<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">ANF AC abstains ballot 144.<br>
<div class="moz-signature">
<b>Enric Castillo</b><br>
Technical Director<br>
+34 626818285<br>
Gran Via de Les Corts Catalanes 996, Barcelona<br>
+593 0 998554992<br>
12 de Octubre y Cordero, World Trade Center, Torre A, 1102,
Quito <br>
ANF Autoridad de Certificación<br>
<a style="color: #007fa9;" href="https://www.anf.es">www.anf.es</a><br>
<br>
</div>
On 10/02/2015 at 19:38, Jeremy Rowley wrote:<br>
</div>
<blockquote
cite="mid:c014cf8abae64a48a05386fe3543f732@EX2.corp.digicert.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Here’s
the ballot with the two typos fixed:<o:p></o:p></span></b></p>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Applicants
want a CA-signed .onion address for several reasons,
including:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">-
Powerful web platform features are restricted to secure
origins, which are currently not available to onion names
(in part, because of the lack of IANA registration).
Permitting EV certs for onion names will help provide a
secure origin for the service, moving onion towards use of
powerful web platform features.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">-
Currently, access to .onion names over https from a
standard browser results in the standard existing 'Invalid
Certificate' warning. Training users to click through
security warnings lowers the value of these warnings and
will cause users to miss important security information.
Removing these warnings for the user, through use of a
digital certificate, will help users recognize and avoid
real MITM attacks.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">-
The public needs attribution of ownership of the .onion
address to differentiate onion services, including
potential phishing services. Because onion names are not
easily recognizable strings, providing the public with
additional information about the operator has significant
security improvements, especially in regions where use of
the incorrect name could have lethal consequences.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">The
following motion has been proposed by Jeremy Rowley of
DigiCert and endorsed by Ryan Sleevi of Google and Wayne
Thayer of GoDaddy.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">---------------------<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Motion
Starts<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">---------------------<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">1)
Amend Section 9.2.1 of the Baseline Requirements v. 1.2.3
as follows:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">9.2.1
Subject Alternative Name Extension<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Certificate
Field: <a class="moz-txt-link-freetext" href="extensions:subjectAltName">extensions:subjectAltName</a><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Required/Optional:
Required
<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Contents:
This extension MUST contain at least one entry. Each entry
MUST be either a dNSName containing the Fully-Qualified
Domain Name or an iPAddress containing the IP address of a
server. The CA MUST confirm that the Applicant controls
the Fully-Qualified Domain Name or IP address or has been
granted the right to use it by the Domain Name Registrant
or IP address assignee, as appropriate.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Wildcard
FQDNs are permitted. As of the Effective Date of these
Requirements, prior to the issuance of a Certificate with
a subjectAlternativeName extension or Subject commonName
field containing a Reserved IP Address or Internal Name,
the CA SHALL notify the Applicant that the use of such
Certificates has been deprecated by the CA / Browser Forum
and that the practice will be eliminated by October 2016.
Also as of the Effective Date, the CA SHALL NOT issue a
certificate with an Expiry Date later than 1 November 2015
with a subjectAlternativeName extension or Subject
commonName field containing a Reserved IP Address or
Internal Name. Effective 1 October 2016, CAs SHALL revoke
all unexpired Certificates whose subjectAlternativeName
extension or Subject commonName field contains a Reserved
IP Address or Internal Name.
<u>Effective May 1, 2015, each CA SHALL revoke all
unexpired Certificates with an Internal Name using onion
as the
<span style="color:#1F497D">right</span>-most label in
an entry in the subjectAltName Extension or commonName
field unless such Certificate was issued in accordance
with Appendix F of the EV Guidelines.</u><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">2)
Amend Section 9.2.2 and 11.7.1 of the Guidelines for the
Issuance and Management of Extended Validation
Certificates v1.5.2 as follows:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">9.2.2.
Subject Alternative Name Extension Certificate field:
subjectAltName:dNSName<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Required/Optional:
Required<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Contents:
This extension MUST contain one or more host Domain
Name(s) owned or controlled by the Subject and to be
associated with the Subject’s server. Such server MAY be
owned and operated by the Subject or another entity (e.g.,
a hosting service). Wildcard certificates are not allowed
for EV Certificates<u> except as permitted under Appendix
F</u>.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">11.7
Verification of Applicant’s Domain Name<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">11.7.1.
Verification Requirements<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">(1)
For each Fully-Qualified Domain Name listed in a
Certificate, other than a Domain Name with .onion in the
right-most label of the Domain Name, the CA SHALL confirm
that, as of the date the Certificate was issued, the
Applicant (or the Applicant’s Parent Company, Subsidiary
Company, or Affiliate, collectively referred to as
“Applicant” for the purposes of this section) either is
the Domain Name Registrant or has control over the FQDN
using a procedure specified in Section 11.1.1 of the
Baseline Requirements, except that a CA MAY NOT verify a
domain using the procedure described 11.1.1(7).
<u>For a Certificate issued to a Domain Name with .onion
in the right-most label of the Domain Name, the CA SHALL
confirm that, as of the date the Certificate was issued,
the Applicant’s control over the .onion Domain Name in
accordance with Appendix F.</u><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">(2)
Mixed Character Set Domain Names: EV Certificates MAY
include Domain Names containing mixed character sets only
in compliance with the rules set forth by the domain
registrar. The CA MUST visually compare any Domain Names
with mixed character sets with known high risk domains. If
a similarity is found, then the EV Certificate Request
MUST be flagged as High Risk. The CA must perform
reasonably appropriate additional authentication and
verification to be certain beyond reasonable doubt that
the Applicant and the target in question are the same
organization.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">3)
Add a new Appendix F to the Guidelines for the Issuance
and Management of Extended Validation Certificates v1.5.2:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Appendix
F – Issuance of Certificates for .onion Domain Names
<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">A
CA may issue an EV Certificate with .onion in the
right-most label of the Domain Name provided that issuance
complies with the requirements set forth in this Appendix:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">1.
CAB Forum Tor Service Descriptor Hash extension
(2.23.140.1.31)<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">The
CAB Forum has created an extension of the TBSCertificate
for use in conveying hashes of keys related to .onion
addresses. The Tor Service Descriptor Hash extension has
the following format:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">cabf-TorServiceDescriptor
OBJECT IDENTIFIER ::= { 2.23.140.1.31 }<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">TorServiceDescriptorSyntax
::=
<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
SEQUENCE ( 1..MAX ) of TorServiceDescriptorHash<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">TorServiceDescriptorHash
::= SEQUENCE {<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
onionURI UTF8String<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
algorithm AlgorithmIdentifier<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
subjectPublicKeyHash BIT STRING }<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Where
the AlgorithmIdentifier is a hashing algorithm (defined in
RFC 6234) performed over the DER-encoding of an ASN.1
SubjectPublicKey of the .onion service and
SubjectPublicKeyHash is the hash output.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">2.
The CA MUST verify the Applicant’s control over the .onion
Domain Name using one of the following:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">a.
The CA MAY verify the Applicant’s control over the .onion
service by posting a specific value at a well-known URL
under RFC5785.
<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">b.
The CA MAY verify the Applicant’s control over the .onion
service by having the Applicant provide a Certificate
Request signed using the .onion public key if the
Attributes section of the certificationRequestInfo
contains: <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">(i)
A caSigningNonce attribute that 1) contains a single value
with at least 64-bits of entropy, 2) is generated by the
CA, and 3) delivered to the Applicant through a Verified
Method of Communication and<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">(ii)
An applicantSigningNonce attribute that 1) contains a
single value with at least 64-bits of entropy and 2) is
generated by the Applicant.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">The
signing nonce attributes have the following format:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">caSigningNonce
ATTRIBUTE ::= {
<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">WITH
SYNTAX OCTET STRING<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">EQUALITY
MATCHING RULE octetStringMatch<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">SINGLE
VALUE TRUE<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">ID
{ cabf-caSigningNonce }<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
}<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">cabf-caSigningNonce
OBJECT IDENTIFIER ::= { cabf 41 }
<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">applicantSigningNonce
ATTRIBUTE ::= {
<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">WITH
SYNTAX OCTET STRING<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">EQUALITY
MATCHING RULE octetStringMatch<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">SINGLE
VALUE TRUE<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">ID
{ cabf-applicantSigningNonce }<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
}<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">cabf-applicantSigningNonce
OBJECT IDENTIFIER ::= { cabf 42 }<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">4.
Each Certificate that includes a Domain Name where .onion
is in the right-most label of the Domain Name MUST conform
to the requirements of these Guidelines, including the
content requirements in Section 9 and Appendix B of the
Baseline Requirements, except that the CA MAY include a
wildcard character in the Subject Alternative Name
Extension and Subject Common Name Field as the left-most
character in the .onion Domain Name provided inclusion of
the wildcard character complies with Section 11.1.3 of the
Baseline Requirements.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">5.
CAs MUST NOT issue a Certificate that includes a Domain
Name where .onion is in the right-most label of the Domain
Name with a validity period longer than 15 months. Despite
Section 9.2.1 of the Baseline Requirements deprecating the
use of Internal Names, a CA MAY issue a Certificate
containing an .onion name with an expiration date later
than 1 November 2015 after (and only if) .onion is
officially recognized by the IESG as a reserved TLD. <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">6.
On or before May 1, 2015, each CA MUST revoke all
Certificates issued with the Subject Alternative Name
extension or Common Name field that includes a Domain Name
where .onion is in the right-most label of the Domain Name
unless the Certificate was issued in compliance with this
Appendix F.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">----<o:p></o:p></span></p>
</div>
<div style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Motion Ends <span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">-----<o:p></o:p></span></p>
</div>
<div style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">The review period for this ballot shall
commence at 2200 UTC on Thursday, 4 February 2015, and will
close at 2200 UTC on Thursday, 11 February 2015. Unless the
motion is withdrawn during the review period, the voting
period will start immediately thereafter and will close at
2200 UTC on Monday, 18 February 2015. Votes must be cast by
posting an on-list reply to this thread.
<span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
</div>
<div style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">A vote in favor of the motion must
indicate a clear 'yes' in the response. A vote against must
indicate a clear 'no' in the response. A vote to abstain
must indicate a clear 'abstain' in the response. Unclear
responses will not be counted. The latest vote received from
any representative of a voting member before the close of
the voting period will be counted. Voting members are listed
here:
<a moz-do-not-send="true"
href="https://cabforum.org/members/"><span
style="color:#0563C1">https://cabforum.org/members/</span></a>
<span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
</div>
<div style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">In order for the motion to be adopted,
two thirds or more of the votes cast by members in the CA
category and greater than 50% of the votes cast by members
in the browser category must be in favor. Quorum is
currently nine (9) members– at least nine members must
participate in the ballot, either by voting in favor, voting
against, or abstaining.
<span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
</div>
</blockquote>
<br>
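<p>Added example, not part of the ballot or of any CA/Browser Forum text: Python code that DER-encodes the Tor Service Descriptor Hash extension (2.23.140.1.31) described in Appendix F item 1 and checks an entry against a service key. SHA-256 with absent parameters, the RFC 5280 Extension wrapper, the function names, the toy key bytes and the .onion name are assumptions made for illustration.</p>

```python
import hashlib

CABF_TOR_OID = "2.23.140.1.31"           # extension OID from the ballot text
SHA256_OID = "2.16.840.1.101.3.4.2.1"    # id-sha256; choosing SHA-256 is an assumption

def der_len(n: int) -> bytes:
    if n >= 0x80:                         # long form: 0x80 | number of length octets
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([0x80 | len(body)]) + body
    return bytes([n])                     # short form for lengths up to 127

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_len(len(value)) + value

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc % 128]               # base-128, high bit set on all but the last octet
        arc //= 128
        while arc:
            chunk.append(0x80 | (arc % 128))
            arc //= 128
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first >= 0x80:
        n = first - 0x80
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def descriptor_hash(onion_uri: str, spk_der: bytes) -> bytes:
    """TorServiceDescriptorHash: onionURI, algorithm, subjectPublicKeyHash."""
    digest = hashlib.sha256(spk_der).digest()       # hash over the DER-encoded key
    algorithm = tlv(0x30, der_oid(SHA256_OID))      # AlgorithmIdentifier, parameters absent
    key_hash = tlv(0x03, b"\x00" + digest)          # BIT STRING with 0 unused bits
    return tlv(0x30, tlv(0x0C, onion_uri.encode("utf-8")) + algorithm + key_hash)

def build_extension(entries) -> bytes:
    """Extension ::= SEQUENCE { extnID, extnValue OCTET STRING } (RFC 5280)."""
    syntax = tlv(0x30, b"".join(descriptor_hash(u, k) for u, k in entries))
    return tlv(0x30, der_oid(CABF_TOR_OID) + tlv(0x04, syntax))

def verify_extension(ext_der: bytes, onion_uri: str, spk_der: bytes) -> bool:
    """True only if an entry for onion_uri carries the SHA-256 of spk_der."""
    _, ext, _ = read_tlv(ext_der, 0)
    tag, oid, pos = read_tlv(ext, 0)
    if tag != 0x06 or tlv(tag, oid) != der_oid(CABF_TOR_OID):
        return False
    tag, value, pos = read_tlv(ext, pos)
    if tag == 0x01:                                  # skip an explicit 'critical' BOOLEAN
        tag, value, pos = read_tlv(ext, pos)
    _, hashes, _ = read_tlv(value, 0)                # TorServiceDescriptorSyntax
    want = b"\x00" + hashlib.sha256(spk_der).digest()
    pos = 0
    while pos != len(hashes):
        _, entry, pos = read_tlv(hashes, pos)
        _, uri, p = read_tlv(entry, 0)
        _, alg, p = read_tlv(entry, p)
        _, bits, _ = read_tlv(entry, p)
        if uri.decode("utf-8") == onion_uri:
            return alg == der_oid(SHA256_OID) and bits == want
    return False

# Constructed sample data: toy RSAPublicKey structures and a made-up name, not real values.
SAMPLE_KEY = tlv(0x30, tlv(0x02, b"\x00\xc3\x5a\x11\x9d\x07\xe1\x4b\x2f") + tlv(0x02, b"\x01\x00\x01"))
OTHER_KEY = tlv(0x30, tlv(0x02, b"\x00\xd1\x22\x8e\x40\x6b\x93\x0c\x75") + tlv(0x02, b"\x01\x00\x01"))
SAMPLE_URI = "https://exampleonionaddr.onion"

if __name__ == "__main__":
    print(verify_extension(build_extension([(SAMPLE_URI, SAMPLE_KEY)]), SAMPLE_URI, SAMPLE_KEY))
```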
</body>
</html>