<div dir="ltr">Jeremy,<div><br></div><div>I would be happy to support without the underscore modification. However, so long as that remains, I'm afraid we'd need to vote against this.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jun 10, 2016 at 10:28 AM, Jeremy Rowley <span dir="ltr"><<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="#0563C1" vlink="#954F72"><div><p class="MsoNormal">Looking for two endorsers for the following ballot:<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">The following motion has been proposed by Jeremy Rowley, from DigiCert, and endorsed by ____________________:<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">-- MOTION BEGINS –<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Effective immediately, the follow changes are made to the Baseline Requirements:<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p><u></u><span style="font-size:11.0pt"><span>A)<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="font-size:11.0pt">Section 4.2.2 of the Baseline Requirements is replaced with “No Stipulation”<u></u><u></u></span></p><p><span style="font-size:11.0pt"><u></u> <u></u></span></p><p><u></u><span style="font-size:11.0pt"><span>B)<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="font-size:11.0pt">Add the following definition to Section 1.6.1: <u></u><u></u></span></p><p class="MsoNormal"><u>Wildcard Domain Name: A Domain Name formed by prepending '*.' to a FQDN.<u></u><u></u></u></p><p><span style="font-size:11.0pt"><u></u> <u></u></span></p><p><u></u><span style="font-size:11.0pt"><span>C)<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="font-size:11.0pt">Section 7.1.4.2.1 is amended as follows: <u></u><u></u></span></p><p class="MsoNormal"><b>Certificate Field:</b> extensions:subjectAltName <u></u><u></u></p><p class="MsoNormal"><b>Required/Optional:</b> Required <u></u><u></u></p><p class="MsoNormal"><b>Contents:</b> This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing the Fully<span style="font-family:"Cambria Math",serif">‐</span>Qualified Domain Name, <u>Wildcard Domain Name,</u> <s>or </s>an iPAddress containing the IP address of a server, <u>or an otherName of type SRVName as defined in RFC4985</u>. <u>An entry MUST NOT be an Internal name or Reserved IP Address.</u> The CA MUST confirm the entry as follows:<u></u><u></u></p><p><u></u><span style="font-size:11.0pt"><span>a)<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><u><span style="font-size:11.0pt">For a</span></u><span style="font-size:11.0pt"> Fully</span><span style="font-size:11.0pt;font-family:"Cambria Math",serif">‐</span><span style="font-size:11.0pt">Qualified Domain Name <u>or Wildcard Domain Name entry, the CA MUST verify the entry in accordance with Section 3.2.2.4;</u><u></u><u></u></span></p><p><u></u><span style="font-size:11.0pt"><span>b)<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><u><span style="font-size:11.0pt">For a SRVName entry, the CA MUST verify the Name portion of the entry in accordance with Section 3.2.2.4; and <u></u><u></u></span></u></p><p><u></u><span style="font-size:11.0pt"><span>c)<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><u><span style="font-size:11.0pt">For</span></u><span style="font-size:11.0pt"> an IP address entry, <u>the CA MUST verify the entry in accordance with Section 3.2.2.5</u> <s>or has been granted the right to use it by the Domain Name Registrant or IP address assignee, as appropriate</s>. <s>Wildcard FQDNs are permitted.</s> <u></u><u></u></span></p><p><u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">As exceptions to RFC5280 and X.509, dNSName entries MAY contain Wildcard Domain Names, and FQDNs and Wildcard Domain Names MAY contain the underscore character ("_") in any location where the hyphen character ("-") is allowed. SRVName entries MUST NOT contain Wildcard Domain Names.</span></u><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u><u></u></span></p><p><u>If a name constrained CA has a dNSName constraint but does not have a constraint for SRVNames, the CA MUST NOT issue certificates containing SRVNames.</u><u></u><u></u></p><p><u></u> <u></u></p><p class="MsoNormal"><s>As of the Effective Date of these Requirements, prior to the issuance of a Certificate with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Name, the CA SHALL notify the Applicant that the use of such Certificates has been deprecated by the CA / Browser Forum and that the practice will be eliminated by October 2016. Also as of the Effective Date, the</s> CA<u>s</u> SHALL NOT issue a certificate <s>with an Expiry Date later than 1 November 2015 </s>with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Name. Effective 1 October 2016, CAs SHALL revoke all unexpired Certificates whose subjectAlternativeName extension or Subject commonName field contains a Reserved IP Address or Internal Name. <s>Effective May 1, 2015, each CA SHALL revoke all unexpired Certificates with an Internal Name using onion as the right</s><s><span style="font-family:"Cambria Math",serif">‐</span>most label in an entry in the subjectAltName Extension or commonName field unless such Certificate was issued in accordance with Appendix F of the EV Guidelines.<u></u><u></u></s></p><p><u></u> <u></u></p><p>---- END BALLOT ----<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><u></u> <u></u></p></div></div><br>_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
<br></blockquote></div><br></div>