<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>My original ask was to clarify the timeline for customers dealing with this. If we changed “120 days from the time the contract was signed” to “60 days from the time the TLD was delegated” or even “30 days from the time the TLD was delegated”, that would be a lot more fair, transparent and easy to understand for customers and CAs alike.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>-Rick<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Ryan Sleevi [mailto:sleevi@google.com] <br><b>Sent:</b> Thursday, February 06, 2014 10:50 AM<br><b>To:</b> Gervase Markham<br><b>Cc:</b> Rick Andrews; public@cabforum.org<br><b>Subject:</b> Re: [cabfpub] Refinement of gTLD requirements<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On Thu, Feb 6, 2014 at 5:46 AM, Gervase Markham <<a href="mailto:gerv@mozilla.org" target="_blank">gerv@mozilla.org</a>> wrote:<o:p></o:p></p><div><p class=MsoNormal style='margin-bottom:12.0pt'>On 31/01/14 21:55, Ryan Sleevi wrote:<br>> I would expect you to at least be re-issuing the certificate, since the<br>> original certificate's domain validation procedures clearly failed the<br>> requirements of 11.1.1 with respect to the "new" gTLD, and I would still<br>> expect the previous certificate to be revoked.<o:p></o:p></p></div><p class=MsoNormal>Ryan,<br><br>Are you sure about this? My understanding was that we were attempting to<br>create a safe overlap so that such certificates would not all need to be<br>revoked.<br><br>As an example, if BigCorp had an internal network which used ".bigcorp",<br>and if they were to succeed in getting ".bigcorp" (indeed, this could be<br>the sole reason they forked out $300K to get it, to avoid the 2015<br>internal-certocalypse), then we would not want every certificate they<br>are using internally, which may number in the thousands, to have to be<br>revoked and reissued (potentially, bit-for-bit identically).<br><br>Gerv<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Gerv,<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I do view such revocations as desirable, or at least requiring further clarification within the BRs if we're not going to require it.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>In particular, I'm concerned for the situation of CAs that have issued "purely internal" certificates to BigCorp, which may not be BR compliant, on the liberal interpretation that the Scope (Section 1 of BRs 1.1.6) only applies to "[...] Certificates intended to be used for authenticating servers accessible through the Internet." It's clear that some CAs view a class of issuance as "exempt" from the BRs, as we've seen within the discussions of certain payment providers/POS systems.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I don't think it's sufficient to state something like "Everything else in the cert is BR compliant", since there are a number of other time-gated ("at time of issuance") aspects of the BRs - such as Section 7.1.2.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>A clarification that might avoid revocation:<o:p></o:p></p></div><div><p class=MsoNormal>"Within 120 days after a contract for a new gTLD is published on [<a href="http://www.icann.org">www.icann.org</a>], CAs MUST revoke each Certificate containing a Domain Name that includes the new gTLD unless the CA can demonstrate the certificate is compliant with all requirements of this document if the certificate issuance date were treated as being on or after such contract publication."<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Of course, this opens up a new issue - namely, that if the BRs have tightened since the (intranet) certificate was issued, such a certificate may no longer be compliant. Wordsmithing welcome.<o:p></o:p></p></div></div></div></div></body></html>