<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=iso-2022-jp"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1799180353;
mso-list-type:hybrid;
mso-list-template-ids:-1499715134 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:black'>Two arguments:<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:black'><span style='mso-list:Ignore'>1)<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:black'>It�$B!G�(Bs in the left-most label. If you read left most position as �$B!H�(Blabel�$B!I�(B, the language doesn�$B!G�(Bt require it to be the only character in the left-most label. Therefore, this is a Wildcard Cert in that the wildcard character is in the left-most label of the cert even if it�$B!G�(Bs not the only character. Totally legit reading considering neither label nor position is defined.<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:black'><span style='mso-list:Ignore'>2)<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:black'>It�$B!G�(Bs not a wildcard cert because it doesn�$B!G�(Bt have a character in the leftmost position of the cert. Therefore, it�$B!G�(Bs not covered by the BR requirements of 3.2.26<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'>�$B!H�(BBefore issuing a certificate with a wildcard character (*) in a CN or subjectAltName of type DNS</span><span style='font-family:"Cambria Math",serif;color:black'>�$B!>�(B</span><span style='color:black'>ID, the CA MUST establish and follow a documented procedure�$B"w�(B that determines if the wildcard character occurs in the first label position to the left of a �$B!H�(Bregistry</span><span style='font-family:"Cambria Math",serif;color:black'>�$B!>�(B</span><span style='color:black'>controlled�$B!I�(B label or �$B!H�(Bpublic suffix�$B!I�(B (e.g. �$B!H�(B*.com�$B!I�(B, �$B!H�(B*.co.uk�$B!I�(B, see RFC 6454 Section 8.2 for further explanation).�$B!I�(B<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:black'>Based on this, I�$B!G�(Bm not seeing where it requires them to only include the wildcard character as the only character. I am happy to endorse a ballot to correct this though.<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:black'>On the other hand the �$B!H�(B*.*.example.com�$B!I�(B certs are much more difficult to explain. <o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal><a name="_MailEndCompose"><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:black'><o:p> </o:p></span></a></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:black'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:black'> Rich Smith [mailto:richard.smith@comodo.com] <br><b>Sent:</b> Thursday, April 21, 2016 4:41 PM<br><b>To:</b> Stephen Davidson<br><b>Cc:</b> Jeremy Rowley; public@cabforum.org<br><b>Subject:</b> Re: [cabfpub] Proposed new ballot on IP Addresses in SANs<o:p></o:p></span></p></div></div><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span style='color:black'>Wait, what? How is it arguable that the wildcard is in the left most position in this: lab-rct-*.us.kworld.kpmg.com?<br>Or any of the other certificates indicated in my original email on this?<o:p></o:p></span></p><div><p class=MsoNormal><span style='color:black'>On 4/21/2016 4:38 PM, Stephen Davidson wrote:<o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:black'>And it is arguable that the wildcard is in fact �$B!H�(Bin the left-most position�$B!I�(B �$B!D�(B Hence the ballot clarifying that the sole wildcard must constitute the entirety of the left-most label.</span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:black'> </span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:black'> </span><span style='color:black'><o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:black'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:black'> <a href="mailto:public-bounces@cabforum.org"><span style='color:black'>public-bounces@cabforum.org</span></a> [<a href="mailto:public-bounces@cabforum.org"><span style='color:black'>mailto:public-bounces@cabforum.org</span></a>] <b>On Behalf Of </b>Jeremy Rowley<br><b>Sent:</b> Thursday, April 21, 2016 2:55 PM<br><b>To:</b> Rich Smith <a href="mailto:richard.smith@comodo.com"><span style='color:black'><richard.smith@comodo.com></span></a><br><b>Cc:</b> <a href="mailto:public@cabforum.org"><span style='color:black'>public@cabforum.org</span></a><br><b>Subject:</b> Re: [cabfpub] Proposed new ballot on IP Addresses in SANs</span><span style='color:black'><o:p></o:p></span></p></div></div><p class=MsoNormal><span style='color:black'> <o:p></o:p></span></p><div><div><p class=MsoNormal><span style='color:black'>We don't issue these certs, but the section cited does not sat you can't issue them. That is only a definition of a wildcard cert.<o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='color:black'><br><br>Rich Smith <<a href="mailto:richard.smith@comodo.com"><span style='color:black'>richard.smith@comodo.com</span></a>> wrote:<o:p></o:p></span></p><div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='color:black'>I share Ryan's concerns. I find it deeply troubling that a member of this Forum, whose representative is the current Forum Chair, and which had no small part in drafting the BRs and seeing them through to adoption is willfully issuing certificates in direct contravention of the Requirements. None of us is perfect, but as head of validation for Comodo I make every effort to ensure that certificates issued by Comodo are fully compliant with the BRs and EV Guidelines, business expediency notwithstanding.