<div style="font:14px/1.5 'Lucida Grande', '微软雅黑';color:#333;"><p style="font:14px/1.5 'Courier New';margin:0;">GDCA votes yes to Ballot 169.</p><span style="font: 14px/1.5 'Lucida Grande';color:#333;"><br></span><div class="foxmail_blockquote_fromhere_element" style="font: 12px/1.5 'Lucida Grande';padding:2px 0 2px 0;"><span style="color:#333;text-decoration:line-through;white-space:pre-wrap;"> </span> Original Message <span style="color:#333;text-decoration:line-through;white-space:pre-wrap;"> </span></div><div style="font: 12px/1.5 'Lucida Grande';background:#efefef;color:#666666;padding:8px;"><div><b style="color:#999;">From:</b> Enric Castillo<enric.castillo@anf.es></div><div><b style="color:#999;">To:</b> public<public@cabforum.org></div><div><b style="color:#999;">Sent:</b> August 5, 2016 (Friday) 06:24</div><div><b style="color:#999;">Subject:</b> Re: [cabfpub] Voting has started for Ballot 169 - Revised Validation Requirements - ENDS FRIDAY!</div></div><br><div class="mail_quote_114A8DE161CD410C8073E494A123070F" style="font: 14px/1.5 'Lucida Grande';color:#333;">
<div bgcolor="#FFFFFF" text="#000000">
<p>ANF Autoridad de Certificación votes yes.<br>
</p>
<br>
<div class="moz-cite-prefix">On 03/08/2016 at 16:33, Kirk Hall
wrote:<br>
</div>
<blockquote cite="mid:d7f3ee1c465b4a2db1c60140e33189c3@PMSPEX04.corporate.datacard.com" type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Voting on this
ballot started July 29, and will end at 2200 UTC (3 pm
Pacific, 6 pm Eastern)
</span><b><u><span style="color:red">this Friday August 5 </span></u></b><span style="color:#1F497D">(that’s just
<u>two days</u> from now). <b>So please vote!</b><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Entrust votes
yes.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b>
<a class="moz-txt-link-abbreviated" href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a class="moz-txt-link-freetext" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Ben Wilson<br>
<b>Sent:</b> Thursday, July 28, 2016 11:10 AM<br>
<b>To:</b> CABFPub <a class="moz-txt-link-rfc2396E" href="mailto:public@cabforum.org"><public@cabforum.org></a><br>
<b>Subject:</b> Re: [cabfpub] Ballot 169 - Revised
Validation Requirements<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Here is the revised Ballot 169.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="line867"><strong>Ballot 169 - Revised Validation
Requirements</strong> <o:p>
</o:p></p>
<p class="line862">The following motion has been proposed by
Jeremy Rowley of DigiCert and endorsed by Tim Hollebeek of
Trustwave and Doug Beattie of GlobalSign:
<o:p></o:p></p>
<p class="line874"><b>Background:</b> The primary purpose of
this change is to replace Domain Validation item 7 "Using any
other method of confirmation which has at least the same level
of assurance as those methods previously described" with a
specific list of the approved domain validation methods
(including new methods proposed by Members). This ballot also
tightens up and clarifies the existing Domain Validation
methods 1 through 6. This revised BR 3.2.2.4 describes the
methods that CAs may use to confirm domain ownership or
control. Other validation methods can be added in the future.
<o:p></o:p></p>
<p class="line874">The Validation Working Group believes the
domain validation rules should follow the current BR 3.2.2.4
structure as much as possible so the changes are easy to
understand, be worded as simply and clearly as possible so as
to be easily implemented by CAs worldwide, and should avoid
unnecessary complications or additional requirements that
don’t address a realistic security threat. If a Forum Member
believes that any new requirements to these validation methods
should be added, the Validation Working Group would prefer
that the new requirements be proposed and discussed by
separate ballot.
<o:p></o:p></p>
<p class="line874">Attached is a redlined version of the
Baseline Requirements and an explanatory table.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">--Motion Begins--
</span></b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Effective date: Prior to 1 March 2017,
CAs may use either the domain validation methods of BR
3.2.2.4 as they existed before this ballot was approved, or
the domain validation methods as specified in this ballot
(as they may subsequently be further amended), or both.
