<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Section 3.2.5 is actually called "Validation of Authority" so that
might have been a better place.<br>
<br>
However, I don't think the actual location matters as much as
whether all CAs include it in the same section.<br>
<br>
Jeremy<br>
<br>
<div class="moz-cite-prefix">On 11/2/2014 2:38 PM, Ben Wilson wrote:<br>
</div>
<blockquote
cite="mid:11d8527eb3874ff7b416e623940c1dc2@EX2.corp.digicert.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">This
is an example of a situation where the RFC 3647 framework
does not provide the “perfect” section for the expressions
of a principle that otherwise is “good” to incorporate into
a CP / CPS. For purposes of ballot 125, section 4.2 was
believed to be the best section for putting that practice.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a class="moz-txt-link-abbreviated" href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a class="moz-txt-link-freetext" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Ryan
Sleevi<br>
<b>Sent:</b> Friday, October 31, 2014 7:05 AM<br>
<b>To:</b> Doug Beattie<br>
<b>Cc:</b> CABFPub<br>
<b>Subject:</b> Re: [cabfpub] Ballot 125 - CAA Records<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Doug,<o:p></o:p></p>
<p>My understanding of the framework from 3647 is that section
3.2 is about validating the identity of the requestor and
their authorization as Applicant Representative to make such a
request.<o:p></o:p></p>
<p>This doesn't seem appropriate for CAA, as it is about
validating the CA's authorization by the organization to issue
certificates - regardless of all the policies from 3.2 being
met of identifying the Applicant.<o:p></o:p></p>
<p>There are some similarities to 7.1.2p2 of the BRs - namely
the ability to distinguish whether or not the Subject
authorized the issuance - but this authorization seems tied to
the Applicant Representative, wheras CAA is a broader
expression of policy between the Subject and CA.<o:p></o:p></p>
<div>
<p class="MsoNormal">On Oct 31, 2014 5:42 AM, "Doug Beattie"
<<a moz-do-not-send="true"
href="mailto:doug.beattie@globalsign.com">doug.beattie@globalsign.com</a>>
wrote:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">That’s
right Ryan – CAA applies to all SSL/TLS, but probably
not applicable to code signing, individual certs,
etc. Section 3.2 describes the Identify validation
process for all types of certificates the CA issues.</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><a
moz-do-not-send="true"
name="149663a9cde1d243__MailEndCompose"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span></a><o:p></o:p></p>
<div style="border:none;border-left:solid blue
1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">
Ryan Sleevi [mailto:<a moz-do-not-send="true"
href="mailto:sleevi@google.com"
target="_blank">sleevi@google.com</a>] <br>
<b>Sent:</b> Friday, October 31, 2014 8:16 AM<br>
<b>To:</b> Doug Beattie<br>
<b>Cc:</b> CABFPub<br>
<b>Subject:</b> Re: [cabfpub] Ballot 125 - CAA
Records</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p><br>
On Oct 31, 2014 4:46 AM, "Doug Beattie" <<a
moz-do-not-send="true"
href="mailto:doug.beattie@globalsign.com"
target="_blank">doug.beattie@globalsign.com</a>>
wrote:<br>
><br>
> I’m starting to look at making updates to the CPS
to support this ballot and wonder if the wrong section
was specified in the ballot. Is Section 4.2 where
this belongs, or is section 3.2 the right place? <br>
><br>
> <br>
><br>
> Section 4.2 contains high level statements and no
real detail, and 4.2 generally refers back to 3.2 for
the specifics:<br>
><br>
> <br>
><br>
> 4.2. Certificate application processing<br>
><br>
> 4.2.1. Performing Identification and
Authentication Functions<br>
><br>
> 4.2.2. Approval or Rejection of Certificate
Applications<br>
><br>
> 4.2.3. Time to Process Certificate Applications<br>
><br>
> <br>
><br>
> Since CAA only applies to some types of
certificates, and the details of domain and
Organization Identity for each type of cert are listed
in 3.2, it would make more sense (to me) to include
the steps CAs use when processing CAA records as part
of the Domain Control, Ownership or “right to use”
processes that are described in section 3.2.<br>
><o:p></o:p></p>
<p>I'm not sure I understand your remark regarding "some
types of certificates" - it would certainly apply to
every cert intended for server authenticated TLS.<o:p></o:p></p>
<p>> <br>
><br>
> Doug<br>
><br>
> <br>
><br>
> <br>
><br>
> From: <a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org"
target="_blank">public-bounces@cabforum.org</a>
[mailto:<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org"
target="_blank">public-bounces@cabforum.org</a>] On
