<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:634723352;
mso-list-template-ids:-39128848;}
@list l1
{mso-list-id:1841113390;
mso-list-type:hybrid;
mso-list-template-ids:703463424 67698703 818999044 720020586 -142180730 1507632750 1424765972 704144182 -1922541662 1162370076;}
@list l1:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:\2022;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Arial",sans-serif;
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\2022;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Arial",sans-serif;
mso-bidi-font-family:"Times New Roman";}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\2022;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Arial",sans-serif;
mso-bidi-font-family:"Times New Roman";}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:\2022;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Arial",sans-serif;
mso-bidi-font-family:"Times New Roman";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\2022;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Arial",sans-serif;
mso-bidi-font-family:"Times New Roman";}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\2022;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Arial",sans-serif;
mso-bidi-font-family:"Times New Roman";}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:\2022;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Arial",sans-serif;
mso-bidi-font-family:"Times New Roman";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\2022;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Arial",sans-serif;
mso-bidi-font-family:"Times New Roman";}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><a name="_MailEndCompose"><span style='color:#1F497D'>Dean,<o:p></o:p></span></a></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>I don’t think you’re asking the right question: “Who can request a cert for dean.example.com”. It’s not who can request it, but more the relationship between the Org field and the Domain in the CN or SAN, right? In reality you never know who is requesting the certificate, only what they put into their request.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Today it’s just domain validation that’s needed to verify domains for OV certs, no ownership:<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>- Verify Org is a company using an authorized repository<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>- Verify Applicant is authorized to represent the company <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>- They can demonstrate domain control over the domain<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>There is no requirement to verify that the organization “owns” the domain today, are you asking that we change the vetting rules for how domains are added to OV certificates?<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Even EV requirements let the company add domains to an EV cert by demonstrating Domain Control using the same procedures as OV and DV (except for item 7 is prohibited plus the signer approval step). Are you recommending we not allow companies to add domains to their certs with domain control and that they must “own” the domain?<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Doug<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Dean Coclin<br><b>Sent:</b> Thursday, February 4, 2016 5:26 PM<br><b>To:</b> CABFPub <public@cabforum.org><br><b>Subject:</b> [cabfpub] F2F Topic details: What should be represented in the "O" field?<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b>As requested on today’s call, please publish ahead of time any background reading material for a topic which has your name next to it.<o:p></o:p></b></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>On Day 2 the subject topic is scheduled. Here is some background:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>At the last F2F meeting we discussed what should go in the certificate “O” field and what the definition of “applicant” should be. Ryan succinctly summarized it and I transformed into the following example:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Who can request a cert for dean.example.com:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><ol style='margin-top:0in' start=1 type=1><li class=MsoNormal style='mso-list:l1 level1 lfo3'>Dean Coclin, author of the content and logical operator of the <u>dean.example.com</u> origin<o:p></o:p></li><li class=MsoNormal style='mso-list:l1 level1 lfo3'>Example.com, provider of hosting services for Dean Coclin<o:p></o:p></li><li class=MsoNormal style='mso-list:l1 level1 lfo3'>CDN Corp, a CDN that provides SSL/TLS front-end services for <u>example.com</u>, which does not offer them directly<o:p></o:p></li><li class=MsoNormal style='mso-list:l1 level1 lfo3'>Marketing Inc, the firm responsible for designing and maintaining the website on behalf of Dean Coclin<o:p></o:p></li><li class=MsoNormal style='mso-list:l1 level1 lfo3'>Payments LLC, the payment processing firm responsible for handling orders and financial details on <u>dean.example.com</u><o:p></o:p></li><li class=MsoNormal style='mso-list:l1 level1 lfo3'>DNS Org, the company who operates the DNS services on behalf of Dean Coclin<o:p></o:p></li><li class=MsoNormal style='mso-list:l1 level1 lfo3'>Mail Corp, the organization who handles the MX records that dean.example.com responds to<o:p></o:p></li></ol><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>At the last meeting, there was a debate between some who thought it should be #1 and those that thought it should be whoever holds the private key. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>My position (and those of some others at the meeting) is that it should be #1. The rationale is that this is what is of interest to relying parties. I don’t believe relying parties care who holds the private key nor who the site’s payment processor or DNS operator are. Relying parties want to know who is responsible for the site content and, in case of problems, who they should contact. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I would like to open and continue a discussion of this topic (at the meeting, not here)so that we can try and come to some consensus on this issue. Of course, if you have a viewpoint that you’d like to elaborate ahead of time, please feel free to do so.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks<o:p></o:p></p><p class=MsoNormal>Dean<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>