<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-2022-jp">
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D;mso-fareast-language:EN-US'>Kirk – we <b>can</b> still issue certificates to public IP addresses (not Reserved IP addresses or Internal names).<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D;mso-fareast-language:EN-US'>Doug<o:p></o:p></span></p><p class=MsoNormal><a name="_MailEndCompose"><span style='color:#1F497D;mso-fareast-language:EN-US'><o:p> </o:p></span></a></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal'><b>From:</b> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>kirk_hall@trendmicro.com<br><b>Sent:</b> Wednesday, November 18, 2015 6:38 PM<br><b>To:</b> CABFPub (public@cabforum.org) &lt;public@cabforum.org&gt;<br><b>Subject:</b> [cabfpub] FW: Question 4 – Domain Validation pre-ballot<o:p></o:p></p></div></div><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><p class=MsoNormal style='margin-left:.5in'>Wayne Thayer said he tended to agree with Peter Bowen's comments, and suggested the following changes:<o:p></o:p></p><p class=MsoListParagraph style='margin-left:1.25in;text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>(1)<span style='font:7.0pt "Times New Roman"'>    </span></span><![endif]>Change "Authorization Domain" in this section to "FQDN", so Method 8 would read as follows:<o:p></o:p></p><p class=Default style='margin-left:1.25in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>8. 
Having the Applicant demonstrate control over the requested FQDN by the CA confirming that the Applicant controls an IP address returned from a DNS lookup for A or AAAA records for the <i><s>Authorization Domain Name</s></i>  </span><b><u><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:red'>FQDN</span></u></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:red'> </span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>in accordance with section 3.2.2.5</span><o:p></o:p></p><p class=Default style='margin-left:1.25in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span><o:p></o:p></p><p class=Default style='margin-left:1.25in;text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>(2)<span style='font:7.0pt "Times New Roman"'>  </span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext'>As a separate matter Wayne said:</span><o:p></o:p></p><p class=Default style='margin-left:1.25in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext'> </span><o:p></o:p></p><p class=Default style='margin-left:1.25in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext'>"Also, section 3.2.2.5 includes a practical control method that we should consider updating to match the new method 6 and an "any other method" option that we should consider removing as part of this ballot."</span><o:p></o:p></p><p class=Default style='margin-left:1.25in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext'> </span><o:p></o:p></p><p class=Default style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext'>Here is what Sec. 3.2.2.5 says now, with some language <u>underlined</u> for discussion.  
[Question from Kirk – now that we can no longer issue public certs for IP Addresses, should we simply DELETE BR 3.2.2.5 now?]</span><o:p></o:p></p><p class=Default style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><b><i>3.2.2.5. Authentication for an IP Address</i></b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'>For each IP Address listed in a Certificate, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant has control over the IP Address by:<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'>1. Having the Applicant demonstrate practical control over the IP Address by making an agreed-upon change to information found on an online Web page identified by a uniform resource identifier containing the IP Address;<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'>2. Obtaining documentation of IP address assignment from the Internet Assigned Numbers Authority (IANA) or a Regional Internet Registry (RIPE, APNIC, ARIN, AfriNIC, LACNIC);<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'>3. 
Performing a reverse-IP address lookup and then verifying control over the resulting Domain Name under Section 3.2.2.4; or<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'>4. <u>Using any other method of confirmation</u>, provided that the CA maintains documented evidence that the method of confirmation establishes that the Applicant has control over the IP Address to at least the same level of assurance as the methods previously described.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'>Note: IPAddresses may be listed in Subscriber Certificates using IPAddress in the subjectAltName extension or in Subordinate CA Certificates via IPAddress in permittedSubtrees within the Name Constraints extension.<o:p></o:p></p><p class=Default style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext'> </span><o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'> <o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'> <o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal'><b>From:</b> Kirk Hall (RD-US) <br><b>Sent:</b> Thursday, November 12, 2015 5:08 PM<br><b>To:</b> CABFPub (<a href="mailto:public@cabforum.org">public@cabforum.org</a>)<br><b>Subject:</b> Question 4 – Domain Validation pre-ballot<o:p></o:p></p></div></div><p class=MsoNormal style='margin-left:.5in'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal'><b>Question 4 – Domain Validation 
pre-ballot</b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal'>Again, Peter Bowen of Amazon did not submit specific new language, but posed the following comment about new Method No. 8 shown below:<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal'><b> </b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:1.0in;margin-bottom:.0001pt;line-height:normal'><b>Proposal 4: In <u>line K</u> of current draft (Method No. 8)</b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:1.0in;margin-bottom:.0001pt;line-height:normal'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:1.0in;margin-bottom:.0001pt;line-height:normal'>"Conversely, in item K, using Authorization Domain seems inappropriate.  Just because I control the IP address of <a href="http://corp.example.com">corp.example.com</a> doesn't mean I have control <a href="http://payments.corp.example.com">payments.corp.example.com</a>."<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal'> <o:p></o:p></p><p class=Default style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Here is the current Ballot language for Method No. 
7:</span><o:p></o:p></p><p class=Default style='margin-left:.5in'> <o:p></o:p></p><p class=Default style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>[Current Ballot language]</span><o:p></o:p></p><p class=Default style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span><o:p></o:p></p><p class=Default style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>8. Having the Applicant demonstrate control over the requested FQDN by the CA confirming that the Applicant controls an IP address returned from a DNS lookup for A or AAAA records for the Authorization Domain Name in accordance with section 3.2.2.5; or </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal'>On the call today, Wayne Thayer thought he agreed with Peter's comment, and offered to come up with revised ballot language on this issue.  
There was no other discussion.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><b><u><span style='color:black'>Question for Discussion</span></u><span style='color:black'>: </span></b><span style='color:black'>Should proving domain control for an SLDN (Base Domain) or a FQDN by showing the applicant controls an IP address returned from a DNS lookup for A or AAAA records be sufficient to show domain control for all <u>higher level</u> FQDNs also?</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><b><span style='color:black'> </span></b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><b><u>To Peter Bowen</u></b>: If you want to comment on this issue, please email to me and I will post to the Public list.<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal'><span style='font-size:12.0pt;font-family:SimSun'><o:p> </o:p></span></p></div></body></html>