<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=windows-1251"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Arial",sans-serif;
color:windowtext;
text-decoration:none none;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.il
{mso-style-name:il;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1499660638;
mso-list-type:hybrid;
mso-list-template-ids:663364848 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1
{mso-list-id:1868371228;
mso-list-type:hybrid;
mso-list-template-ids:-1972348782 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-GB link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:windowtext;mso-fareast-language:EN-US'>Hi all.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:windowtext;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:windowtext;mso-fareast-language:EN-US'>Just to set the history books straight, on my vote from Nov 2012, which almost got through bar one browser. It was not to prevent the use of wildcards, but to allow the clear identify the owner of the public private key pair to be displayed when multiple FQDNs were added to a Domain Validated certificate where those FQDNs did not have the same base domain. e.g. If you wanted foo.com and foo.co.uk you needed to have an OV, but foo.bar.com and bar.com was acceptable as a DV (Which is I guess suggesting a stronger form of Wildcard if you look at it this way, but not quite as we wanted to keep the option of wildcards but prevent what’s still possible today which is effectively wild/mixed domains. We wanted to ensure that the person who owned or controlled the key pair was clearly identified in the case of mixed FQDNs and it was not up to the relying party to try to ‘guess’ which of the domain names included in a certificate might be the one owning/controlling the key pair on behalf of the others (As you cannot assume it’s the domain name which floats up to the deprecated CN position or is first in the SAN list).<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:windowtext;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:windowtext;mso-fareast-language:EN-US'>It’s very topical now to discussions considering the need to identify the owner of key pairs operated by CA’s on behalf of others and yes, Globalsign does follow what we believe to be best practice by not allowing mixed domain ownership at a DV level without identifying a true owner to relying parties. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:windowtext;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:windowtext;mso-fareast-language:EN-US'>How time goes by so quickly!<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:windowtext;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal style='background:white'><b><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif'>From:<span class=apple-converted-space> </span></span></i></b><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif'>Steve Roylance <<a href="mailto:steve.roylance@globalsign.com" target="_blank"><span style='color:#1155CC'>steve.roylance@globalsign.com</span></a>><br><b>Date:<span class=apple-converted-space> </span></b>Thursday, 15 November 2012 17:27<br><b>To:<span class=apple-converted-space> </span></b><<a href="mailto:public@cabforum.org" target="_blank"><span style='color:#1155CC'>public@cabforum.org</span></a>>, CABForum Management <<a href="mailto:management@cabforum.org" target="_blank"><span style='color:#1155CC'>management@cabforum.org</span></a>><br><b>Subject:<span class=apple-converted-space> </span></b><span class=il>Ballot</span><span class=apple-converted-space> </span><span class=il>92</span><span class=apple-converted-space> </span>- Subject Alternative Names</span></i><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif'><o:p></o:p></span></i></p><p class=MsoNormal style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif'> <o:p></o:p></span></i></p><p class=MsoNormal style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif'><a href="https://www.cabforum.org/wiki/92%20-%20Subject%20Alternative%20Names" target="_blank"><span style='color:#1155CC'>https://www.cabforum.org/wiki/<span class=il>92</span>%20-%20Subject%20Alternative%20Names</span></a><o:p></o:p></span></i></p><p class=MsoNormal style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif'> <o:p></o:p></span></i></p><p class=MsoNormal style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif'>Steve Roylance of GlobalSign made the following motion and Yngve Pettersen of Opera and Jeremy Rowley of Digicert have endorsed it:<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>... Motion begins...<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>Effective on the 1st July 2013<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>... Erratum begins ...<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>The following sections will be amended in the Baseline Requirements document.<o:p></o:p></span></i></p><p style='background:white'><strong><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>INSERT</span></i></strong><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'> in Section 4. Definitions the following:<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>Public IP Address: An IP Address that is not a Reserved IP Address.<o:p></o:p></span></i></p><p style='background:white'><strong><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>REPLACE</span></i></strong><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'> Section 9.2.1 (Subject Alternative Name Extension) with the following:<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>9.2.1 Subject Alternative Name Extension<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>Certificate Field: extensions:subjectAltName<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>Required/Optional: Required<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>Contents: This extension MUST contain at least one entry that is either a Fully-Qualified Domain Name or Public IP Address. Each subjectAltName entry MUST either be a Domain Name or an IP Address. The CA MUST confirm the Applicant’s control of each dNSName or Public IP Address entry in accordance with Section 11.1.