<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Georgia;
panose-1:2 4 5 2 5 4 5 2 3 3;}
@font-face
{font-family:Cambria-BoldItalic;}
@font-face
{font-family:TimesNewRomanPSMT;}
@font-face
{font-family:Cambria-Bold;}
@font-face
{font-family:TimesNewRomanPS-BoldMT;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Thanks, Jason. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Fixes to v.1.1.7 and v.1.1.8 of the Baseline Requirements have been uploaded to the CABF website and wiki.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Ben<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hello,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I noticed a couple of formatting issues in the Baseline Requirements v1.1.7 that have remained in version 1.1.8. Errors are
<span style="background:yellow;mso-highlight:yellow">highlighted</span>. How can we get these fixed?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>Item 1<o:p></o:p></b></p>
<p class="MsoNormal">Section 11.2 has content from section 11.1.4 included in the title.
<o:p></o:p></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="1259" style="width:755.6pt;border-collapse:collapse">
<tbody>
<tr>
<td width="631" valign="top" style="width:378.3pt;border:solid windowtext 1.0pt;background:#D9D9D9;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><b>Current text<o:p></o:p></b></p>
</td>
<td width="629" valign="top" style="width:377.3pt;border:solid windowtext 1.0pt;border-left:none;background:#D9D9D9;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><b>Corrected text<o:p></o:p></b></p>
</td>
</tr>
<tr>
<td width="631" valign="top" style="width:378.3pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-size:13.0pt;font-family:Cambria-Bold">11.1.4 New gTLD Domains<o:p></o:p></span></b></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Times New Roman","serif"">CAs SHOULD NOT issue Certificates containing a new gTLD under consideration by ICANN. Prior to issuing a Certificate containing an Internal
Name with a gTLD that ICANN has announced as under consideration to make operational, the CA MUST provide a warning to the applicant that the gTLD may soon become resolvable and that, at that time, the CA will revoke the Certificate unless the applicant promptly
registers the domain name. When a gTLD is delegated by inclusion in the IANA Root Zone Database, the Internal Name becomes a Domain Name, and at such time, a Certificate with such gTLD, which may have complied with these Requirements at the time it was issued,
will be in a violation of these Requirements, unless the CA has verified the Subscriber’s rights in the Domain Name. The provisions below are intended to prevent such violation from happening.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Times New Roman","serif"">Within 30 days after ICANN has approved a new gTLD for operation, as evidenced by publication of a contract with the gTLD operator on [www.ICANN.org]
each CA MUST (1) compare the new gTLD against the CA’s records of valid certificates and (2) cease issuing Certificates containing a Domain Name that includes the new gTLD until after the CA has first verified the Subscriber's control over or exclusive right
to use the Domain Name in accordance with Section 11.1.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><b><i><span style="font-size:14.0pt;font-family:Cambria-BoldItalic"><o:p> </o:p></span></i></b></p>
<p class="MsoNormal" style="text-autospace:none"><b><i><span style="font-size:14.0pt;font-family:Cambria-BoldItalic">11.2
<span style="background:yellow;mso-highlight:yellow">Within 120 days after the publication of a contract for a new gTLD is published on [www.icann.org], CAs MUST revoke each Certificate containing a Domain Name that includes the new gTLD unless the Subscriber
is either the Domain Name Registrant or can demonstrate control over the Domain Name.</span> Verification of Subject Identity Information<o:p></o:p></span></i></b></p>
<p class="MsoNormal" style="text-autospace:none"><b><i><span style="font-size:14.0pt;font-family:Cambria-BoldItalic"><o:p> </o:p></span></i></b></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Times New Roman","serif"">If the Applicant requests a Certificate that will contain Subject Identity Information comprised only of the countryName field, then the CA
SHALL verify the country associated with the Subject using a verification process meeting the requirements of Section 11.2.5 and that is described in the CA’s Certificate Policy and/or Certification Practice Statement. If the Applicant requests a Certificate
that will contain the countryName field and other Subject Identity Information, then the CA SHALL verify the identity of the Applicant, and the authenticity of the Applicant Representative’s certificate request using a verification process meeting the requirements
of this Section 11.2 and that is described in the CA’s Certificate Policy and/or Certification Practice Statement. The CA SHALL inspect any document relied upon under this Section for alteration or falsification.</span><o:p></o:p></p>
</td>
<td width="629" valign="top" style="width:377.3pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-size:13.0pt;font-family:Cambria-Bold">11.1.4 New gTLD Domains<o:p></o:p></span></b></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Times New Roman","serif"">CAs SHOULD NOT issue Certificates containing a new gTLD under consideration by ICANN. Prior to issuing a Certificate containing an Internal
Name with a gTLD that ICANN has announced as under consideration to make operational, the CA MUST provide a warning to the applicant that the gTLD may soon become resolvable and that, at that time, the CA will revoke the Certificate unless the applicant promptly
