<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.hoenzb
{mso-style-name:hoenzb;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>That’s the first time I’ve heard that interpretation, and I don’t think that is what’s inferred by the BRs: “the CA MUST provide a warning to the applicant that the gTLD may soon become resolvable and that, at that time, the CA will revoke the Certificate unless the applicant promptly registers the domain name.”<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I’d like to hear how others have interpreted this.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>-Rick<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Ryan Sleevi [mailto:sleevi@google.com] <br><b>Sent:</b> Friday, January 31, 2014 1:56 PM<br><b>To:</b> Rick Andrews<br><b>Cc:</b> Gervase Markham; public@cabforum.org<br><b>Subject:</b> Re: [cabfpub] Refinement of gTLD requirements<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On Fri, Jan 31, 2014 at 1:31 PM, Rick Andrews <<a href="mailto:Rick_Andrews@symantec.com" target="_blank">Rick_Andrews@symantec.com</a>> wrote:<o:p></o:p></p><p class=MsoNormal>Comments inline.<o:p></o:p></p><div><p class=MsoNormal style='margin-bottom:12.0pt'><br>> -----Original Message-----<br>> From: Gervase Markham [mailto:<a href="mailto:gerv@mozilla.org">gerv@mozilla.org</a>]<br>> Sent: Friday, January 31, 2014 2:12 AM<br>> To: Rick Andrews; <a href="mailto:public@cabforum.org">public@cabforum.org</a><br>> Subject: Re: [cabfpub] Refinement of gTLD requirements<br>><br>> On 30/01/14 18:50, Rick Andrews wrote:<br>> > I believe that CA’s cannot determine if the Subscriber is “either the<br>> > Domain Name Registrant or can demonstrate control over the Domain<br>> Name”<br>> > until the domain has been delegated.<br>><br>> Is the information in the "contract signed" email not sufficient to<br>> identify the company concerned? If it is, then in order to determine<br>> that someone is the Domain Name Registrant, you have to ascertain they<br>> work for that company.<br>><br>> If it's not, then we should get ICANN to add more info to those emails.<o:p></o:p></p></div><p class=MsoNormal>No, it's not a question of who to contact, but rather uncertainty about when the domain will be open for registration, and whether the certificate holder will have time to register the domain and prove ownership to the CA before the deadline passes.<o:p></o:p></p><div><p class=MsoNormal style='margin-bottom:12.0pt'><br>> > 1. Checking the page<br>> > _<a href="http://newgtlds.icann.org/en/program-status/delegated-strings_" target="_blank">http://newgtlds.icann.org/en/program-status/delegated-strings_</a><br>> > (updated within one day or two after the delegation happens)<br>> > 2. Checking the page<br>> > _<a href="https://data.iana.org/TLD/tlds-alpha-by-domain.txt_(updated" target="_blank">https://data.iana.org/TLD/tlds-alpha-by-domain.txt_(updated</a><br>> > automatically by IANA)<br>><br>> There is also a mailing list, and a spreadsheet auto-populated from the<br>> mailing list which Mozilla maintains.<br>><br>> > “Within 120 days after the delegation from the public DNS root for a<br>> new<br>> > gTLD<br>><br>> As Ryan says, the choice of "contracted" was intentional.<o:p></o:p></p></div><p class=MsoNormal>I was under the impression that some domains would open for registration and allow the certificate holder to buy the domain. In such cases, the certificate doesn't need to be revoked. We have customers who hope to do that. I'm trying to make that process more clear and straightforward for the certificate holder and the CA.<br><span style='color:#888888'><br><span class=hoenzb>-Rick</span></span><o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I would expect you to at least be re-issuing the certificate, since the original certificate's domain validation procedures clearly failed the requirements of 11.1.1 with respect to the "new" gTLD, and I would still expect the previous certificate to be revoked.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The important aspect is that the domain registries should be able to set their policies, and the only way to allow them the flexibility to evaluate the risk to their operations and make a policy decision on how to balance the risk to their potential registrants is by the contracted date.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div></div></div></div></div></div></body></html>