<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Good points. I’m thinking we should just wait until October to make the internal name changes and separately ballot the SRV names instead.<o:p></o:p></span></p><p class=MsoNormal><a name="_MailEndCompose"><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></a></p><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Ryan Sleevi [mailto:sleevi@google.com] <br><b>Sent:</b> Wednesday, May 25, 2016 5:00 AM<br><b>To:</b> Jeremy Rowley <jeremy.rowley@digicert.com><br><b>Cc:</b> Tim Hollebeek <THollebeek@trustwave.com>; Richard Barnes <rbarnes@mozilla.com>; Dean Coclin <Dean_Coclin@symantec.com>; public@cabforum.org<br><b>Subject:</b> Re: [cabfpub] FW: BR – Contradiction on gTLDs<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Replacing 4.2.2 with "No Stipulation" sooner than 2016-10-01 introduces new risk. <o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>2016-10-01 is the "revoke all Internal name certificates" (see 7.1.4.2.1). The current Section 4.2.2 includes an "advance revocation" timeline for names that ICANN is contracting with. I suspect further massaging is necessary to retain that paragraph. (While I'm aware that even if we passed a ballot two weeks from now, it would be after 1 October 2016, I'm concerned for the set of domains approved by ICANN whose 120 day period would occur between now and 1 October 2016)<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I'm sure this level of pedantry comes as no surprise.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The other is still the desire to decouple underscores from the wildcard bits. The underscores in the DNS are gross, not permitted today, and cause enough interoperability trouble that even if some are using them, aren't something to be encouraged. People who absolutely insist on such certificates can be met with wildcards, but again, it's something that should be deprecated, not encouraged.<o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Wed, May 25, 2016 at 3:39 AM, Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Sounds great. Thanks Tim.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><a name="m_-1214395072066104633__MailEndCompose"><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span></a><o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Tim Hollebeek [mailto:<a href="mailto:THollebeek@trustwave.com" target="_blank">THollebeek@trustwave.com</a>] <br><b>Sent:</b> Wednesday, May 25, 2016 4:10 AM<br><b>To:</b> Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>>; Richard Barnes <<a href="mailto:rbarnes@mozilla.com" target="_blank">rbarnes@mozilla.com</a>>; Ryan Sleevi <<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>><br><b>Cc:</b> Dean Coclin <<a href="mailto:Dean_Coclin@symantec.com" target="_blank">Dean_Coclin@symantec.com</a>>; <a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a><br><b>Subject:</b> RE: [cabfpub] FW: BR – Contradiction on gTLDs</span><o:p></o:p></p></div></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>How about replacing:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><o:p></o:p></p><p><u>As exceptions to RFC5280 and X.509, Wildcard Domain Names are permitted in dNSName entries and the underscore character ("_") is permitted in FQDNs and Wildcard Domain Names in any location where the hyphen character ("-") is allowed. Wildcard Domain Names are not allowed in SRVName entries.</u><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>With:</span><o:p></o:p></p><p> <o:p></o:p></p><p><u>As exceptions to RFC5280 and X.509, dNSName entries MAY contain Wildcard Domain Names, and FQDNs and Wildcard Domain Names MAY contain the underscore character ("_") in any location where the hyphen character ("-") is allowed. SRVName entries MUST NOT contain Wildcard Domain Names.</u><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Just to make it clear these are requirements.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>-Tim</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'> <a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org" target="_blank">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Jeremy Rowley<br><b>Sent:</b> Wednesday, May 25, 2016 11:59 AM<br><b>To:</b> Richard Barnes; Ryan Sleevi<br><b>Cc:</b> Dean Coclin; <a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a><br><b>Subject:</b> Re: [cabfpub] FW: BR – Contradiction on gTLDs</span><o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'>Could we combine this with Peter’s SRV ballot since they affect the same section? Here’s a first draft of a potential ballot:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'>The following motion has been proposed by ___________________ and endorsed by ____________________:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'>-- MOTION BEGINS –</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'>Effective immediately, the follow changes are made to the Baseline Requirements:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'> </span><o:p></o:p></p><p><span style='font-size:11.0pt'>A)</span><span style='font-size:7.0pt'> </span><span style='font-size:11.0pt'>Section 4.2.2 of the Baseline Requirements is replaced with “No Stipulation”</span><o:p></o:p></p><p><span style='font-size:11.0pt'> </span><o:p></o:p></p><p><span style='font-size:11.0pt'>B)</span><span style='font-size:7.0pt'> </span><span style='font-size:11.0pt'>Add the following definition to Section 1.6.1: </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><u><span style='font-size:11.0pt'>Wildcard Domain Name: A Domain Name formed by prepending '*.' to a FQDN.