<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>All,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Last week the EV Working Group asked to put proposed Ballot 120 forward to the Forum’s agenda for discussion during the teleconference this Thursday. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Here is the proposed text.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='text-autospace:none'><b><u>Ballot 120 - Affiliate Authority to Verify Domain<o:p></o:p></u></b></p><p class=MsoNormal style='text-autospace:none'><b><u><o:p><span style='text-decoration:none'> </span></o:p></u></b></p><p class=MsoNormal><b><u>Reasons for proposed ballot<o:p></o:p></u></b></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Ballot 72 in May 2012 reorganized the EV Guidelines by moving certain definitions and common provisions to the Baseline Requirements and replacing them with cross references to the Baseline Requirements. In July 2013, Ballot 104 was a similar replacement with a cross reference to avoid unnecessary duplication between the two sets of guidelines , but it inadvertently removed domain verification through a parent or subsidiary from EV Guidelines Sec. 11.6.2 (now renumbered as EVGL 11.6.1), which had listed it as part of the allowed verification process. Ballot 104 essentially deleted the separately listed EVGL 11.6.2 methods for verifying domain ownership, and instead inserted a cross-reference to the methods of verifying domain ownership in BR 11.1.1 (except for subsection (7) – “any other method of confirmation” – which was not deemed reliable enough for EV). <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>There was no discussion to indicate that the removal was intentional, and no one caught the mistake during the review period. (If you want to see EVGL 11.6.2 before the changes deleting the former parent/subsidiary language, see <a href="https://cabforum.org/wp-content/uploads/EV-V1_4_2.pdf">https://cabforum.org/wp-content/uploads/EV-V1_4_2.pdf</a>.) <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Because Ballot 104 inadvertently wiped out the ability to rely on parent-subsidiary/affiliate ownership of domains for all types of certs, previously only found in EVGL 11.6.2, the EV WG determined that corrections to both the EVGL and BR are needed. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>“Affiliate” was copied over to the BR definitions and removed from the EVGL, but other related definitions were not. We allow use of “affiliate” data for EV vetting in other contexts, and many CAs have applied the parent-subsidiary/affiliate rule in former EVGL 11.6.2 to vetting domains for both DV and OV certs, on the grounds that some companies have specially designated affiliates for holding intellectual property, like domain names, and also if the domain vetting method was good enough for EV certs, it was good enough for DV and OV certs as well.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Ballot 120 would simply restore the prior rule of former EVGL 11.6.2, inadvertently wiped out by Ballot 104, and fix the copying and updating of definitions that were not done in Ballot 72. This will clarify that (1) domain ownership by a parent, subsidiary, or affiliate (under both the BRs and EVGL) would again be sufficient to let a customer obtain a certificate for its domain, and (2) ensure the corrected rule applies to all classes of server certs – EV, OV, and DV. Ballot 120 is not intended to change prior approved practices for domain confirmation. <o:p></o:p></p><p class=MsoNormal style='text-autospace:none'><b><u><o:p><span style='text-decoration:none'> </span></o:p></u></b></p><p class=MsoNormal style='text-autospace:none'><b>---MOTION BEGINS---<o:p></o:p></b></p><p class=MsoNormal style='text-autospace:none'><b><u><o:p><span style='text-decoration:none'> </span></o:p></u></b></p><p class=MsoNormal style='text-autospace:none'>The Baseline Requirements would be amended as follows:<o:p></o:p></p><p class=MsoNormal style='text-autospace:none'><o:p> </o:p></p><p class=MsoNormal style='text-autospace:none'><b>(1) MOVE definitions </b>for “Control”, “Country”, “Parent Company,” “Sovereign State,” and “Subsidiary Company” from the EV Guidelines to the Baseline Requirements, and<o:p></o:p></p><p class=MsoNormal style='text-autospace:none'><b> <o:p></o:p></b></p><p class=MsoNormal style='text-autospace:none'><b>DELETE the following definitions from the EV Guidelines as redundant</b> (because the definitions already exist or will exist in the Baseline Requirements):<o:p></o:p></p><p class=MsoNormal style='text-autospace:none'><o:p> </o:p></p><p class=MsoNormal style='text-autospace:none'>“Control”, “Country”, “Government Entity,” “Parent Company,” “Sovereign