<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>SubjectAltName entries MAY include domain Names containing wildcard characters.<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>If the subjectAltName is:<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>1) a Public IP Address,<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>2) a Registered Domain Name that has a Domain Name Registrant different than (and not an Affiliate of) the Domain Name Registrant of any other Registered Domain Name in the subjectAltName extension in the Certificate, or<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>3) a Reserved IP Address or Internal Server Name.<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>then the CA MUST verify the identity of an entity that controls the private key in accordance with Section 11.2 and include the Subject Identity Information in the issued Certificate in accordance with 9.2.4. The CA MAY include explanatory information in the Subject Organizational Unit field or a non-subject certificate field to clarify the Subject Identity Information included in the Certificate.<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>Prior to issuing a Certificate containing an Internal Server Name or Reserved IP Address, the CA SHALL notify the Applicant that the use of such Certificates has been deprecated by the CA / Browser Forum and that the practice will be eliminated by October 2016. As of the Effective Date, the CA SHALL NOT issue a certificate with an Expiry Date later than 1 November 2015 if the subjectAlternativeName contains a Reserved IP Address or Internal Server Name. Effective 1 October 2016, CAs SHALL revoke all unexpired Certificates whose subjectAlternativeName extension or Subject commonName field contains a Reserved IP Address or Internal Server Name.<o:p></o:p></span></i></p><p style='background:white'><strong><i><s><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:red'>REPLACE</span></s></i></strong><i><s><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:red'> Section 9.2.2 (Subject Common Name Field) with the following:</span></s></i><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'><o:p></o:p></span></i></p><p style='background:white'><i><s><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:red'>9.2.2 Subject Common Name Field</span></s></i><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'><o:p></o:p></span></i></p><p style='background:white'><i><s><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:red'>Certificate Field: subject:commonName (OID 2.5.4.3)</span></s></i><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'><o:p></o:p></span></i></p><p style='background:white'><i><s><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:red'>Required/Optional: Deprecated (Discouraged, but not prohibited)</span></s></i><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'><o:p></o:p></span></i></p><p style='background:white'><i><s><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:red'>Contents: If present, this field MUST contain a single Public IP address or single Fully-Qualified Domain Name that is one of the values contained in the Certificate’s subjectAltName extension (see Section 9.2.1). Reserved IP Addresses and Internal Server Names are prohibited.</span></s></i><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'><o:p></o:p></span></i></p><p style='background:white'><strong><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>REPLACE</span></i></strong><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'> Section 10.2.3 (Information Requirements) with the following:<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>10.2.3 Information Requirements<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>The certificate request MAY include all factual information about the Applicant to be included in the Certificate, and such additional information as is necessary for the CA to obtain from the Applicant in order to comply with these Requirements and the CA’s Certificate Policy and/or Certification Practice Statement. In cases where the certificate request does not contain all the necessary information about the Applicant, the CA SHALL obtain the remaining information from the Applicant or, having obtained it from a reliable, independent, third-party data source, confirm it with the Applicant.<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>Applicant information MUST include, but not be limited to, at least one Subject Alternative Name as defined in Section 9.2.1.<o:p></o:p></span></i></p><p style='background:white'><strong><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>INSERT</span></i></strong><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'> in Section 11.1 (Authorization by Domain Name Registrant) the following two new sections:<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>11.1.3 Wildcard Domain Validation<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>Before issuing a certificate with a wildcard character (*) in a CN or subjectAltName of type DNS-ID, the CA MUST establish and follow a documented procedure† that determines if the wildcard character occurs in the first label position to the left of a “registry-controlled” label or “public suffix” (e.g. “*.com”, “*.<a href="http://co.uk/" target="_blank"><span style='color:#1155CC'>co.uk</span></a>”, see RFC 6454 Section 8.2 for further explanation). If a wildcard would fall within the label immediately to the left of a registry-controlled† or public suffix, CAs SHALL refuse issuance unless the applicant proves its rightful control of the entire Domain Namespace. (e.g. CAs SHALL NOT issue “*.