<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=windows-1251"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Cambria;
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
h3
        {mso-style-priority:9;
        mso-style-link:"Heading 3 Char";
        margin-top:12.0pt;
        margin-right:0in;
        margin-bottom:3.0pt;
        margin-left:0in;
        text-align:justify;
        page-break-after:avoid;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.Heading3Char
        {mso-style-name:"Heading 3 Char";
        mso-style-priority:9;
        mso-style-link:"Heading 3";
        font-family:"Times New Roman","serif";
        font-weight:bold;}
p.line874, li.line874, div.line874
        {mso-style-name:line874;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.line862, li.line862, div.line862
        {mso-style-name:line862;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.EmailStyle20
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
span.apple-converted-space
        {mso-style-name:apple-converted-space;}
span.EmailStyle22
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:1107701490;
        mso-list-type:hybrid;
        mso-list-template-ids:1161742168 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
        {mso-level-text:"%1\)";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Hi everyone, <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=line874 style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;background:white'><span style='font-family:"Cambria","serif";color:black'>Because ICANN will begin the process of issuing new generic Top Level Domains (gTLDs) in 2012, certain Certificates for non-public names will need to be revoked on an accelerated schedule in order to prevent collisions and possible MITM attacks on newly registered domains.  ICANN is primarily concerned about the number of *.gTLD certificates that CAs have previously issued.   For example, *.XXX may exist despite .XXX being approved for registration back in 2010.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Cambria","serif"'>The attached motion is intended to eliminate erratic use of wildcard characters and mitigate the ICANN security concerns while providing a transition period for affected customers.  
I’m looking for an additional endorser.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Cambria","serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Cambria","serif"'>----------------<o:p></o:p></span></p><h3 style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in'><span style='font-family:"Cambria","serif";font-weight:normal'><o:p> </o:p></span></h3><h3 style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in'><span style='font-family:"Cambria","serif";font-weight:normal'>Jeremy Rowley made the following motion, and Rick Andrews  and ______________  endorsed it:<o:p></o:p></span></h3><h3 style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in'><span style='font-family:"Cambria","serif";font-weight:normal'>---- Motion Begins ----<o:p></o:p></span></h3><h3 style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in'><span style='font-family:"Cambria","serif";font-weight:normal'>---- Erratum Begins ----<o:p></o:p></span></h3><h3 style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in'><a name="_Toc310247246"></a><a name="_Ref273699070"></a><a name="_Ref281487439"></a><span style='font-family:"Cambria","serif";font-weight:normal'>Add the following as new Section 11.1.3:</span><span style='font-family:"Cambria","serif";font-weight:normal'><o:p></o:p></span></h3><h3 style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in'><span style='font-family:"Cambria","serif"'>11.1    Authorization by Domain Name Registrant <o:p></o:p></span></h3><h3 style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in'><span style='font-family:"Cambria","serif"'>11.1.3 Wildcard Domain Validation<o:p></o:p></span></h3><p class=line874 
style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;background:white'><span style='font-family:"Cambria","serif";color:black'>Before issuing a certificate with a wildcard character (*) in a CN or subjectAltName of type DNS-ID, the CA MUST establish and follow a documented procedure† that determines if the wildcard character occurs in the first label position to the left of a “registry-controlled” label or “public suffix” (e.g. “*.com”, “*.co.uk”, see RFC 6454 Section 8.2 for further explanation).<o:p></o:p></span></p><p class=line874 style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;background:white'><span style='font-family:"Cambria","serif";color:black'>If a wildcard would fall within the label immediately to the left of a registry-controlled† or public suffix, CAs MUST refuse issuance unless the applicant proves its rightful control of the entire Domain Namespace. (e.g. CAs MUST NOT issue “*.co.uk” or “*.local”, but MAY issue “*.example.com” to Example Co.).  <o:p></o:p></span></p><p class=line874 style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;background:white'><span style='font-family:"Cambria","serif";color:black'>Prior to September 1, 2013, each CA MUST revoke any valid certificate that does not comply with this section of the Requirements.<o:p></o:p></span></p><p class=line862 style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in;background:white'><span style='font-family:"Cambria","serif";color:black'>†Determination of what is “registry-controlled” versus  the registerable portion of a </span><span style='font-family:"Cambria","serif"'>Country Code Top-Level Domain Namespace <span style='color:black'>is not standardized at the time of writing and is not a property of the DNS itself. 
Current best practice is to consult a “public suffix list” such as<span class=apple-converted-space> </span></span></span><a href="http://publicsuffix.org/"><span style='font-family:"Cambria","serif";border:none windowtext 1.0pt;padding:0in'>http://publicsuffix.org/</span></a><span style='font-family:"Cambria","serif";color:black'>.  If the process for making this determination is standardized by an RFC, then such a procedure SHOULD be preferred.</span><span style='font-family:"Cambria","serif"'><o:p></o:p></span></p><h3 style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in'><span style='font-family:"Cambria","serif";font-weight:normal'>Add the following as new Section 11.1.4:<o:p></o:p></span></h3><h3 style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in'><span style='font-family:"Cambria","serif"'>11.1.4 New gTLD Domains<o:p></o:p></span></h3><p class=line874 style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;background:white'><span style='font-family:"Cambria","serif";color:black'>Prior to issuing a Certificate containing an Internal Server Name with a gTLD that ICANN has announced as under consideration to make operational, the CA MUST provide a warning to the applicant that the gTLD may soon become resolvable and that, at that time, the CA will revoke the Certificate unless the applicant promptly registers the domain name. 
CAs SHOULD NOT issue Certificates containing a new gTLD under consideration by ICANN.<o:p></o:p></span></p><p class=line874 style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;background:white'><span style='font-family:"Cambria","serif";color:black'>Within 30 days after a CA is made aware that ICANN approved a </span><span style='font-family:"Cambria","serif"'>new gTLD for operation:<o:p></o:p></span></p><p class=line874 style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l0 level1 lfo2;background:white'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>1)<span style='font:7.0pt "Times New Roman"'>     </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Each CA MUST compare the new gTLD against the CA’s records of valid certificates. <o:p></o:p></span></p><p class=line874 style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l0 level1 lfo2;background:white'><![if !supportLists]><span style='font-family:"Cambria","serif";color:black'><span style='mso-list:Ignore'>2)<span style='font:7.0pt "Times New Roman"'>     </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>If a valid certificate contains a FQDN whose public suffix is the same as the <span style='color:black'>new gTLD, the CA MUST re-verify that the Subscriber is either the Domain Name Registrant or has control over the FQDN in accordance with Section 11.1.  
<o:p></o:p></span></span></p><p class=line874 style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l0 level1 lfo2;background:white'><![if !supportLists]><span style='font-family:"Cambria","serif";color:black'><span style='mso-list:Ignore'>3)<span style='font:7.0pt "Times New Roman"'>     </span></span></span><![endif]><span style='font-family:"Cambria","serif";color:black'>The CA MUST revoke a Certificate containing a Domain Name that includes the new gTLD if the Subscriber is not the Domain Name Registrant and the Subscriber cannot demonstrate control over the domain within 60 days after the new gTLD becomes publicly resolvable in the DNS. <o:p></o:p></span></p><h3 style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in'><span style='font-family:"Cambria","serif";font-weight:normal'>---- Motion Ends ----<o:p></o:p></span></h3><h3 style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in'><span style='font-family:"Cambria","serif";font-weight:normal'>---- Erratum Ends ----<o:p></o:p></span></h3><p class=line874 style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;background:white'><span style='font-family:"Cambria","serif"'>Thanks,<o:p></o:p></span></p><p class=MsoNormal>Jeremy<o:p></o:p></p></div></body></html>
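One way a CA could implement the checks in proposed Sections 11.1.3 and 11.1.4 (steps 1 and 2), as an added example that is not part of the original message or the motion. The function names, the sample suffix rules and the certificate records are constructed for illustration; a real deployment would load the full list from publicsuffix.org, including its exception rules.

```python
# Added example: constructed data throughout.
# Assumption: the real public suffix list also has "!" exception rules,
# which this small sample omits.
SAMPLE_SUFFIX_RULES = {"com", "uk", "co.uk", "xxx", "*.ck"}


def _labels(name):
    return name.lower().rstrip(".").split(".")


def is_public_suffix(name, rules=SAMPLE_SUFFIX_RULES):
    """True if `name` is a registry-controlled / public suffix."""
    labels = _labels(name)
    if len(labels) == 1:
        # Default rule "*": any single label (a TLD, or an internal
        # name such as "local") counts as a suffix.
        return True
    if ".".join(labels) in rules:
        return True
    # Wildcard rule, e.g. "*.ck" makes "anything.ck" a suffix.
    return "*." + ".".join(labels[1:]) in rules


def check_wildcard(dns_id, controls_namespace=False, rules=SAMPLE_SUFFIX_RULES):
    """Section 11.1.3 test for one CN or DNS-ID value."""
    labels = _labels(dns_id)
    for i, label in enumerate(labels):
        if "*" not in label:
            continue
        parent = ".".join(labels[i + 1:])
        # Wildcard directly left of a suffix (or with nothing to its
        # right): refuse unless namespace control has been proven.
        if not parent or is_public_suffix(parent, rules):
            return "allow" if controls_namespace else "refuse"
    return "allow"


def certs_to_reverify(new_gtld, valid_certs):
    """Section 11.1.4 steps 1-2: serials of valid certificates holding a
    name under `new_gtld`. Simplification: a brand-new gTLD has no
    sub-rules, so the name's public suffix is its last label."""
    gtld = new_gtld.lower().strip(".")
    return sorted(serial for serial, names in valid_certs.items()
                  if any(_labels(n)[-1] == gtld for n in names))


# Constructed certificate records: serial -> names in the certificate.
SAMPLE_CERTS = {
    "01": ["www.example.com"],
    "02": ["mail.corp", "*.corp"],
    "03": ["intranet.xxx"],
}
```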