</span></u><o:p></o:p></p><p><span style='font-size:11.0pt'> </span><o:p></o:p></p><p><span style='font-size:11.0pt'>C)</span><span style='font-size:7.0pt'> </span><span style='font-size:11.0pt'>Section 7.1.4.2.1 is amended as follows: </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:11.0pt'>Certificate Field:</span></b><span style='font-size:11.0pt'> extensions:subjectAltName </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:11.0pt'>Required/Optional:</span></b><span style='font-size:11.0pt'> Required </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:11.0pt'>Contents:</span></b><span style='font-size:11.0pt'> This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing the Fully</span><span style='font-size:11.0pt;font-family:"Cambria Math",serif'>‐</span><span style='font-size:11.0pt'>Qualified Domain Name, <u>Wildcard Domain Name,</u> <s>or </s>an iPAddress containing the IP address of a server, <u>or an otherName of type SRVName as defined in RFC4985</u>. <u>An entry MUST NOT be an Internal name or Reserved IP Address.</u> The CA MUST confirm the entry as follows:</span><o:p></o:p></p><p><span style='font-size:11.0pt'>a)</span><span style='font-size:7.0pt'> </span><u><span style='font-size:11.0pt'>For a</span></u><span style='font-size:11.0pt'> Fully</span><span style='font-size:11.0pt;font-family:"Cambria Math",serif'>‐</span><span style='font-size:11.0pt'>Qualified Domain Name <u>or Wildcard Domain Name entry, the CA MUST verify the entry in accordance with Section 3.2.2.4;</u></span><o:p></o:p></p><p><span style='font-size:11.0pt'>b)</span><span style='font-size:7.0pt'> </span><u><span style='font-size:11.0pt'>For a SRVName entry, the CA MUST verify the Name portion of the entry in accordance with Section 3.2.2.4; and </span></u><o:p></o:p></p><p><span style='font-size:11.0pt'>c)</span><span style='font-size:7.0pt'> </span><u><span style='font-size:11.0pt'>For</span></u><span style='font-size:11.0pt'> an IP address entry, <u>the CA MUST verify the entry in accordance with Section 3.2.2.5</u> <s>or has been granted the right to use it by the Domain Name Registrant or IP address assignee, as appropriate</s>. <s>Wildcard FQDNs are permitted.</s> </span><o:p></o:p></p><p> <o:p></o:p></p><p><u>As exceptions to RFC5280 and X.509, Wildcard Domain Names are permitted in dNSName entries and the underscore character ("_") is permitted in FQDNs and Wildcard Domain Names in any location where the hyphen character ("-") is allowed. Wildcard Domain Names are not allowed in SRVName entries.</u><o:p></o:p></p><p> <o:p></o:p></p><p><u>If a name constrained CA has a dNSName constraint but does not have a constraint for SRVNames, the CA MUST NOT issue certificates containing SRVNames where the Name portion is in an excluded dNSName subtree. Such a CA also MUST NOT issue certificates containing SRVNames where the Name portion is not in a permitted dNSName subtree if at least one permitted dNSName subtree exists.</u><o:p></o:p></p><p> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><s><span style='font-size:11.0pt'>As of the Effective Date of these Requirements, prior to the issuance of a Certificate with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Name, the CA SHALL notify the Applicant that the use of such Certificates has been deprecated by the CA / Browser Forum and that the practice will be eliminated by October 2016. Also as of the Effective Date, the CA SHALL NOT issue a certificate with an Expiry Date later than 1 November 2015 with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Name. Effective 1 October 2016, CAs SHALL revoke all unexpired Certificates whose subjectAlternativeName extension or Subject commonName field contains a Reserved IP Address or Internal Name. Effective May 1, 2015, each CA SHALL revoke all unexpired Certificates with an Internal Name using onion as the right</span></s><s><span style='font-size:11.0pt;font-family:"Cambria Math",serif'>‐</span></s><s><span style='font-size:11.0pt'>most label in an entry in the subjectAltName Extension or commonName field unless such Certificate was issued in accordance with Appendix F of the EV Guidelines.