<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>SSC votes: "Yes".</p>
    <p>Thanks,</p>
    <p>M.D.<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 7/28/2016 9:09 PM, Ben Wilson wrote:<br>
    </div>
    <blockquote
      cite="mid:a2525660cdf1467d9be9683f1218c1f0@EX1.corp.digicert.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal">Here is the revised Ballot 169<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="line867"><strong>Ballot 169 - Revised Validation
            Requirements</strong> <o:p></o:p></p>
        <p class="line862">The following motion has been proposed by
          Jeremy Rowley of DigiCert and endorsed by Tim Hollebeek of
          Trustwave and Doug Beattie of GlobalSign: <o:p></o:p></p>
        <p class="line874"><b>Background:</b>  The primary purpose of
          this change is to replace Domain Validation item 7 "Using any
          other method of confirmation which has at least the same level
          of assurance as those methods previously described" with a
          specific list of the approved domain validation methods
          (including new methods proposed by Members). This ballot also
          tightens up and clarifies the existing Domain Validation
          methods 1 through 6. This revised BR 3.2.2.4 describes the
          methods that CAs may use to confirm domain ownership or
          control. Other validation methods can be added in the future.
          <o:p></o:p></p>
        <p class="line874">The Validation Working Group believes the
          domain validation rules should follow the current BR 3.2.2.4
          structure as much as possible so the changes are easy to
          understand, be worded as simply and clearly as possible so as
          to be easily implemented by CAs worldwide, and should avoid
          unnecessary complications or additional requirements that
          don’t address a realistic security threat. If a Forum Member
          believes that any new requirements to these validation methods
          should be added, the Validation Working Group would prefer
          that the new requirements be proposed and discussed by
          separate ballot. <o:p></o:p></p>
        <p class="line874">Attached is a redlined version of the
          Baseline Requirements and an explanatory table.<o:p></o:p></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">--Motion Begins-- </span></b><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif"><o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">Effective date: Prior to 1 March 2017, 
            CAs may use either the domain validation methods of BR
            3.2.2.4 as they existed before this ballot was approved, or
            the domain validation methods as specified in this ballot
            (as they may subsequently be further amended), or both. 
            Effective 1 March 2017, CAs may use only the domain
            validation methods of BR 3.2.2.4 as specified in this ballot
            (or as such methods may subsequently be further amended).<o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">Part A.</span></b><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif"> In Section 1.6.1 of the Baseline
            Requirements INSERT the following definitions
            alphabetically: <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">Authorization Domain Name:</span></b><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif"> The Domain Name used to obtain
            authorization for certificate issuance for a given FQDN. The
            CA may use the FQDN returned from a DNS CNAME lookup as the
            FQDN for the purposes of domain validation. If the FQDN
            contains a wildcard character, then the CA MUST remove all
            wildcard labels from the left most portion of requested
            FQDN. The CA may prune zero or more labels from left to
            right until encountering a Base Domain Name and may use any
            one of the intermediate values for the purpose of domain
            validation. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">Authorized Port:</span></b><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif"> One of the following ports: 80 (http),
            443 (http), 115 (sftp), 25 (smtp), 22 (ssh). <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">Base Domain Name:</span></b><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif"> The portion of an applied-for FQDN that
            is the first domain name node left of a registry-controlled
            or public suffix plus the registry-controlled or public
            suffix (e.g. "example.co.uk" or "example.com").   For FQDNs
            where the right-most domain name node is a gTLD having ICANN
            Specification 13 in its registry agreement, the gTLD itself
            may be used as the Base Domain Name.<o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">Domain Contact:</span></b><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif"> The Domain Name Registrant, technical
            contact, or administrative contact (or the equivalent under
            a ccTLD) as listed in the WHOIS record of the Base Domain
            Name or in a DNS SOA record. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">Random Value:</span></b><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif"> A value specified by a CA to the
            Applicant that exhibits at least 112 bits of entropy. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">Request Token:</span></b><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif"> A value derived in a method specified by
            the CA which binds this demonstration of control to the
            certificate request. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">The Request Token SHALL incorporate the
            key used in the certificate request. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">A Request Token MAY include a timestamp
            to indicate when it was created. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">A Request Token MAY include other
            information to ensure its uniqueness. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">A Request Token that includes a timestamp
            SHALL remain valid for no more than 30 days from the time of
            creation. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">A Request Token that includes a timestamp
            SHALL be treated as invalid if its timestamp is in the
            future. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">A Request Token that does not include a
            timestamp is valid for a single use and the CA SHALL NOT
            re-use it for a subsequent validation. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">The binding SHALL use a digital signature
            algorithm or a cryptographic hash algorithm at least as
            strong as that to be used in signing the certificate
            request. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">Required Website Content:</span></b><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif"> Either a Random Value or a Request
            Token, together with additional information that uniquely
            identifies the Subscriber, as specified by the CA. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">Test Certificate:</span></b><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif"> A Certificate with a maximum validity
            period of 30 days and which: (i) includes a critical
            extension with the specified Test Certificate CABF OID, or
            (ii) is issued under a CA where there are no certificate
            paths/chains to a root certificate subject to these
            Requirements.<o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">Part B.</span></b><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif"> DELETE Section 3.2.2.4 of the Baseline
            Requirements in its entirety and INSERT the following: <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">3.2.2.4 Validation of Domain
              Authorization or Control</span></b><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif"> <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">This section defines the permitted
            processes and procedures for validating the Applicant's
            ownership or control of the domain. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">The CA SHALL confirm that, as of the date
            the Certificate issues, either the CA or a Delegated Third
            Party has validated each Fully-Qualified Domain Name (FQDN)
            listed in the Certificate using at least one of the methods
            listed below. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">Completed confirmations of Applicant
            authority may be valid for the issuance of multiple
            certificates over time. In all cases, the confirmation must
            have been initiated within the time period specified in the
            relevant requirement (such as Section 3.3.1 of this
            document) prior to certificate issuance. For purposes of
            domain validation, the term Applicant includes the
            Applicant's Parent Company, Subsidiary Company, or
            Affiliate. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">Note: FQDNs may be listed in Subscriber
            Certificates using dNSNames in the subjectAltName extension
            or in Subordinate CA Certificates via dNSNames in
            permittedSubtrees within the Name Constraints extension. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">3.2.2.4.1 Validating the Applicant as a
              Domain Contact</span></b><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif"> <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">Confirming the Applicant's control over
            the FQDN by validating the Applicant is the Domain Contact
            directly with the Domain Name Registrar. This method may
            only be used if: <o:p></o:p></span></p>
        <ol start="1" type="1">
          <li class="MsoNormal"
            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1
            level1 lfo3"><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">The CA authenticates the Applicant's
              identity under BR Section 3.2.2.1 and the authority of the
              Applicant Representative under BR Section 3.2.5, OR <o:p></o:p></span></li>
          <li class="MsoNormal"
            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1
            level1 lfo3"><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">The CA authenticates the Applicant's
              identity under EV Guidelines Section 11.2 and the agency
              of the Certificate Approver under EV Guidelines Section
              11.8; OR <o:p></o:p></span></li>
          <li class="MsoNormal"
            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1
            level1 lfo3"><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">The CA is also the Domain Name
              Registrar, or an Affiliate of the Registrar, of the Base
              Domain Name. <o:p></o:p></span></li>
        </ol>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">3.2.2.4.2 Email, Fax, SMS, or Postal
              Mail to Domain Contact</span></b><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif"> <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">Confirming the Applicant's control over
            the FQDN by sending a Random Value via email, fax, SMS, or
            postal mail and then receiving a confirming response
            utilizing the Random Value. The Random Value MUST be sent to
            an email address, fax/SMS number, or postal mail address
            identified as a Domain Contact. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">Each email, fax, SMS, or postal mail MAY
            confirm control of multiple Authorization Domain Names. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">The CA or Delegated Third Party MAY send
            the email, fax, SMS, or postal mail identified under this
            section to more than one recipient provided that every
            recipient is identified by the Domain Name Registrar as
            representing the Domain Name Registrant for every FQDN being
            verified using the email, fax, SMS, or postal mail. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">The Random Value SHALL be unique in each
            email, fax, SMS, or postal mail. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">The CA or Delegated Third Party MAY
            resend the email, fax, SMS, or postal mail in its entirety,
            including re-use of the Random Value, provided that the
            communication's entire contents and recipient(s) remain
            unchanged. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">The Random Value SHALL remain valid for
            use in a confirming response for no more than 30 days from
            its creation. The CPS MAY specify a shorter validity period
            for Random Values, in which case the CA MUST follow its CPS.
            <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">3.2.2.4.3 Phone Contact with Domain
              Contact</span></b><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif"> <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">Confirming the Applicant's control over
            the requested FQDN by calling the Domain Name Registrant's
            phone number and obtaining a response confirming the
            Applicant's request for validation of the FQDN. The CA or
            Delegated Third Party MUST place the call to a phone number
            identified by the Domain Name Registrar as the Domain
            Contact. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">Each phone call SHALL be made to a single
            number and MAY confirm control of multiple FQDNs, provided
            that the phone number is identified by the Domain Registrar
            as a valid contact method for every Base Domain Name being
            verified using the phone call. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">3.2.2.4.4 Constructed Email to Domain
              Contact</span></b><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif"> <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">Confirming the Applicant's control over
            the requested FQDN by (i) sending an email to one or more
            addresses created by using 'admin', 'administrator',
            'webmaster', 'hostmaster', or 'postmaster' as the local
            part, followed by the at-sign ("@"), followed by an
            Authorization Domain Name, (ii) including a Random Value in
            the email, and (iii) receiving a confirming response
            utilizing the Random Value. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">Each email MAY confirm control of
            multiple FQDNs, provided the Authorization Domain Name used
            in the email is an Authorization Domain Name for each FQDN
            being confirmed. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">The Random Value SHALL be unique in each
            email. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">The email MAY be re-sent in its entirety,
            including the re-use of the Random Value, provided that its
            entire contents and recipient SHALL remain unchanged. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">The Random Value SHALL remain valid for
            use in a confirming response for no more than 30 days from
            its creation. The CPS MAY specify a shorter validity period
            for Random Values, in which case the CA. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">3.2.2.4.5 Domain Authorization Document</span></b><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif"> <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">Confirming the Applicant's control over
            the requested FQDN by relying upon the attestation to the
            authority of the Applicant to request a Certificate
            contained in a Domain Authorization Document. The Domain
            Authorization Document MUST substantiate that the
            communication came from the Domain Contact. The CA MUST
            verify that the Domain Authorization Document was either (i)
            dated on or after the date of the domain validation request
            or (ii) that the WHOIS data has not materially changed since
            a previously provided Domain Authorization Document for the
            Domain Name Space. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">3.2.2.4.6 Agreed-Upon Change to Website</span></b><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif"> <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">Confirming the Applicant's control over
            the requested FQDN by confirming one of the following under
            the "/.well-known/pki-validation" directory, or another path
            registered with IANA for the purpose of Domain Validation,
            on the Authorization Domain Name that is accessible by the
            CA via HTTP/HTTPS over an Authorized Port: <o:p></o:p></span></p>
        <ol start="1" type="1">
          <li class="MsoNormal"
            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3
            level1 lfo6"><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">The presence of Required Website
              Content contained in the content of a file or on a web
              page in the form of a meta tag. The entire Required
              Website Content MUST NOT appear in the request used to
              retrieve the file or web page, or <o:p></o:p></span></li>
          <li class="MsoNormal"
            style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3
            level1 lfo6"><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">The presence of the Request Token or
              Request Value contained in the content of a file or on a
              webpage in the form of a meta tag where the Request Token
              or Random Value MUST NOT appear in the request. <o:p></o:p></span></li>
        </ol>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">If a Random Value is used, the CA or
            Delegated Third Party SHALL provide a Random Value unique to
            the certificate request and SHALL not use the Random Value
            after the longer of (i) 30 days or (ii) if the Applicant
            submitted the certificate request, the timeframe permitted
            for reuse of validated information relevant to the
            certificate (such as in Section 3.3.1 of these Guidelines or
            Section 11.14.3 of the EV Guidelines). <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">Note: Examples of Request Tokens include,
            but are not limited to: (i) a hash of the public key; (ii) a
            hash of the Subject Public Key Info [X.509]; and (iii) a
            hash of a PKCS#10 CSR. A Request Token may also be
            concatenated with a timestamp or other data. If a CA wanted
            to always use a hash of a PKCS#10 CSR as a Request Token and
            did not want to incorporate a timestamp and did want to
            allow certificate key re-use then the applicant might use
            the challenge password in the creation of a CSR with OpenSSL
            to ensure uniqueness even if the subject and key are
            identical between subsequent requests. This simplistic shell
            command produces a Request Token which has a timestamp and a
            hash of a CSR. E.g. echo `date -u +%Y%m%d%H%M` `sha256sum
            &lt;r2.csr` | sed "s/[ -]//g" The script outputs:
201602251811c9c863405fe7675a3988b97664ea6baf442019e4e52fa335f406f7c5f26cf14f
            The CA should define in its CPS (or in a document referenced
            from the CPS) the format of Request Tokens it accepts. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">3.2.2.4.7 DNS Change</span></b><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif"> <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">Confirming the Applicant's control over
            the requested FQDN by confirming the presence of a Random
            Value or Request Token in a DNS TXT or CAA record for an
            Authorization Domain Name or an Authorization Domain Name
            that is prefixed with a label that begins with an underscore
            character. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">If a Random Value is used, the CA or
            Delegated Third Party SHALL provide a Random Value unique to
            the certificate request and SHALL not use the Random Value
            after (i) 30 days or (ii) if the Applicant submitted the
            certificate request, the timeframe permitted for reuse of
            validated information relevant to the certificate (such as
            in Section 3.3.1 of these Guidelines or Section 11.14.3 of
            the EV Guidelines). <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">3.2.2.4.8 IP Address</span></b><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif"> <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">Confirming the Applicant's control over
            the requested FQDN by confirming that the Applicant controls
            an IP address returned from a DNS lookup for A or AAAA
            records for the FQDN in accordance with section 3.2.2.5. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">3.2.2.4.9 Test Certificate</span></b><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif"> <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">Confirming the Applicant's control over
            the requested FQDN by confirming the presence of a
            non-expired Test Certificate issued by the CA on the
            Authorization Domain Name and which is accessible by the CA
            via TLS over an Authorized Port for the purpose of issuing a
            Certificate with the same Public Key as in the Test
            Certificate. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">3.2.2.4.10. TLS Using a Random Number</span></b><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif"> <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">Confirming the Applicant's control over
            the requested FQDN by confirming the presence of a Random
            Value within a Certificate on the Authorization Domain Name
            which is accessible by the CA via TLS over an Authorized
            Port. <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
              style="font-size:12.0pt;font-family:"Times New
              Roman",serif">--Motion Ends—<o:p></o:p></span></b></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">The review period for this ballot shall
            commence immediately and close at 2200 UTC on Friday, 29
            July 2016. Unless the motion is withdrawn during the review
            period, the voting period will start immediately thereafter
            and will close at 2200 UTC on Friday, 5 August 2016. Votes
            must be cast by posting an on-list reply to this thread.<o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">A vote in favor of the motion must
            indicate a clear 'yes' in the response. A vote against must
            indicate a clear 'no' in the response. A vote to abstain
            must indicate a clear 'abstain' in the response. Unclear
            responses will not be counted. The latest vote received from
            any representative of a voting member before the close of
            the voting period will be counted. Voting members are listed
            here: <a moz-do-not-send="true"
              href="https://cabforum.org/members/">https://cabforum.org/members/</a><o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
            style="font-size:12.0pt;font-family:"Times New
            Roman",serif">In order for the motion to be adopted,
            two thirds or more of the votes cast by members in the CA
            category and greater than 50% of the votes cast by members
            in the browser category must be in favor. Quorum is
            currently ten (10) members– at least ten members must
            participate in the ballot, either by voting in favor, voting
            against, or abstaining.<o:p></o:p></span></p>
      </div>
      <br>
      <br>
      <pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
    </blockquote>
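    <p>Added example, not part of the ballot text quoted above and not any CA's validation software: CA-side checks for the "Agreed-Upon Change to Website" (3.2.2.4.6) and "DNS Change" (3.2.2.4.7) methods, including the Request Token construction from the ballot's shell command and the Random Value lifetime rule. The function names, the choice of 80/443 as the HTTP/HTTPS Authorized Ports, the <code>_pki-validation</code> label and all sample data are assumptions made for this illustration; the fetch and DNS lookup callbacks are injected so it runs offline.</p>

```python
"""Added example, not part of the ballot or of any CA's software: CA-side
checks for the "Agreed-Upon Change to Website" (3.2.2.4.6) and "DNS Change"
(3.2.2.4.7) methods. Function names, the port set and the sample data below
are assumptions made for this illustration."""
import hashlib
from datetime import datetime, timezone
from urllib.parse import urlsplit

WELL_KNOWN_PATH = "/.well-known/pki-validation/"
AUTHORIZED_PORTS = {80, 443}   # assumption: the HTTP/HTTPS Authorized Ports used here
RANDOM_VALUE_MIN_DAYS = 30     # "SHALL not use the Random Value after ... 30 days"


def utc_stamp(when=None):
    """UTC timestamp in the same YYYYmmddHHMM form as `date -u +%Y%m%d%H%M`."""
    when = when or datetime.now(timezone.utc)
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M")


def make_request_token(csr_bytes, stamp):
    """Mirror of the ballot's shell command: timestamp concatenated with the
    SHA-256 hex digest of the CSR (the sed in the ballot only strips spaces
    and the '-' that sha256sum prints for stdin)."""
    return stamp + hashlib.sha256(csr_bytes).hexdigest()


def random_value_usable(age_days, reuse_window_days):
    """A Random Value may not be used after the longer of (i) 30 days or
    (ii) the reuse window permitted for validated information."""
    return age_days <= max(RANDOM_VALUE_MIN_DAYS, reuse_window_days)


def check_http_validation(url, expected, fetch):
    """3.2.2.4.6: `expected` (Required Website Content, Request Token or
    Random Value) must be served under /.well-known/pki-validation on an
    Authorized Port, and the entire value MUST NOT appear in the request.
    `fetch(url) -> str or None` is injected so the check runs offline."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in AUTHORIZED_PORTS or not parts.path.startswith(WELL_KNOWN_PATH):
        return False
    # A server that merely echoes its request path back would pass a naive
    # substring check; the ballot closes that hole by forbidding the whole
    # value in the request, so reject before fetching anything.
    if expected in url:
        return False
    body = fetch(url)
    # The value may sit in a plain file or in a meta tag; a substring match
    # on the response body covers both forms.
    return body is not None and expected in body


def check_dns_validation(adn, expected, lookup, label=""):
    """3.2.2.4.7: the value must appear in a TXT or CAA record for the
    Authorization Domain Name, or for the ADN prefixed with a label that
    begins with an underscore. `lookup(name, rtype) -> list[str]` is injected."""
    if label and not label.startswith("_"):
        return False
    name = f"{label}.{adn}" if label else adn
    return any(expected in rr for rtype in ("TXT", "CAA") for rr in lookup(name, rtype))


if __name__ == "__main__":
    # Constructed stand-in for a PKCS#10 CSR; a real one would be DER or PEM.
    csr = b"-----BEGIN CERTIFICATE REQUEST-----\nMIIB...constructed...\n-----END CERTIFICATE REQUEST-----\n"
    token = make_request_token(csr, utc_stamp())
    adn = "example.com"   # constructed Authorization Domain Name
    # Constructed responses standing in for the Applicant's web server and DNS zone.
    pages = {f"http://{adn}{WELL_KNOWN_PATH}validation.txt": token + "\n"}
    zone = {(f"_pki-validation.{adn}", "TXT"): [token]}
    print("http:", check_http_validation(f"http://{adn}{WELL_KNOWN_PATH}validation.txt", token, pages.get))
    print("dns: ", check_dns_validation(adn, token, lambda n, t: zone.get((n, t), []), "_pki-validation"))
```

    <p>The rejection of a request whose URL already contains the whole expected value is the part most easily forgotten: it is what stops a server that reflects its request path from "proving" control it does not have. The lifetime check takes the longer of 30 days and the reuse window, as both 3.2.2.4.6 and 3.2.2.4.7 require.</p>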
    <br>
  </body>
</html>