State,” and “Subsidiary Company” ;<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='text-autospace:none'><b>(2) Amend BR 11.1.1 to read as follows:<o:p></o:p></b></p><p class=MsoNormal style='text-autospace:none'><o:p> </o:p></p><p class=MsoNormal style='margin-left:.25in;text-autospace:none'><u>BR 11.1.1 Authorization by Domain Name Registrant<o:p></o:p></u></p><p class=MsoNormal style='margin-left:.25in;text-autospace:none'><i><o:p> </o:p></i></p><p class=MsoNormal style='margin-left:.25in;text-autospace:none'>For each Fully-Qualified Domain Name listed in a Certificate, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant <b><u><span style='color:red'>(or the Applicant’s Parent Company, Subsidiary Company, or Affiliate, collectively referred to as “Applicant” for the purposes of this section)</span></u></b><span style='color:red'> </span>either is the Domain Name Registrant or has control over the FQDN by:<o:p></o:p></p><p class=MsoNormal style='margin-left:.25in;text-autospace:none'><o:p> </o:p></p><p class=MsoNormal style='margin-left:.25in;text-autospace:none'>1. Confirming the Applicant as the Domain Name Registrant directly with the Domain Name Registrar;<o:p></o:p></p><p class=MsoNormal style='margin-left:.25in;text-autospace:none'><o:p> </o:p></p><p class=MsoNormal style='margin-left:.25in;text-autospace:none'>2. Communicating directly with the Domain Name Registrant using an address, email, or telephone number provided by the Domain Name Registrar;<o:p></o:p></p><p class=MsoNormal style='margin-left:.25in;text-autospace:none'><o:p> </o:p></p><p class=MsoNormal style='margin-left:.25in;text-autospace:none'>3. Communicating directly with the Domain Name Registrant using the contact information listed in the WHOIS record’s “registrant”, “technical”, or “administrative” field;<o:p></o:p></p><p class=MsoNormal style='margin-left:.25in;text-autospace:none'><o:p> </o:p></p><p class=MsoNormal style='margin-left:.25in;text-autospace:none'>4. Communicating with the Domain’s administrator using an email address created by pre-pending ‘admin’, ‘administrator’, ‘webmaster’, ‘hostmaster’, or ‘postmaster’ in the local part, followed by the at-sign (“@”), followed by the Domain Name, which may be formed by pruning zero or more components from the requested FQDN;<o:p></o:p></p><p class=MsoNormal style='margin-left:.25in;text-autospace:none'><o:p> </o:p></p><p class=MsoNormal style='margin-left:.25in;text-autospace:none'>5. Relying upon a Domain Authorization Document;<o:p></o:p></p><p class=MsoNormal style='margin-left:.25in;text-autospace:none'><o:p> </o:p></p><p class=MsoNormal style='margin-left:.25in;text-autospace:none'>6. Having the Applicant demonstrate practical control over the FQDN by making an agreed-upon change to information found on an online Web page identified by a uniform resource identifier containing the FQDN; or<o:p></o:p></p><p class=MsoNormal style='margin-left:.25in;text-autospace:none'><o:p> </o:p></p><p class=MsoNormal style='margin-left:.25in;text-autospace:none'>7. Using any other method of confirmation, provided that the CA maintains documented evidence that the method of confirmation establishes that the Applicant is the Domain Name Registrant or has control over the FQDN to at least the same level of assurance as those methods previously described. *** <o:p></o:p></p><p class=MsoNormal style='text-autospace:none'><o:p> </o:p></p><p class=MsoNormal style='text-autospace:none'><o:p> </o:p></p><p class=MsoNormal style='page-break-after:avoid;text-autospace:none'><b>(3) Amend EVGL 11.6.1(1) to read as follows:<o:p></o:p></b></p><p class=MsoNormal style='page-break-after:avoid;text-autospace:none'><o:p> </o:p></p><p class=MsoNormal style='margin-left:.25in;text-autospace:none'><u>EVGL 11.6.1 Verification Requirements <o:p></o:p></u></p><p class=MsoNormal style='margin-left:.25in;page-break-after:avoid;text-autospace:none'><o:p> </o:p></p><p class=MsoNormal style='margin-left:.25in;text-autospace:none'>(1) For each Fully-Qualified Domain Name listed in a Certificate, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant <b><u><span style='color:red'>(or the Applicant’s Parent Company, Subsidiary Company, or Affiliate, collectively referred to as “Applicant” for the purposes of this section)</span></u></b><span style='color:red'> </span>either is the Domain Name Registrant or has control over the FQDN using a procedure specified in Section 11.1.1 of the Baseline Requirements, except that a CA MAY NOT verify a domain using the procedure described 11.1.1(7). ***<o:p></o:p></p><p class=MsoNormal style='text-autospace:none'><b>---MOTION ENDS---<o:p></o:p></b></p><p class=MsoNormal style='text-autospace:none'><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>