<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
On 02/05/2013 11:39 PM, From Jeremy Rowley:
<blockquote cite="mid:048c01ce03e9$401ba560$c052f020$@digicert.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
p.line874, li.line874, div.line874
{mso-style-name:line874;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.line862, li.line862, div.line862
{mso-style-name:line862;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">Jeremy Rowley made the following motion,
and Rick Andrews and Steve Roylance endorsed it:<o:p></o:p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<br>
StartCom votes NO. <br>
<br>
Explanation - the proposed change regarding the wild cards is
redundant since the CA is required to confirm a domain control or
ownership of the relevant domain name. Since no *.com validation
should be possible, the proposed safeguards are redundant and not
necessary.<br>
<br>
Regarding the proposed change in respect to new generic TLDs, since
no domain control validation could have been performed by the CA in
the past for any non-existing TLD, we believe certificates
containing such non-existing TLDs shouldn't be issued in first
place. Also such certificates will be disallowed in the future
according to the BR itself and we believe that this practice should
have been abolished in the past already.<br>
<br>
We don't think it's wise to give any exclusions at all and this
process and proposed change to the BR is suspect to be prone to
failures and mistakes. Therefore we cannot support this ballot.<br>
<br>
<blockquote cite="mid:048c01ce03e9$401ba560$c052f020$@digicert.com"
type="cite">
<div class="WordSection1"><o:p></o:p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Add the following as new Section 11.1.3:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">11.1 Authorization by Domain Name
Registrant <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">11.1.3 Wildcard Domain Validation<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Before issuing a certificate with a
wildcard character (*) in a CN or subjectAltName of type
DNS-ID, the CA MUST establish and follow a documented
procedure† that determines if the wildcard character occurs in
the first label position to the left of a
“registry-controlled” label or “public suffix” (e.g. “*.com”,
“*.co.uk”, see RFC 6454 Section 8.2 for further explanation).<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">If a wildcard would fall within the label
immediately to the left of a registry-controlled† or public
suffix, CAs MUST refuse issuance unless the applicant proves
its rightful control of the entire Domain Namespace. (e.g. CAs
MUST NOT issue “*.co.uk” or “*.local”, but MAY issue
“*.example.com” to Example Co.). <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Prior to September 1, 2013, each CA MUST
revoke any valid certificate that does not comply with this
section of the Requirements.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">†Determination of what is
“registry-controlled” versus the registerable portion of a
Country Code Top-Level Domain Namespace is not standardized at
the time of writing and is not a property of the DNS itself.
Current best practice is to consult a “public suffix list”
such as <a class="moz-txt-link-freetext" href="http://publicsuffix.org/">http://publicsuffix.org/</a>. If the process for making
this determination is standardized by an RFC, then such a
procedure SHOULD be preferred.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Add the following as new Section 11.1.4:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">11.1.4 New gTLD Domains<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">CAs SHOULD NOT issue Certificates
containing a new gTLD under consideration by ICANN. Prior to
issuing a Certificate containing an Internal Server Name with
a gTLD that ICANN has announced as under consideration to make
operational, the CA MUST provide a warning to the applicant
that the gTLD may soon become resolvable and that, at that
time, the CA will revoke the Certificate unless the applicant
promptly registers the domain name. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Within 30 days after ICANN has approved a
new gTLD for operation, as evidenced by publication of a
contract with the gTLD operator on [<a class="moz-txt-link-abbreviated" href="http://www.icann.org">www.icann.org</a>] each CA
MUST (1) compare the new gTLD against the CA’s records of
valid certificates and (2) cease issuing Certificates
containing a Domain Name that includes the new gTLD until
after the CA has first verified the Subscriber's control over
or exclusive right to use the Domain Name in accordance with
Section 11.1.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Within 120 days after the publication of a
contract for a new gTLD is published on [<a class="moz-txt-link-abbreviated" href="http://www.icann.org">www.icann.org</a>], CAs
MUST revoke each Certificate containing a Domain Name that
includes the new gTLD unless the Subscriber is either the
Domain Name Registrant or can demonstrate control over the
Domain Name.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">... Erratum Ends ...<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p><br>
</p>
</div>
</blockquote>
<br>
<br>
<div class="moz-signature">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, COO/CTO</td>
</tr>
<tr>
<td> </td>
<td><a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>XMPP: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Twitter: </td>
<td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
<br>
</body>
</html>