<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:0in;
font-size:10.0pt;
font-family:"Cambria",serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:.5in;
mso-add-space:auto;
font-size:10.0pt;
font-family:"Cambria",serif;
color:black;}
p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
font-size:10.0pt;
font-family:"Cambria",serif;
color:black;}
p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
font-size:10.0pt;
font-family:"Cambria",serif;
color:black;}
p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:.5in;
mso-add-space:auto;
font-size:10.0pt;
font-family:"Cambria",serif;
color:black;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri",sans-serif;}
p.line874, li.line874, div.line874
{mso-style-name:line874;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:352078765;
mso-list-template-ids:-582596128;}
@list l0:level1
{mso-level-start-at:11;
mso-level-text:%1;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:30.0pt;
text-indent:-30.0pt;}
@list l0:level2
{mso-level-text:"%1\.%2";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:39.0pt;
text-indent:-30.0pt;}
@list l0:level3
{mso-level-text:"%1\.%2\.%3";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.5in;}
@list l0:level4
{mso-level-text:"%1\.%2\.%3\.%4";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:63.0pt;
text-indent:-.5in;}
@list l0:level5
{mso-level-text:"%1\.%2\.%3\.%4\.%5";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.25in;
text-indent:-.75in;}
@list l0:level6
{mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:99.0pt;
text-indent:-.75in;}
@list l0:level7
{mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.75in;
text-indent:-1.0in;}
@list l0:level8
{mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7\.%8";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:135.0pt;
text-indent:-1.0in;}
@list l0:level9
{mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7\.%8\.%9";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.25in;
text-indent:-1.25in;}
@list l1
{mso-list-id:497235207;
mso-list-type:hybrid;
mso-list-template-ids:1144313114 792346334 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-start-at:146;
mso-level-number-format:bullet;
mso-level-text:\F06E;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;
mso-fareast-font-family:Calibri;
mso-bidi-font-family:"Times New Roman";}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l2
{mso-list-id:677541241;
mso-list-type:hybrid;
mso-list-template-ids:834722448 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l2:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l2:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l2:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l3
{mso-list-id:919633467;
mso-list-type:hybrid;
mso-list-template-ids:873504740 -1256268842 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l3:level1
{mso-level-start-at:146;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:Calibri;
mso-bidi-font-family:"Times New Roman";}
@list l3:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l3:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l3:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l4
{mso-list-id:1090085127;
mso-list-type:hybrid;
mso-list-template-ids:-1604697126 359018268 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l4:level1
{mso-level-start-at:146;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:Calibri;
mso-bidi-font-family:"Times New Roman";}
@list l4:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l4:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l4:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l4:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l4:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l4:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l4:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l4:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Jeremy,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I have a few comments and recommendation for this ballot:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Item 1: Change the section name.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">The current section name is “Authorization by Domain Name Registrant”, but this section defines more than this one authorization method. I suggest naming it
as “Domain Control Validation”, or something similar.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Item 2: Inconsistent definition of the “FQDN, Base Domain or any other domains” that can be used to validate domain control validation.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">When validating a FQDN of a.b.c.d.example.com we need to clearly identify where emails can be sent, where “.well-known” directories can be located, which CNAME
records can be updated, etc. <o:p></o:p></span></p>
<p class="MsoListParagraphCxSpFirst" style="text-indent:-.25in;mso-list:l4 level1 lfo6">
<![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Is c.d.example.com allowed for some/all options?
<o:p></o:p></span></p>
<p class="MsoListParagraphCxSpLast" style="text-indent:-.25in;mso-list:l4 level1 lfo6">
<![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">What about example.com, for some but not all options?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">The definitions in the various options are inconsistent and we should take the opportunity to clean this up.<o:p></o:p></span></p>
<p class="MsoListParagraphCxSpFirst" style="text-indent:-.25in;mso-list:l4 level1 lfo6">
<![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">If only the FQDN or the Base Domain can be used, we need to specify that<o:p></o:p></span></p>
<p class="MsoListParagraphCxSpMiddle" style="text-indent:-.25in;mso-list:l4 level1 lfo6">
<![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">If anything between the FQDN and the Base Domain can be used, we need to specify that.<o:p></o:p></span></p>
<p class="MsoListParagraphCxSpLast" style="text-indent:-.25in;mso-list:l4 level1 lfo6">
<![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">We should specify which domains can be used for a wildcard FQDN (strip off the “*.” and treat that as the FQDN)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I recommend we define a new term and we use that throughout the list of Domain Control Validation methods.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Authorized Domains</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">: The FQDN, the Base Domain,