<br><br>In checking through certlint to try to find certificates issued with improperly formatted IP addresses, in order that I might better understand this issue, imagine my surprise to find several wildcard certificates, also issued by Symantec, and also in direct contravention of the BRs:<br><br>lab-rct-*.us.kworld.kpmg.com<br>lab-rct-*.us.kpmg.com<br>rct-*.us.kpmg.com<br><br>See: <a href="https://crt.sh/?cablint=65&iCAID=1449&opt=cablint"><span style='color:black'>https://crt.sh/?cablint=65&iCAID=1449&opt=cablint</span></a><br><br>The BRs state, in definitions section:<br><br><b>Wildcard Certificate:</b> A Certificate containing an asterisk (*) in the <b>left-most position</b> <i>[emphasis mine] </i>of any of the Subject Fully-Qualified Domain Names contained in the Certificate.<br><br>Regards,<br>Rich Smith<br>Validation Manager<br>Comodo<o:p></o:p></span></p><div><p class=MsoNormal><span style='color:black'>On 4/21/2016 8:23 AM, Ryan Sleevi wrote:<o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal><span style='color:black'> <o:p></o:p></span></p><div><p class=MsoNormal><span style='color:black'> <o:p></o:p></span></p><div><p class=MsoNormal><span style='color:black'>On Thu, Apr 21, 2016 at 6:13 AM, Jody Cloutier <<a href="mailto:jodycl@microsoft.com" target="_blank"><span style='color:black'>jodycl@microsoft.com</span></a>> wrote:<o:p></o:p></span></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='background:white'><span style='font-family:"Calibri",sans-serif;color:black'>Ryan, I'm not sure I understand why Google is so intent on this new course of public shaming on this matter and others currently under discussion, but if it helps to do the right thing, then fine. The fact is that the requirement was not addressed, and we need to figure out how to fix the issue for all of our customers. Microsoft has addressed this in Windows 10, but we are not currently planning on back-porting this change to previous operating systems. As such, this change is needed or all of our customers will be affected. </span><span style='color:black'><o:p></o:p></span></p></div></div></blockquote><div><p class=MsoNormal><span style='color:black'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:black'>Jody,<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:black'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:black'>Symantec has 8 months to investigate a solution that doesn't require violating the BRs nor require violating RFC 5280. They've admitted, by Rick, that they've instead chosen to continue to violate the BRs, and are looking to change the BRs to retroactively make this behaviour acceptable. That is unquestionably deserving of censure, on its own merits, regardless of the option.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:black'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:black'>Had Symantec shown that the solution provided to them - which would have functioned properly for all Microsoft users - was not in fact viable, in a timely fashion, and for reasons they could explain, that's certainly worthy of consideration. But that's clearly not the case here, and that's unacceptable behaviour for a publicly trusted CA.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:black'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:black'>The burden of demonstrating why the proposed solution doesn't work should exist with Symantec: They're the only one that can speak to their customers needs, they're the only ones who can investigate the technical viability (as a publicly trusted CA), and they're the only ones who can speak as to why such a solution may not be possible. If the reasons are "because we don't want to", that should seriously inform the response to a ballot, but if there are reasons such as "This doesn't work for reason X", then that could be a meaningfully compelling reason.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:black'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:black'>However, the idea that a Forum member would actively, intentionally, and knowingly violate the BRs in order that they may continue to sell certificates to customers, participating in defining standards that their competitors are obligated to follow but which they themselves do not intend to, and potentially profiting off the customers for which their competitors are obligated to refuse but for which they will clearly accept (in contravention of the BRs), speaks seriously to acting in bad faith and in an anti-competitive manner. And that's deeply troubling.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:black'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:black'>To be clear: The censure is for the behaviour, not for the proposal. Given that this proposal was raised in the past, addressed in the past, and in the 8 months sense, either no good-faith effort was put forward OR no good-faith effort is communicated, is a serious and egregious breach of public trust, and thus deserving of strong and direct response, because if that pattern is practiced and encouraged, it undermines and eliminates any value in the Forum itself.<o:p></o:p></span></p></div></div><p class=MsoNormal><span style='color:black'> <o:p></o:p></span></p></div></div><p class=MsoNormal><span style='color:black'><br><br><br><o:p></o:p></span></p><pre><span style='color:black'>_______________________________________________<o:p></o:p></span></pre><pre><span style='color:black'>Public mailing list<o:p></o:p></span></pre><pre><span style='color:black'><a href="mailto:Public@cabforum.org"><span style='color:black'>Public@cabforum.org</span></a><o:p></o:p></span></pre><pre><span style='color:black'><a href="https://cabforum.org/mailman/listinfo/public"><span style='color:black'>https://cabforum.org/mailman/listinfo/public</span></a><o:p></o:p></span></pre></blockquote><p class=MsoNormal><span style='color:black'> <o:p></o:p></span></p></div></blockquote><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p></div></body></html>