<a href="http://co.uk/" target="_blank"><span style='color:#1155CC'>co.uk</span></a>”, but MAY issue “*.<a href="http://example.co.uk/" target="_blank"><span style='color:#1155CC'>example.co.uk</span></a>” to Example Ltd.)<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>†Determination of what is “registry-controlled” versus the registerable portion of a Country Code Top-Level Domain Namespace is not standardized at the time of writing and is not a property of the DNS itself. Current best practice is to consult a “public suffix list” such as <a href="http://publicsuffix.org/" target="_blank"><span style='color:#0044B3;border:none windowtext 1.0pt;padding:0cm;text-decoration:none'>http://publicsuffix.org/</span></a>. If the process for making this determination is standardized by an RFC, then such a procedure SHOULD be preferred.<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>... Erratum ends ...<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>The review period for this<span class=apple-converted-space> </span></span></i><span class=il><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif'>ballot</span></i></span><span class=apple-converted-space><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'> </span></i></span><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>shall commence at 21:00 UTC on 15 November 2012 and will close at 21:00 UTC on 22 November 2012. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 21:00 UTC on 29 November 2012. Votes must be cast by posting an on-list reply to this thread.<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>... Motions ends ...<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>A vote in favor of the motion must indicate a clear 'yes' in the response.<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>A vote against must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted.<o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>Voting members are listed here: <a href="http://www.cabforum.org/forum.html" target="_blank"><span style='color:#0044B3;border:none windowtext 1.0pt;padding:0cm;text-decoration:none'>http://www.cabforum.org/forum.html</span></a><o:p></o:p></span></i></p><p style='background:white'><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and one half or more of the votes cast by members in the browser category must be in favor. Also, at least six members must participate in the<span class=apple-converted-space> </span></span></i><span class=il><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif'>ballot</span></i></span><i><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:black'>, either by voting in favor, voting against or abstaining.<o:p></o:p></span></i></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:windowtext;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:windowtext;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:windowtext;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:windowtext;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:windowtext;mso-fareast-language:EN-US'>Steve<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:windowtext;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='color:windowtext'>From:</span></b><span lang=EN-US style='color:windowtext'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Jeremy Rowley<br><b>Sent:</b> 19 March 2015 23:26<br><b>To:</b> Eddy Nigg; public@cabforum.org<br><b>Subject:</b> Re: [cabfpub] EV Wildcards<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Oh yeah. I forgot to mention another proposal was to eliminate wildcard certs for DV. This was raised a while ago by Globalsign and actually went to a ballot. It failed at that time by browser vote.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Resurrection of this proposal was brought up at the face-to-face, but there wasn’t significant discussion there (since the topic was primarily about EV wildcards, not DV)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Jeremy<o:p></o:p></span></p><p class=MsoNormal><a name="_MailEndCompose"></a><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='color:windowtext'>From:</span></b><span lang=EN-US style='color:windowtext'> </span><a href="mailto:public-bounces@cabforum.org"><span lang=EN-US>public-bounces@cabforum.org</span></a><span lang=EN-US style='color:windowtext'> [</span><a href="mailto:public-bounces@cabforum.org"><span lang=EN-US>mailto:public-bounces@cabforum.org</span></a><span lang=EN-US style='color:windowtext'>] <b>On Behalf Of </b>Eddy Nigg<br><b>Sent:</b> Thursday, March 19, 2015 5:21 PM<br><b>To:</b> Jeremy Rowley; </span><a href="mailto:public@cabforum.org"><span lang=EN-US>public@cabforum.org</span></a><span lang=EN-US style='color:windowtext'><br><b>Subject:</b> Re: [cabfpub] EV Wildcards<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US>Thanks again Jeremy!<br><br>I would like to state the following fact as food for thought on this subject....<br><br>Today one can secure a (main) site with an EV certificate and have all content of that site including frames and iframes secured with a regular SSL certificate including wild cards. Browsers have always allowed this with the notable exception of Opera that had at some point a configuration setting for an "All EV" requirement. So if you are on an EV site, this doesn't mean that your connection is really secured with EV - a lot of information can be still leaked to other parties that have not undergone an extended validation and that's usually not what you want (but you don't know usually).<br><br>If we consider this fact, I can't see why EV shouldn't be wild card enabled. Or to take it a step further, why should wild cards be possible with some weak domain control validation only? It's widely known that such wild card DVs can be easily abused.