or any FQDN in-between these two values. For the purpose of verifying a wildcard FQDN, the CA MUST remove the leading wildcard character and period and treat the remaining as a FQDN.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Item 3: In Item 5, I suggest including the entire definition of “Domain Authorization Document” right in the list vs. referencing a short paragraph that defines
Domain Authorization Document later in the section (ease of reading and to make this option clear and standalone)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Item 4: In the “Note” about FQDNs, we say :</span>
<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l4 level1 lfo6"><![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>“<span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">FQDNs may be listed in Subscriber Certificates using dNSNames in the subjectAltName extension or…”<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Even though the CommonName is depreciated and the value in the CommonName needs to be in the SAN, should we explicitly call out CommonName as a location for FQDNs?<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l4 level1 lfo6"><![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">FQDNs may be listed in Subscriber Certificates
<u>in the Common Name field of the Subject DN</u>, using dNSNames in the subjectAltName extension or…”<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Item 5: Domain Authorization Document<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">The paragraph about the Domain Authorization Document section says:<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l4 level1 lfo6"><![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">The CA MUST verify that the Domain Authorization Document was either (i) dated
<u>on or after the certificate request date</u> or (ii) used by the CA to verify a previously issued certificate and that the Domain Name’s WHOIS record has
<u>not been modified</u> since the previous certificate’s issuance.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Item (i) implies you cannot get a Domain Authorization Document to validate a domain and then enter it into a managed SSL offering and allow customers to request
and receive certificates against this pre-vetted domain. I might not be interpreting this correctly though. Does this document need to be dated AFTER the
<u>certificate request</u>, and if so, what is the reason for that? One would think that this could be done once and then re-used for 39 months like the other “Certificate Data” for all subsequent Certificate Requests.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">As far as item (ii), do we need to verify that the WHOIS record has not been modified since the previous certificate’s request? Again, I would assume that if
you collected a set of “Certificate Data” at a point in time, you should be able to use it for 39 months without going back to check WHOIS for each certificate request you process for that domain. I also assume you need a new Domain Authorization Document
every 39 months (more frequently for EV)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Item 6: gTLDs<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Some companies have registered their own new TLDs, like BMW. Assuming this is owned and managed by one company (vs. .email or similar generic values), can this
be considered the Base Domain? We should spell out that this is allowed. Something along the lines of: Domain Control Validation of a TLD may be used to demonstrate control over all lower level domains if and only if the owner of the TLD is the only entity
registering DNS entries and they they will be used exclusively for “their” FQDNs.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Doug<o:p></o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></a></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"> public-bounces@cabforum.org
[mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Jeremy Rowley<br>
<b>Sent:</b> Wednesday, April 15, 2015 7:29 PM<br>
<b>To:</b> public@cabforum.org<br>
<b>Subject:</b> [cabfpub] Domain validation<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:11.0pt;font-family:"Times New Roman",serif;color:windowtext">With removal of the opinion letters, I think this is ready for a ballot. Are there two endorsers?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Times New Roman",serif;color:windowtext">Amendment to Section 11.1.1 of CA/Browser Forum Baseline Requirements to clarify acceptable methods of validating domain control:<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l2 level1 lfo2"><![if !supportLists]><span style="font-size:11.0pt;font-family:"Times New Roman",serif;color:windowtext"><span style="mso-list:Ignore">1)<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Times New Roman",serif;color:windowtext">Add the following definitions:
<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman",serif">Base Domain: The portion of an applied-for FQDN that is the first domain name node left of a registry-controlled or public suffix plus the registry-controlled or public suffix (e.g. “domain.co.uk”
or “domain.com”).<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman",serif"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman",serif">Random Value: A value specified by a CA to the Applicant that exhibits 128 bits of entropy.<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman",serif"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l2 level1 lfo2"><![if !supportLists]><span style="font-size:11.0pt;font-family:"Times New Roman",serif;color:windowtext"><span style="mso-list:Ignore">2)<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Times New Roman",serif;color:windowtext">Section 11.1.1 of the CA/Browser Forum’s Baseline Requirements is amended as follows:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Times New Roman",serif;color:windowtext">…<o:p></o:p></span></p>
<p class="MsoListParagraph" style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:.75in;mso-add-space:auto;text-align:justify;text-indent:-.5in;page-break-after:avoid;mso-list:l0 level3 lfo4">
<![if !supportLists]><b><i><span style="font-size:11.0pt;font-family:"Times New Roman",serif;color:windowtext"><span style="mso-list:Ignore">11.1.1<span style="font:7.0pt "Times New Roman"">
</span></span></span></i></b><![endif]><b><i><span style="font-size:11.0pt;font-family:"Times New Roman",serif;color:windowtext">Authorization by Domain Name Registrant<o:p></o:p></span></i></b></p>