</span></s><o:p></o:p></p><p> <o:p></o:p></p><p>---- END BALLOT ----<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:11.0pt'>From:</span></b><span style='font-size:11.0pt'> <a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org" target="_blank">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Richard Barnes<br><b>Sent:</b> Tuesday, May 24, 2016 6:59 AM<br><b>To:</b> Ryan Sleevi <<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>><br><b>Cc:</b> Dean Coclin <<a href="mailto:Dean_Coclin@symantec.com" target="_blank">Dean_Coclin@symantec.com</a>>; <a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a><br><b>Subject:</b> Re: [cabfpub] FW: BR – Contradiction on gTLDs</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'> </span><o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'>+1</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'> </span><o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'>On Tue, May 24, 2016 at 6:08 AM, Ryan Sleevi <<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>> wrote:</span><o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'>Yes, this is just one of the 'legacy leftovers' that could be cleaned up in a subsequent ballot. CAs MUST NOT issue certificates for Internal Names now.</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'> </span><o:p></o:p></p><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'>On Tue, May 24, 2016 at 2:52 AM, Dean Coclin <<a href="mailto:Dean_Coclin@symantec.com" target="_blank">Dean_Coclin@symantec.com</a>> wrote:</span><o:p></o:p></p></div></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'>Forum-Please review this question.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'><br>Dean</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#1F497D'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:11.0pt'>From:</span></b><span style='font-size:11.0pt'> Adam, Daniel (US - San Francisco) <br><b>Sent:</b> Friday, May 20, 2016 3:59 AM<br><b>To:</b> Sheehy, Don <br><b>Subject:</b> Can you send this to the CA/B Forum public list?</span><o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB style='font-size:11.0pt'>Subject: BR – Contradiction on gTLDs</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB style='font-size:11.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB style='font-size:11.0pt'>Baseline Requirements 1.3.4 defines an ‘Internal Name’ as: <i>A string of characters (not an IP address) in a Common Name or Subject Alternative Name field of a Certificate that cannot be verified as globally unique within the public DNS at the time of certificate issuance because it does not end with a Top Level Domain registered in IANA’s Root Zone Database.</i></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><i><span lang=EN-GB style='font-size:11.0pt'> </span></i><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB style='font-size:11.0pt'>Section 4.2.2 states that CAs SHOULD NOT issue certificates containing new gTLDs under consideration by ICANN and warn the applicant of this etc.. This suggests that, although not recommended, it is still permissible for CAs to issue these type of certificates. However, this appears to be contradicted in Section 7.1.4.2.1 which states that CAs SHALL NOT issue certificates containing an Internal Name that expire later than 1 November 2015. Since we are well past that date, this is interpreted as CAs SHALL NOT issue any more certificates containing Internal Names, which includes any gTLDs that are under consideration by ICANN as those are publically unresolvable (and by definition, an ‘Internal Name’) until the day they are included in the IANA Root Zone.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB style='font-size:11.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB style='font-size:11.0pt'>Therefore, isn’t this criterion in 4.2.2 redundant as these certificates are not supposed to be issued anymore?</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB style='font-size:11.0pt'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-GB style='font-size:11.0pt'> </span><o:p></o:p></p><p><span lang=ES-US style='font-size:11.0pt'> </span><o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'> </span><o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span style='font-size:11.0pt'>_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org" target="_blank">Public@cabforum.org</a><br><a href="http://scanmail.trustwave.com/?c=4062&d=iPfF1xNvY-Di6rdPKoXw30G5ElNV25Leun0oJee3Ug&s=5&u=https%3a%2f%2fcabforum%2eorg%2fmailman%2flistinfo%2fpublic" target="_blank">https://cabforum.org/mailman/listinfo/public</a></span><o:p></o:p></p></blockquote></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'> </span><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span style='font-size:11.0pt'><br>_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org" target="_blank">Public@cabforum.org</a><br><a href="http://scanmail.trustwave.com/?c=4062&d=iPfF1xNvY-Di6rdPKoXw30G5ElNV25Leun0oJee3Ug&s=5&u=https%3a%2f%2fcabforum%2eorg%2fmailman%2flistinfo%2fpublic" target="_blank">https://cabforum.org/mailman/listinfo/public</a></span><o:p></o:p></p></blockquote></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'> </span><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div class=MsoNormal align=center style='text-align:center'><hr size=5 width="100%" align=center></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:7.5pt;font-family:"Arial",sans-serif;color:gray'><br>This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.</span><o:p></o:p></p></div></div></div></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>