<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">OpenTrust votes NO.<br>
<br>
I've got nothing against Tor, I use it and operate a relay node,
and I appreciate its value.<br>
<br>
However:<br>
<ul>
<li>there's no constraint on service descriptor key sizes, and
right now the keys are 1024-bit RSA by default. The service
descriptor key is what gives the hidden service its name
(facebookcorewwwi.onion, for example), so it can't be changed
without changing the hidden service name, and the service
descriptor key size can't easily be changed (it's a manual and
undocumented process, and I'm not sure a larger key will be
accepted by Tor clients). The vast majority of onion keys are
also RSA1024 ones. For example, the service descriptor key for
the "facebookcorewwwi" service is also a 1024-bit one. Whoever
gets the private key can impersonate the hidden service.
CABForum members must not certify public keys smaller than
2048 bits since 2013-12-31; let's not reintroduce them now.<br>
</li>
<li>the hidden service name that will be certified is generated
using a truncated SHA1. Cryptographically, that's not a
security problem so far because it uses the second preimage
resistance of SHA1, and SHA1 has no real weakness regarding
second preimage. It's a 2^80 work effort for an attacker to
generate a key having the same hidden service name as an
existing one. CABForum members have already agreed to avoid
SHA1, with a deprecation plan, even for intermediate CA
certificates, where we also rely on the second preimage
resistance property of the hash function (with a 2^160 effort
for an attacker because it's not truncated). Let's be
consistent and avoid SHA1 all along.<br>
</li>
<li>the final goal of this ballot is to allow a Tor user to
access a non-hidden service using a hidden service name. Such
a user can *already* access the public-facing classical
version of this service, using its public name. A Tor user can
already access <a class="moz-txt-link-freetext" href="https://www.whatever.com">https://www.whatever.com</a> with their browser and
the browser will be happy and get the green bar if the
certificate is an EV one. I may fail to see the expected
benefit, but that's it, I don't see it.<br>
</li>
</ul>
<br>
<pre class="moz-signature" cols="72">--
Erwann ABALEA
</pre>
On 10/02/2015 19:38, Jeremy Rowley wrote:<br>
</div>
<blockquote
cite="mid:c014cf8abae64a48a05386fe3543f732@EX2.corp.digicert.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Here’s
the ballot with the two typos fixed:<o:p></o:p></span></b></p>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Applicants
want a CA-signed .onion address for several reasons,
including:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">-
Powerful web platform features are restricted to secure
origins, which are currently not available to onion names
(in part, because of the lack of IANA registration).
Permitting EV certs for onion names will help provide a
secure origin for the service, moving onion towards use of
powerful web platform features.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">-
Currently, access to .onion names over https from a
standard browser results in the standard existing 'Invalid
Certificate' warning. Training users to click through
security warnings lowers the value of these warnings and
will cause users to miss important security information.
Removing these warnings for the user, through use of a
digital certificate, will help users recognize and avoid
real MITM attacks.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">-
The public needs attribution of ownership of the .onion
address to differentiate onion services, including
potential phishing services. Because onion names are not
easily recognizable strings, providing the public with
additional information about the operator has significant
security improvements, especially in regions where use of
the incorrect name could have lethal consequences.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">The
following motion has been proposed by Jeremy Rowley of
DigiCert and endorsed by Ryan Sleevi of Google and Wayne
Thayer of GoDaddy.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">---------------------<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Motion
Starts<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">---------------------<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">1)
Amend Section 9.2.1 of the Baseline Requirements v. 1.2.3
as follows:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">9.2.1
Subject Alternative Name Extension<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Certificate
Field: extensions:subjectAltName<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Required/Optional:
Required <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Contents:
This extension MUST contain at least one entry. Each entry
MUST be either a dNSName containing the Fully-Qualified
Domain Name or an iPAddress containing the IP address of a
server. The CA MUST confirm that the Applicant controls
the Fully-Qualified Domain Name or IP address or has been
granted the right to use it by the Domain Name Registrant
or IP address assignee, as appropriate.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Wildcard
FQDNs are permitted. As of the Effective Date of these
Requirements, prior to the issuance of a Certificate with
a subjectAlternativeName extension or Subject commonName
field containing a Reserved IP Address or Internal Name,
the CA SHALL notify the Applicant that the use of such
Certificates has been deprecated by the CA / Browser Forum
and that the practice will be eliminated by October 2016.
Also as of the Effective Date, the CA SHALL NOT issue a
certificate with an Expiry Date later than 1 November 2015
with a subjectAlternativeName extension or Subject
commonName field containing a Reserved IP Address or
Internal Name. Effective 1 October 2016, CAs SHALL revoke
all unexpired Certificates whose subjectAlternativeName
extension or Subject commonName field contains a Reserved
IP Address or Internal Name. <u>Effective May 1, 2015,
each CA SHALL revoke all unexpired Certificates with an
Internal Name using onion as the <span
style="color:#1F497D">right</span>-most label in an
entry in the subjectAltName Extension or commonName
field unless such Certificate was issued in accordance
with Appendix F of the EV Guidelines.</u><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">2)
Amend Section 9.2.2 and 11.7.1 of the Guidelines for the
Issuance and Management of Extended Validation
Certificates v1.5.2 as follows:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">9.2.2.
Subject Alternative Name Extension Certificate field:
subjectAltName:dNSName<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Required/Optional:
Required<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Contents:
This extension MUST contain one or more host Domain
Name(s) owned or controlled by the Subject and to be
associated with the Subject’s server. Such server MAY be
owned and operated by the Subject or another entity (e.g.,
a hosting service). Wildcard certificates are not allowed
for EV Certificates<u> except as permitted under Appendix
F</u>.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">11.7
Verification of Applicant’s Domain Name<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">11.7.1.
Verification Requirements<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">(1)
For each Fully-Qualified Domain Name listed in a
Certificate, other than a Domain Name with .onion in the
right-most label of the Domain Name, the CA SHALL confirm
that, as of the date the Certificate was issued, the
Applicant (or the Applicant’s Parent Company, Subsidiary
Company, or Affiliate, collectively referred to as
“Applicant” for the purposes of this section) either is
the Domain Name Registrant or has control over the FQDN
using a procedure specified in Section 11.1.1 of the
Baseline Requirements, except that a CA MAY NOT verify a
domain using the procedure described 11.1.1(7). <u>For a
Certificate issued to a Domain Name with .onion in the
right-most label of the Domain Name, the CA SHALL
confirm that, as of the date the Certificate was issued,
the Applicant’s control over the .onion Domain Name in
accordance with Appendix F.</u><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">(2)
Mixed Character Set Domain Names: EV Certificates MAY
include Domain Names containing mixed character sets only
in compliance with the rules set forth by the domain
registrar. The CA MUST visually compare any Domain Names
with mixed character sets with known high risk domains. If
a similarity is found, then the EV Certificate Request
MUST be flagged as High Risk. The CA must perform
reasonably appropriate additional authentication and
verification to be certain beyond reasonable doubt that
the Applicant and the target in question are the same
organization.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">3)
Add a new Appendix F to the Guidelines for the Issuance
and Management of Extended Validation Certificates v1.5.2:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Appendix
F – Issuance of Certificates for .onion Domain Names <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">A
CA may issue an EV Certificate with .onion in the
right-most label of the Domain Name provided that issuance
complies with the requirements set forth in this Appendix:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">1.
CAB Forum Tor Service Descriptor Hash extension
(2.23.140.1.31)<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">The
CAB Forum has created an extension of the TBSCertificate
for use in conveying hashes of keys related to .onion
addresses. The Tor Service Descriptor Hash extension has
the following format:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<pre>cabf-TorServiceDescriptor OBJECT IDENTIFIER ::= { 2.23.140.1.31 }

TorServiceDescriptorSyntax ::=
    SEQUENCE ( 1..MAX ) of TorServiceDescriptorHash

TorServiceDescriptorHash ::= SEQUENCE {
    onionURI             UTF8String
    algorithm            AlgorithmIdentifier
    subjectPublicKeyHash BIT STRING }
</pre>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Where
the AlgorithmIdentifier is a hashing algorithm (defined in
RFC 6234) performed over the DER-encoding of an ASN.1
SubjectPublicKey of the .onion service and
SubjectPublicKeyHash is the hash output.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">2.
The CA MUST verify the Applicant’s control over the .onion
Domain Name using one of the following:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">a.
The CA MAY verify the Applicant’s control over the .onion
service by posting a specific value at a well-known URL
under RFC5785. <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">b.
The CA MAY verify the Applicant’s control over the .onion
service by having the Applicant provide a Certificate
Request signed using the .onion public key if the
Attributes section of the certificationRequestInfo
contains: <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">(i)
A caSigningNonce attribute that 1) contains a single value
with at least 64-bits of entropy, 2) is generated by the
CA, and 3) delivered to the Applicant through a Verified
Method of Communication and<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">(ii)
An applicantSigningNonce attribute that 1) contains a
single value with at least 64-bits of entropy and 2) is
generated by the Applicant.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">The
signing nonce attributes have the following format:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<pre>caSigningNonce ATTRIBUTE ::= {
    WITH SYNTAX            OCTET STRING
    EQUALITY MATCHING RULE octetStringMatch
    SINGLE VALUE           TRUE
    ID                     { cabf-caSigningNonce }
}

cabf-caSigningNonce OBJECT IDENTIFIER ::= { cabf 41 }

applicantSigningNonce ATTRIBUTE ::= {
    WITH SYNTAX            OCTET STRING
    EQUALITY MATCHING RULE octetStringMatch
    SINGLE VALUE           TRUE
    ID                     { cabf-applicantSigningNonce }
}

cabf-applicantSigningNonce OBJECT IDENTIFIER ::= { cabf 42 }
</pre>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">4.
Each Certificate that includes a Domain Name where .onion
is in the right-most label of the Domain Name MUST conform
to the requirements of these Guidelines, including the
content requirements in Section 9 and Appendix B of the
Baseline Requirements, except that the CA MAY include a
wildcard character in the Subject Alternative Name
Extension and Subject Common Name Field as the left-most
character in the .onion Domain Name provided inclusion of
the wildcard character complies with Section 11.1.3 of the
Baseline Requirements.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">5.
CAs MUST NOT issue a Certificate that includes a Domain
Name where .onion is in the right-most label of the Domain
Name with a validity period longer than 15 months. Despite
Section 9.2.1 of the Baseline Requirements deprecating the
use of Internal Names, a CA MAY issue a Certificate
containing an .onion name with an expiration date later
than 1 November 2015 after (and only if) .onion is
officially recognized by the IESG as a reserved TLD. <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">6.
On or before May 1, 2015, each CA MUST revoke all
Certificates issued with the Subject Alternative Name
extension or Common Name field that includes a Domain Name
where .onion is in the right-most label of the Domain Name
unless the Certificate was issued in compliance with this
Appendix F.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">----<o:p></o:p></span></p>
</div>
<div style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Motion Ends <span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">-----<o:p></o:p></span></p>
</div>
<div style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">The review period for this ballot shall
commence at 2200 UTC on Thursday, 4 February 2015, and will
close at 2200 UTC on Thursday, 11 February 2015. Unless the
motion is withdrawn during the review period, the voting
period will start immediately thereafter and will close at
2200 UTC on Monday, 18 February 2015. Votes must be cast by
posting an on-list reply to this thread. <span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
</div>
<div style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">A vote in favor of the motion must
indicate a clear 'yes' in the response. A vote against must
indicate a clear 'no' in the response. A vote to abstain
must indicate a clear 'abstain' in the response. Unclear
responses will not be counted. The latest vote received from
any representative of a voting member before the close of
the voting period will be counted. Voting members are listed
here: <a moz-do-not-send="true"
href="https://cabforum.org/members/"><span
style="color:#0563C1">https://cabforum.org/members/</span></a>
<span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
</div>
<div style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">In order for the motion to be adopted,
two thirds or more of the votes cast by members in the CA
category and greater than 50% of the votes cast by members
in the browser category must be in favor. Quorum is
currently nine (9) members – at least nine members must
participate in the ballot, either by voting in favor, voting
against, or abstaining. <span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
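<p>Added example, not part of Erwann's reply or of the ballot text above: the consistency checks a CA could run on an EV .onion request under the proposed Appendix F (that the onionURI derives from the presented key and that subjectPublicKeyHash matches it), together with the two checks the NO vote argues for (RSA modulus at least 2048 bits, no SHA-1 in the extension). It assumes, as my assumption rather than the ballot's, that the extension hash is computed over the DER-encoded PKCS#1 RSAPublicKey, the same bytes Tor hashes to derive a v2 onion name, and it takes the algorithm as a hashlib name instead of a DER AlgorithmIdentifier; the sample keys are constructed numbers, not real RSA keys.</p>

```python
import base64
import hashlib

MIN_RSA_BITS = 2048  # Baseline Requirements floor since 2013-12-31


def der_len(n):
    """DER length octets: short form below 0x80, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """DER INTEGER for a non-negative value (0x00 pad if the high bit is set)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_len(len(body)) + body


def encode_rsa_public_key(n, e):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = der_integer(n) + der_integer(e)
    return b"\x30" + der_len(len(body)) + body


def _read_len(buf, pos):
    """Decode the DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def rsa_modulus_bits(key_der):
    """Minimal parser: bit length of the modulus inside a DER RSAPublicKey."""
    if key_der[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    _, pos = _read_len(key_der, 1)
    if key_der[pos] != 0x02:
        raise ValueError("modulus is not an INTEGER")
    length, pos = _read_len(key_der, pos + 1)
    return int.from_bytes(key_der[pos:pos + length], "big").bit_length()


def onion_address_from_key(key_der):
    """Tor v2 name: first 80 bits of SHA-1 over the DER key, base32, lowercase."""
    digest = hashlib.sha1(key_der).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower() + ".onion"


def descriptor_hash(key_der, algorithm):
    """subjectPublicKeyHash of the extension (assumed: hash of the DER key)."""
    return hashlib.new(algorithm, key_der).digest()


def validate_onion_request(claimed_onion, key_der, algorithm, claimed_hash):
    """Return findings; an empty list means the request is consistent and meets the floor."""
    findings = []
    if onion_address_from_key(key_der) != claimed_onion.lower():
        findings.append("onionURI does not derive from the presented key")
    if descriptor_hash(key_der, algorithm) != claimed_hash:
        findings.append("subjectPublicKeyHash does not match the presented key")
    bits = rsa_modulus_bits(key_der)
    if bits < MIN_RSA_BITS:
        findings.append("RSA modulus is %d bits, below the %d-bit floor" % (bits, MIN_RSA_BITS))
    if algorithm.lower() == "sha1":
        findings.append("extension hash uses SHA-1, which the Forum is deprecating")
    return findings


def constructed_key(bits, label):
    """Constructed sample, not a real RSA key: a bits-long number with the top bit set."""
    low = int.from_bytes(hashlib.sha512(label).digest(), "big")
    return encode_rsa_public_key((1 << (bits - 1)) | low, 65537)


SAMPLE_1024_DER = constructed_key(1024, b"constructed sample, not a real key")
SAMPLE_2048_DER = constructed_key(2048, b"constructed sample, not a real key")

if __name__ == "__main__":
    for key in (SAMPLE_1024_DER, SAMPLE_2048_DER):
        name = onion_address_from_key(key)
        print(name, validate_onion_request(name, key, "sha256", descriptor_hash(key, "sha256")))
```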
<br>
</body>
</html>