<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:0in;
line-height:105%;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
p.Default, li.Default, div.Default
{mso-style-name:Default;
margin:0in;
margin-bottom:.0001pt;
text-autospace:none;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;
font-weight:normal;
font-style:normal;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D'>I don’t have strong feelings either way. If “validation” is over-broad, we can use “/.well-known/validation/pki/” instead.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>-Rick<o:p></o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>kirk_hall@trendmicro.com<br><b>Sent:</b> Wednesday, November 18, 2015 3:23 PM<br><b>To:</b> CABFPub (public@cabforum.org)<br><b>Subject:</b> [cabfpub] VWG Question 2 – Domain Validation pre-ballot<o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><p class=MsoNormal style='margin-left:.5in'>Richard Barnes is withdrawing this suggested edit of adding other paths, but has suggested the path "/.well-known/validation" in the current ballot be CHANGED to "/.well-known/<b><span style='color:red'>pki-</span></b>validation". His reasoning is as follows:<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:1.0in'>I can actually live with this [withdrawing his suggested addition of other authorized paths]. Eric Mill pointed out to me that you can distinguish between validation types within that directory, so there's enough flexibility without the liberalization. So unless anyone else thinks there's a need to liberalize this requirement, consider the proposal withdrawn.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:1.0in'>I would like to bike-shed the string a little bit. The word "validation" is over-broad. One could certainly imagine other "validation" things going under .well-known. (POSH, an existing .well-known user, comes close <a href="http://www.iana.org/go/draft-ietf-xmpp-posh-06">http://www.iana.org/go/draft-ietf-xmpp-posh-06</a>)<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:1.0in;margin-bottom:.0001pt'>What would people think about changing from "validation" to something like "pki-validation"?<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal'><b>From:</b> Kirk Hall (RD-US) <br><b>Sent:</b> Thursday, November 12, 2015 5:08 PM<br><b>To:</b> CABFPub (<a href="mailto:public@cabforum.org">public@cabforum.org</a>)<br><b>Subject:</b> Question 2 – Domain Validation pre-ballot<o:p></o:p></p></div></div><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal'><b>Question 2 – Domain Validation pre-ballot<o:p></o:p></b></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal'>The second open question for the current Domain Validation ballot also comes from Richard Barnes of Mozilla, and is as follows.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=Default style='margin-left:1.0in'><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Proposal 2: In <u>line H</u> <o:p></o:p></span></b></p><p class=Default style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p><p class=Default style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>CURRENT DRAFT: <o:p></o:p></span></p><p class=Default style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p><p class=Default style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>“6. Having the Applicant demonstrate control over the requested FQDN by installing a Random Value (contained in the name of the file, the content of a file, on a web page in the form of a meta tag, or any other format as determined by the CA) under "/.well-known/validation" directory on an Authorized Domain Name, that can be validated over an Authorized Port; or”<o:p></o:p></span></p><p class=Default style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p><p class=Default style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Richard proposes to add the following language as shown: "*** or any other path under .well-known registered by IANA for this purpose" <o:p></o:p></span></p><p class=Default style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p><p class=Default style='margin-left:1.5in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>6. Having the Applicant demonstrate control over the requested FQDN by installing a Random Value (contained in the name of the file, the content of a file, on a web page in the form of a meta tag, or any other format as determined by the CA) under "/.well-known/validation" directory on an Authorized Domain Name, </span><b><u><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:red'>or any other path under .well-known registered by IANA for this purpose</span></u></b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:red'> </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>that can be validated over an Authorized Port; or <o:p></o:p></span></p><p class=Default style='margin-left:2.0in'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal'>Richard’s reasoning: “For automated systems like ACME, they're going to want a much more precise definition of the validation process than what's in this document, and they may want to use different .well-known paths to indicate different methods that are all compliant with this section. Requiring the IANA registration allows these differences to exist, but in a controlled way.”<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal'>On the call today, it was noted that only a single path "/.well-known/validation" directory on an Authorized Domain Name” was chosen intentionally – so that webmasters could be informed to lock down this path on their websites to avoid allowing a hacker to post a bogus credential (such as a bogus Random Value, etc.) and obtain a cert by practical demonstration for a domain they do not really own or control. The sentiment on the call was against this change. One comment was that if a different path was needed in the future, it could be discussed and added later by a separate ballot if justified.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal'><b><u>Questions</u></b>: The Validation Working is likely to reject this suggested change. However, we would like to hear from anyone who things the suggested change is a good idea.<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><table class=MsoNormalTable border=0 cellpadding=0 width=628 style='width:471.1pt;margin-left:.5in'><tr><td style='background:white;padding:.75pt .75pt .75pt .75pt'><table class=MsoNormalTable border=0 cellpadding=0><tr><td style='padding:.75pt .75pt .75pt .75pt'><pre><o:p> </o:p></pre><pre>TREND MICRO EMAIL NOTICE<o:p></o:p></pre><pre>The information contained in this email and any attachments is confidential <o:p></o:p></pre><pre>and may be subject to copyright or other intellectual property protection. <o:p></o:p></pre><pre>If you are not the intended recipient, you are not authorized to use or <o:p></o:p></pre><pre>disclose this information, and we request that you notify us by reply mail or<o:p></o:p></pre><pre>telephone and delete the original message from your mail system.<o:p></o:p></pre></td></tr></table></td></tr></table><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal'><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p> </o:p></span></p></div></body></html>