<p class="MsoNormal" style="margin-bottom:6.0pt;text-align:justify"><span style="font-size:11.0pt;font-family:"Times New Roman",serif;color:windowtext">For each Fully-Qualified Domain Name listed in a Certificate, the CA SHALL confirm that, as of the date the
Certificate was issued, the Applicant either is the Domain Name Registrant or has control over the FQDN by:
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.0pt;margin-left:.5in;text-align:justify;text-indent:-.25in">
<span style="font-size:11.0pt;font-family:"Times New Roman",serif;color:windowtext">1. Confirming the Applicant as the Domain Name Registrant directly with the Domain Name Registrar through a Reliable Method of Communication, for example using information
provided through WHOIS; or<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.0pt;margin-left:.5in;text-align:justify;text-indent:-.25in">
<span style="font-size:11.0pt;font-family:"Times New Roman",serif;color:windowtext">2. Confirming authorization of the Certificate’s issuance directly with the Domain Name Registrant using a Reliable Method of Communication that is (i) obtained from the
Domain Name Registrar or (ii) listed as the “registrant”, “technical”, or “administrative” contact for the WHOIS record of the Base Domain; or
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.0pt;margin-left:.5in;text-align:justify;text-indent:-.25in">
<span style="font-size:11.0pt;font-family:"Times New Roman",serif;color:windowtext">4. Confirming authorization for the Certificate’s issuance through an email address created by pre-pending ‘admin’, ‘administrator’, ‘webmaster’, ‘hostmaster’, or ‘postmaster’
in the local part, followed by the at-sign (“@”), followed by the Domain Name, which may be formed by pruning zero or more components from the requested FQDN; or<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.0pt;margin-left:.5in;text-align:justify;text-indent:-.25in">
<span style="font-size:11.0pt;font-family:"Times New Roman",serif;color:windowtext">5. Relying upon a Domain Authorization Document that meets the requirements listed below; or<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.0pt;margin-left:.5in;text-align:justify;text-indent:-.25in">
<span style="font-size:11.0pt;font-family:"Times New Roman",serif;color:windowtext">6. Having the Applicant demonstrate control over the FQDN or Base Domain by adding a file containing a Random Value to the “/.well-known/certificate” directory at either
the FQDN or the Base Domain in accordance with RFC 5785; or<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.0pt;margin-left:.5in;text-align:justify;text-indent:-.25in">
<span style="font-size:11.0pt;font-family:"Times New Roman",serif;color:windowtext">7. Having the Applicant demonstrate control over the FQDN or Base Domain by the Applicant making a change to information in a DNS record for the FQDN or Base Domain where
the change is a Random Value; or<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.0pt;margin-left:.5in;text-align:justify;text-indent:-.25in">
<span style="font-size:11.0pt;font-family:"Times New Roman",serif;color:windowtext">8. Having the Applicant demonstrate control over the requested FQDN by the CA confirming, in accordance with section 11.1.1, the Applicant’s controls the FQDN (or Base Domain
of the FQDN) returned from a DNS lookup for CNAME records for the requested FQDN; or<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.0pt;margin-left:.5in;text-align:justify;text-indent:-.25in">
<span style="font-size:11.0pt;font-family:"Times New Roman",serif;color:windowtext">9. Having the Applicant demonstrate control over the requested FQDN by the CA confirming, in accordance with section 11.1.2, that the Applicant controls an IP address returned
from a DNS lookup for A or AAAA records for the requested FQDN; or<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.0pt;margin-left:.5in;text-align:justify;text-indent:-.25in">
<span style="font-size:11.0pt;font-family:"Times New Roman",serif;color:windowtext">10. Having the Applicant demonstrate control over the FQDN by providing a TLS service on a host found in DNS for the FQDN and having the CA (i) initiate a TLS connection with
the host and (ii) verify a Random Value that is a in a format recognized as a valid TLS response.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:10.0pt"><span style="font-size:11.0pt;font-family:"Times New Roman",serif;color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-bottom:10.0pt"><span style="font-size:11.0pt;font-family:"Times New Roman",serif;color:windowtext">Note: For purposes of determining the appropriate domain name level or Domain Namespace, the registerable Domain Name is the
second-level domain for generic top-level domains (gTLD) such as .com, .net, or .org, or, if the Fully Qualified Domain Name contains a 2 letter Country Code Top-Level Domain (ccTLD), then the domain level is whatever is allowed for registration according
to the rules of that ccTLD. If the CA relies upon a Domain Authorization Document to confirm the Applicant’s control over a FQDN, then the Domain Authorization Document MUST substantiate that the communication came from either the Domain Name Registrant (including
any private, anonymous, or proxy registration service) or the Domain Name Registrar listed in the WHOIS. The CA MUST verify that the Domain Authorization Document was either (i) dated on or after the certificate request date or (ii) used by the CA to verify
a previously issued certificate and that the Domain Name’s WHOIS record has not been modified since the previous certificate’s issuance.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:10.0pt"><span style="font-size:11.0pt;font-family:"Times New Roman",serif;color:windowtext">Note: FQDNs may be listed in Subscriber Certificates using dNSNames in the subjectAltName extension or in Subordinate CA Certificates
via dNSNames in permittedSubtrees within the Name Constraints extension.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Times New Roman",serif;color:windowtext">Note: For the purpose of verifying a wildcard FQDN, the CA MUST verify either the Base Domain of the wildcard FQDN or the entire Domain Name Label to the
right of the wildcard character. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Times New Roman",serif;color:windowtext"><o:p> </o:p></span></p>
<p class="line874"><span style="font-size:11.0pt;color:windowtext"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Times New Roman",serif;color:windowtext"><o:p> </o:p></span></p>
</div>
</div>
</body>
</html>