Effective 1 March 2017, CAs may use only the domain
validation methods of BR 3.2.2.4 as specified in this ballot
(or as such methods may subsequently be further amended).<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Part A.</span></b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif"> In Section 1.6.1 of the Baseline
Requirements INSERT the following definitions
alphabetically: <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Authorization Domain Name:</span></b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif"> The Domain Name used to obtain
authorization for certificate issuance for a given FQDN. The
CA may use the FQDN returned from a DNS CNAME lookup as the
FQDN for the purposes of domain validation. If the FQDN
contains a wildcard character, then the CA MUST remove all
wildcard labels from the leftmost portion of the requested
FQDN. The CA may prune zero or more labels from left to
right until encountering a Base Domain Name and may use any
one of the intermediate values for the purpose of domain
validation.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Authorized Port:</span></b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif"> One of the following ports: 80 (http),
443 (http), 115 (sftp), 25 (smtp), 22 (ssh). <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Base Domain Name:</span></b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif"> The portion of an applied-for FQDN that
is the first domain name node left of a registry-controlled
or public suffix plus the registry-controlled or public
suffix (e.g. "example.co.uk" or "example.com"). For FQDNs
where the right-most domain name node is a gTLD having ICANN
Specification 13 in its registry agreement, the gTLD itself
may be used as the Base Domain Name.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Domain Contact:</span></b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif"> The Domain Name Registrant, technical
contact, or administrative contact (or the equivalent under
a ccTLD) as listed in the WHOIS record of the Base Domain
Name or in a DNS SOA record.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Random Value:</span></b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif"> A value specified by a CA to the
Applicant that exhibits at least 112 bits of entropy. <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Request Token:</span></b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif"> A value derived in a method specified by
the CA which binds this demonstration of control to the
certificate request.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">The Request Token SHALL incorporate the
key used in the certificate request.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">A Request Token MAY include a timestamp
to indicate when it was created.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">A Request Token MAY include other
information to ensure its uniqueness.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">A Request Token that includes a timestamp
SHALL remain valid for no more than 30 days from the time of
creation.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">A Request Token that includes a timestamp
SHALL be treated as invalid if its timestamp is in the
future.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">A Request Token that does not include a
timestamp is valid for a single use and the CA SHALL NOT
re-use it for a subsequent validation. <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">The binding SHALL use a digital signature
algorithm or a cryptographic hash algorithm at least as
strong as that to be used in signing the certificate
request. <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Required Website Content:</span></b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif"> Either a Random Value or a Request
Token, together with additional information that uniquely
identifies the Subscriber, as specified by the CA.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Test Certificate:</span></b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif"> A Certificate with a maximum validity
period of 30 days and which: (i) includes a critical
extension with the specified Test Certificate CABF OID, or
(ii) is issued under a CA where there are no certificate
paths/chains to a root certificate subject to these
Requirements.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Part B.</span></b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif"> DELETE Section 3.2.2.4 of the Baseline
Requirements in its entirety and INSERT the following: <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">3.2.2.4 Validation of Domain
Authorization or Control</span></b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">This section defines the permitted
processes and procedures for validating the Applicant's
ownership or control of the domain. <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">The CA SHALL confirm that, as of the date
the Certificate issues, either the CA or a Delegated Third
Party has validated each Fully-Qualified Domain Name (FQDN)
listed in the Certificate using at least one of the methods
listed below.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Completed confirmations of Applicant
authority may be valid for the issuance of multiple
certificates over time. In all cases, the confirmation must
have been initiated within the time period specified in the
relevant requirement (such as Section 3.3.1 of this
document) prior to certificate issuance. For purposes of
domain validation, the term Applicant includes the
Applicant's Parent Company, Subsidiary Company, or
Affiliate. <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Note: FQDNs may be listed in Subscriber
Certificates using dNSNames in the subjectAltName extension
or in Subordinate CA Certificates via dNSNames in
permittedSubtrees within the Name Constraints extension.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">3.2.2.4.1 Validating the Applicant as a
Domain Contact</span></b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Confirming the Applicant's control over
the FQDN by validating the Applicant is the Domain Contact
directly with the Domain Name Registrar. This method may
only be used if: <o:p></o:p></span></p>
<ol start="1" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1
level1 lfo3">
<span style="font-size:12.0pt;font-family:"Times New
Roman",serif">The CA authenticates the Applicant's
identity under BR Section 3.2.2.1 and the authority of the
Applicant Representative under BR Section 3.2.5, OR
<o:p></o:p></span></li>
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1
level1 lfo3">
<span style="font-size:12.0pt;font-family:"Times New
Roman",serif">The CA authenticates the Applicant's
identity under EV Guidelines Section 11.2 and the agency
of the Certificate Approver under EV Guidelines Section
11.8; OR
<o:p></o:p></span></li>
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1
level1 lfo3">
<span style="font-size:12.0pt;font-family:"Times New
Roman",serif">The CA is also the Domain Name
Registrar, or an Affiliate of the Registrar, of the Base
Domain Name.