Behalf Of Ben Wilson<br>
> Sent: Tuesday, September 30, 2014 11:01 AM<br>
> To: CABFPub<br>
> Subject: [cabfpub] Ballot 125 - CAA Records<br>
><br>
> <br>
><br>
> Ballot 125 - CAA Records<br>
><br>
> Rick Andrews of Symantec made the following
motion and Jeremy Rowley of Digicert and Ryan Sleevi
of Google have endorsed it:<br>
><br>
> Reasons for proposed ballot RFC 6844 defines a
Certification Authority Authorization DNS Resource
Record (CAA). A CAA allows a DNS domain name holder to
specify the CAs authorized to issue certificates for
that domain. Publication of the CAA gives CAs and
domain holders additional controls to reduce the risk
of unintended certificate mis-issuance.<br>
><br>
> The proponents of this ballot believe that this
proposed modification to the Baseline Requirements,
which gives CAs up to six months to update their CP
and/or CPS to state the degree to which they implement
CAA, provides all CAs with the flexibility needed to
begin implementation of CAA.<br>
><br>
> ---MOTION BEGINS---<br>
><br>
> Add to Section 4 Definitions, new item:<br>
><br>
> CAA: From RFC 6844 (http:<a
moz-do-not-send="true"
href="http://tools.ietf.org/html/rfc6844"
target="_blank">tools.ietf.org/html/rfc6844</a>):
“The Certification Authority Authorization (CAA) DNS
Resource Record allows a DNS domain name holder to
specify the Certification Authorities (CAs) authorized
to issue certificates for that domain. Publication of
CAA Resource Records allows a public Certification
Authority to implement additional controls to reduce
the risk of unintended certificate mis-issue.”<br>
><br>
> Add the following to the end of Section 8.2.2,
Disclosure:<br>
><br>
> Effective as of [insert date that is six months
from Ballot 125 adoption], section 4.2 of a CA's
Certificate Policy and/or Certification Practice
Statement (section 4.1 for CAs still conforming to RFC
2527) SHALL state whether the CA reviews CAA Records,
and if so, the CA’s policy or practice on processing
CAA Records for Fully Qualified Domain Names. The CA
SHALL log all actions taken, if any, consistent with
its processing practice.<br>
><br>
> The resulting Section 8.2.2 would read as
follows:<br>
><br>
> The CA SHALL publicly disclose its Certificate
Policy and/or Certification Practice Statement through
an appropriate and readily accessible online means
that is available on a 24x7 basis. The CA SHALL
publicly disclose its CA business practices to the
extent required by the CA’s selected audit scheme (see
Section 17.1). The disclosures MUST include all the
material required by RFC 2527 or RFC 3647, and MUST be
structured in accordance with either RFC 2527 or RFC
3647. Effective as of [insert date that is six months
from Ballot 125 adoption], section 4.2 of a CA's
Certificate Policy and/or Certification Practice
Statement (section 4.1 for CAs still conforming to RFC
2527) SHALL state whether the CA reviews CAA Records,
and if so, the CA’s policy or practice on processing
CAA Records for Fully Qualified Domain Names. The CA
SHALL log all actions taken, if any, consistent with
its processing practice.<br>
><br>
> ---MOTION ENDS---<br>
><br>
> The review period for this ballot shall commence
at 2200 UTC on Tuesday, 30 September 2014, and will
close at 2200 UTC on Tuesday, 7 October 2014. Unless
the motion is withdrawn during the review period, the
voting period will start immediately thereafter and
will close at 2200 UTC on Tuesday, 14 October 2014.
Votes must be cast by posting an on-list reply to this
thread.<br>
><br>
> A vote in favor of the motion must indicate a
clear 'yes' in the response. A vote against must
indicate a clear 'no' in the response. A vote to
abstain must indicate a clear 'abstain' in the
response. Unclear responses will not be counted. The
latest vote received from any representative of a
voting member before the close of the voting period
will be counted. Voting members are listed here: <a
moz-do-not-send="true"
href="https://cabforum.org/members/" target="_blank">https://cabforum.org/members/</a><br>
><br>
> In order for the motion to be adopted, two thirds
or more of the votes cast by members in the CA
category and greater than 50% of the votes cast by
members in the browser category must be in favor.
Quorum is currently seven (7) members– at least seven
members must participate in the ballot, either by
voting in favor, voting against, or abstaining.<br>
><br>
> <br>
><br>
><br>
> _______________________________________________<br>
> Public mailing list<br>
> <a moz-do-not-send="true"
href="mailto:Public@cabforum.org" target="_blank">Public@cabforum.org</a><br>
> <a moz-do-not-send="true"
href="https://cabforum.org/mailman/listinfo/public"
target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
</body>
</html>