<br><br>On the other hand, EV has undergone a serious verification and the use of an EV certificates for malicious purpose by the certificate holder is almost zero. Except if it loses the key or something, but that's an entirely different story.</span><span lang=EN-US style='font-size:12.0pt'><o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US>On 03/20/2015 01:00 AM, Jeremy Rowley wrote:<o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span lang=EN-US>During the face-to-face, the forum discussed allowing wildcard characters in EV certificates. The reasons for allowing it were:<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo2'><![if !supportLists]><span lang=EN-US><span style='mso-list:Ignore'>1)<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US>The lack of wildcard characters is one reason many large enterprises choose OV/DV over EV. As entities move increasingly to cloud-based solutions and as IPv4 addresses become an increasingly limited resource, wildcards are being used in more and more places. <o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo2'><![if !supportLists]><span lang=EN-US><span style='mso-list:Ignore'>2)<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US>EV domain validation is tied to the baseline requirements. The baseline requirements, even with the proposed domain validation revisions, permit validation of the base domain of an FQDN. Validation does not necessarily happen at each subdomain level. Therefore, putting wildcard characters doesn’t increase the risk as CAs aren’t looking specifically at the FQDN (except as part of the high risk check).<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>The reasons against allowing it were:<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l1 level1 lfo4'><![if !supportLists]><span lang=EN-US><span style='mso-list:Ignore'>1)<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US>CAs are looking at the FQDN as part of the high risk check. (The counter to this was that high risk checks are highly language and CA dependent – I might not catch that bankofamerica.mydomain.com is a high risk domain if I’m operating outside the US)<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l1 level1 lfo4'><![if !supportLists]><span lang=EN-US><span style='mso-list:Ignore'>2)<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US>Eliminating wildcards ensures the requester knows exactly what domains are being covered by the EV cert. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>There were probably more arguments for and against, but I think this gets the discussion started. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Jeremy<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman",serif'><br><br><o:p></o:p></span></p><pre><span lang=EN-US>_______________________________________________<o:p></o:p></span></pre><pre><span lang=EN-US>Public mailing list<o:p></o:p></span></pre><pre><a href="mailto:Public@cabforum.org"><span lang=EN-US>Public@cabforum.org</span></a><span lang=EN-US><o:p></o:p></span></pre><pre><a href="https://cabforum.org/mailman/listinfo/public"><span lang=EN-US>https://cabforum.org/mailman/listinfo/public</span></a><span lang=EN-US><o:p></o:p></span></pre></blockquote><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p><div><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman",serif'>-- <o:p></o:p></span></p><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0><tr><td colspan=2 style='padding:0cm 0cm 0cm 0cm'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>Regards <o:p></o:p></span></p></td></tr><tr><td colspan=2 style='padding:0cm 0cm 0cm 0cm'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'> <o:p></o:p></span></p></td></tr><tr><td style='padding:0cm 0cm 0cm 0cm'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>Signer: <o:p></o:p></span></p></td><td style='padding:0cm 0cm 0cm 0cm'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>Eddy Nigg, COO/CTO<o:p></o:p></span></p></td></tr><tr><td style='padding:0cm 0cm 0cm 0cm'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'> <o:p></o:p></span></p></td><td style='padding:0cm 0cm 0cm 0cm'><p class=MsoNormal><a href="http://www.startcom.org"><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>StartCom Ltd.</span></a><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p></td></tr><tr><td style='padding:0cm 0cm 0cm 0cm'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>XMPP: <o:p></o:p></span></p></td><td style='padding:0cm 0cm 0cm 0cm'><p class=MsoNormal><a href="xmpp:startcom@startcom.org"><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>startcom@startcom.org</span></a><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p></td></tr><tr><td style='padding:0cm 0cm 0cm 0cm'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>Blog: <o:p></o:p></span></p></td><td style='padding:0cm 0cm 0cm 0cm'><p class=MsoNormal><a href="http://blog.startcom.org"><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>Join the Revolution!</span></a><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p></td></tr><tr><td style='padding:0cm 0cm 0cm 0cm'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>Twitter: <o:p></o:p></span></p></td><td style='padding:0cm 0cm 0cm 0cm'><p class=MsoNormal><a href="http://twitter.com/eddy_nigg"><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>Follow Me</span></a><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p></td></tr><tr><td colspan=2 style='padding:0cm 0cm 0cm 0cm'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'> <o:p></o:p></span></p></td></tr></table><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman",serif;color:windowtext'><o:p> </o:p></span></p></div></div></div></body></html>