','sans-serif'">11.2.4
Verification of Individual Applicant</span></strong><o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:'Arial','sans-serif';color:black">If
an Applicant subject to this Section 11.2 is a natural
person, then the CA SHALL verify the Applicant’s name,
Applicant’s address, and the authenticity of the certificate
request.<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:'Arial','sans-serif';color:black">The
CA SHALL verify the Applicant’s name using a legible copy,
which discernibly shows the Applicant’s face, of at least
one currently valid government-issued photo ID (passport,
drivers license, military ID, national ID, or equivalent
document type). The CA SHALL inspect the copy for any
indication of alteration or falsification.<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:'Arial','sans-serif';color:black">The
CA SHALL verify the Applicant’s address using a form of
identification that the CA determines to be reliable, such
as a government ID, utility bill, or bank or credit card
statement. The CA MAY rely on the same government-issued ID
that was used to verify the Applicant’s name.<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:'Arial','sans-serif';color:black">The
CA SHALL verify the certificate request with the Applicant
using a Reliable Method of Communication."<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:'Arial','sans-serif';color:black">...
Erratum ends ...<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:'Arial','sans-serif';color:black">The
ballot review period comes into effect at 21:00 UTC on 17
May 2012 and will close at 21:00 UTC on 24 May 2012. Unless
the motion is withdrawn during the review period, the voting
period will start immediately thereafter and will close at
21:00 UTC on 31 May 2012. Votes must be cast by “reply all”
to this email.<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:'Arial','sans-serif';color:black">A
vote in favor of the motion must indicate a clear 'yes' in
the response. A vote against must indicate a clear 'no' in
the response. A vote to abstain must indicate a clear
'abstain' in the response. Unclear responses will not be
counted. The latest vote received from any representative of
a voting member before the close of the voting period will
be counted.<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:'Arial','sans-serif';color:black">...
Motion ends ...<o:p></o:p></span></p>
<p class="line862" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:'Arial','sans-serif';color:black">Voting
members are listed here:<span class="apple-converted-space"> </span><a
moz-do-not-send="true"
href="http://www.cabforum.org/forum.html"><span
style="border:none windowtext 1.0pt;padding:0in">http://www.cabforum.org/forum.html</span></a><span
class="apple-converted-space"> </span>with the addition of<span
class="apple-converted-space"> </span><a
moz-do-not-send="true"
href="https://www.cabforum.org/wiki/TrendMicro"><span
style="color:gray;border:none windowtext
1.0pt;padding:0in">TrendMicro</span></a> and E-TUGRA.<o:p></o:p></span></p>
<p class="line874" style="background:white;orphans:
2;text-align:-webkit-auto;widows: 2;-webkit-text-size-adjust:
auto;-webkit-text-stroke-width: 0px;word-spacing:0px">
<span
style="font-size:13.0pt;font-family:'Arial','sans-serif';color:black">In
order for the motion to be adopted, two thirds or more of
the votes cast by members in the CA category and one half or
more of the votes cast by members in the browser category
must be in favour. Also, at least seven members must
participate in the ballot, either by voting in favour,
voting against or abstaining.<o:p></o:p></span></p>
<p class="MsoNormal">T: +1 613 270 3183<o:p></o:p></p>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="http://cabforum.org/mailman/listinfo/public">http://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
</body>
</html>