registers the domain name. When a gTLD is delegated by inclusion in the IANA Root Zone Database, the Internal Name becomes a Domain Name, and at such time, a Certificate with such gTLD, which may have complied with these Requirements at the time it was issued,
will be in a violation of these Requirements, unless the CA has verified the Subscriber’s rights in the Domain Name. The provisions below are intended to prevent such violation from happening.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Times New Roman","serif"">Within 30 days after ICANN has approved a new gTLD for operation, as evidenced by publication of a contract with the gTLD operator on
<a href="http://www.ICANN.org">www.ICANN.org</a>] each CA MUST (1) compare the new gTLD against the CA’s records of valid certificates and (2) cease issuing Certificates containing a Domain Name that includes the new gTLD until after the CA has first verified
the Subscriber's control over or exclusive right to use the Domain Name in accordance with Section 11.1.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Times New Roman","serif"">Within 120 days after the publication of a contract for a new gTLD is published on [www.icann.org], CAs MUST revoke each Certificate containing
a Domain Name that includes the new gTLD unless the Subscriber is either the Domain Name Registrant or can demonstrate control over the Domain Name.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><b><i><span style="font-size:14.0pt;font-family:Cambria-BoldItalic">11.2 Verification of Subject Identity Information<o:p></o:p></span></i></b></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Times New Roman","serif"">If the Applicant requests a Certificate that will contain Subject Identity Information comprised only of the countryName field, then the CA
SHALL verify the country associated with the Subject using a verification process meeting the requirements of Section 11.2.5 and that is described in the CA’s Certificate Policy and/or Certification Practice Statement. If the Applicant requests a Certificate
that will contain the countryName field and other Subject Identity Information, then the CA SHALL verify the identity of the Applicant, and the authenticity of the Applicant Representative’s certificate request using a verification process meeting the requirements
of this Section 11.2 and that is described in the CA’s Certificate Policy and/or Certification Practice Statement. The CA SHALL inspect any document relied upon under this Section for alteration or falsification.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>Item 2<o:p></o:p></b></p>
<p class="MsoNormal">The exponents in Appendix A are written incorrectly resulting in a change of their value.<o:p></o:p></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse">
<tbody>
<tr>
<td width="631" valign="top" style="width:378.3pt;border:solid windowtext 1.0pt;background:#D9D9D9;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><b>Current text<o:p></o:p></b></p>
</td>
<td width="631" valign="top" style="width:378.3pt;border:solid windowtext 1.0pt;border-left:none;background:#D9D9D9;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal"><b>Corrected text<o:p></o:p></b></p>
</td>
</tr>
<tr>
<td width="631" valign="top" style="width:378.3pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-size:10.0pt;font-family:TimesNewRomanPS-BoldMT">(4) General requirements for public keys<o:p></o:p></span></b></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10.0pt;font-family:TimesNewRomanPSMT">RSA: The CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more. Additionally, the public exponent SHOULD be in
the range between <span style="background:yellow;mso-highlight:yellow">2<sup>16+1</sup></span></span><sup><span style="font-size:6.5pt;font-family:TimesNewRomanPSMT">
</span></sup><span style="font-size:10.0pt;font-family:TimesNewRomanPSMT">and <span style="background:yellow;mso-highlight:yellow">
2<sup>256-1</sup></span>.</span><o:p></o:p></p>
</td>
<td width="631" valign="top" style="width:378.3pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-size:10.0pt;font-family:TimesNewRomanPS-BoldMT">(4) General requirements for public keys<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:TimesNewRomanPSMT">RSA: The CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more. Additionally, the public exponent SHOULD be in the range between
<span style="background:yellow;mso-highlight:yellow">2<sup>16</sup>+1</span></span><sup><span style="font-size:6.5pt;font-family:TimesNewRomanPSMT"> </span></sup><span style="font-size:10.0pt;font-family:TimesNewRomanPSMT">and
<span style="background:yellow;mso-highlight:yellow">2<sup>256</sup>-1</span>.<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="631" valign="top" style="width:378.3pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal" style="text-autospace:none">2<sup>16+1 </sup>= 131072 This reads 2<sup>17</sup><o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">2<sup>256-1 </sup>= 5.7896044618658097711785492504344e+76 This reads 2<sup>255</sup><b><span style="font-size:10.0pt;font-family:TimesNewRomanPS-BoldMT"><o:p></o:p></span></b></p>
</td>
<td width="631" valign="top" style="width:378.3pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p class="MsoNormal" style="text-autospace:none">2<sup>16</sup>+1 = 65537<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none">2<sup>256</sup>-1= 1.1579208923731619542357098500869e+77<b><span style="font-size:10.0pt;font-family:TimesNewRomanPS-BoldMT"><o:p></o:p></span></b></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:10.0pt;font-family:"Georgia","serif";color:black">Jason Kubicki, CISSP<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>