<o:p></o:p></span></li>
</ol>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">3.2.2.4.2 Email, Fax, SMS, or Postal
Mail to Domain Contact</span></b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Confirming the Applicant's control over
the FQDN by sending a Random Value via email, fax, SMS, or
postal mail and then receiving a confirming response
utilizing the Random Value. The Random Value MUST be sent to
an email address, fax/SMS number, or postal mail address
identified as a Domain Contact.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Each email, fax, SMS, or postal mail MAY
confirm control of multiple Authorization Domain Names.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">The CA or Delegated Third Party MAY send
the email, fax, SMS, or postal mail identified under this
section to more than one recipient provided that every
recipient is identified by the Domain Name Registrar as
representing the Domain Name Registrant for every FQDN being
verified using the email, fax, SMS, or postal mail.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">The Random Value SHALL be unique in each
email, fax, SMS, or postal mail.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">The CA or Delegated Third Party MAY
resend the email, fax, SMS, or postal mail in its entirety,
including re-use of the Random Value, provided that the
communication's entire contents and recipient(s) remain
unchanged.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">The Random Value SHALL remain valid for
use in a confirming response for no more than 30 days from
its creation. The CPS MAY specify a shorter validity period
for Random Values, in which case the CA MUST follow its CPS.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">3.2.2.4.3 Phone Contact with Domain
Contact</span></b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Confirming the Applicant's control over
the requested FQDN by calling the Domain Name Registrant's
phone number and obtaining a response confirming the
Applicant's request for validation of the FQDN. The CA or
Delegated Third Party MUST place the call to a phone number
identified by the Domain Name Registrar as the Domain
Contact.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Each phone call SHALL be made to a single
number and MAY confirm control of multiple FQDNs, provided
that the phone number is identified by the Domain Registrar
as a valid contact method for every Base Domain Name being
verified using the phone call.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">3.2.2.4.4 Constructed Email to Domain
Contact</span></b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Confirming the Applicant's control over
the requested FQDN by (i) sending an email to one or more
addresses created by using 'admin', 'administrator',
'webmaster', 'hostmaster', or 'postmaster' as the local
part, followed by the at-sign ("@"), followed by an
Authorization Domain Name, (ii) including a Random Value in
the email, and (iii) receiving a confirming response
utilizing the Random Value. <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Each email MAY confirm control of
multiple FQDNs, provided the Authorization Domain Name used
in the email is an Authorization Domain Name for each FQDN
being confirmed. <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">The Random Value SHALL be unique in each
email.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">The email MAY be re-sent in its entirety,
including the re-use of the Random Value, provided that its
entire contents and recipient SHALL remain unchanged. <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">The Random Value SHALL remain valid for
use in a confirming response for no more than 30 days from
its creation. The CPS MAY specify a shorter validity period
for Random Values, in which case the CA.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">3.2.2.4.5 Domain Authorization Document</span></b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Confirming the Applicant's control over
the requested FQDN by relying upon the attestation to the
authority of the Applicant to request a Certificate
contained in a Domain Authorization Document. The Domain
Authorization Document MUST substantiate that the
communication came from the Domain Contact. The CA MUST
verify that the Domain Authorization Document was either (i)
dated on or after the date of the domain validation request
or (ii) that the WHOIS data has not materially changed since
a previously provided Domain Authorization Document for the
Domain Name Space.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">3.2.2.4.6 Agreed-Upon Change to Website</span></b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Confirming the Applicant's control over
the requested FQDN by confirming one of the following under
the "/.well-known/pki-validation" directory, or another path
registered with IANA for the purpose of Domain Validation,
on the Authorization Domain Name that is accessible by the
CA via HTTP/HTTPS over an Authorized Port:
<o:p></o:p></span></p>
<ol start="1" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3
level1 lfo6">
<span style="font-size:12.0pt;font-family:"Times New
Roman",serif">The presence of Required Website
Content contained in the content of a file or on a web
page in the form of a meta tag. The entire Required
Website Content MUST NOT appear in the request used to
retrieve the file or web page, or <o:p></o:p></span></li>
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3
level1 lfo6">
<span style="font-size:12.0pt;font-family:"Times New
Roman",serif">The presence of the Request Token or
Request Value contained in the content of a file or on a
webpage in the form of a meta tag where the Request Token
or Random Value MUST NOT appear in the request. <o:p></o:p></span></li>
</ol>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">If a Random Value is used, the CA or
Delegated Third Party SHALL provide a Random Value unique to
the certificate request and SHALL not use the Random Value
after the longer of (i) 30 days or (ii) if the Applicant
submitted the certificate request, the timeframe permitted
for reuse of validated information relevant to the
certificate (such as in Section 3.3.1 of these Guidelines or
Section 11.14.3 of the EV Guidelines). <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Note: Examples of Request Tokens include,
but are not limited to: (i) a hash of the public key; (ii) a
hash of the Subject Public Key Info [X.509]; and (iii) a
hash of a PKCS#10 CSR. A Request Token may also be
concatenated with a timestamp or other data. If a CA wanted
to always use a hash of a PKCS#10 CSR as a Request Token and
did not want to incorporate a timestamp and did want to
allow certificate key re-use then the applicant might use
the challenge password in the creation of a CSR with OpenSSL
to ensure uniqueness even if the subject and key are
identical between subsequent requests. This simplistic shell
command produces a Request Token which has a timestamp and a
hash of a CSR. E.g. echo $(date -u +%Y%m%d%H%M) $(sha256sum <r2.csr) | sed "s/[ -]//g"
(the sed removes the spaces and the trailing "-" that sha256sum prints, leaving the timestamp concatenated with the hex digest). The script outputs:
201602251811c9c863405fe7675a3988b97664ea6baf442019e4e52fa335f406f7c5f26cf14f
The CA should define in its CPS (or in a document referenced
from the CPS) the format of Request Tokens it accepts.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">3.2.2.4.7 DNS Change</span></b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Confirming the Applicant's control over
the requested FQDN by confirming the presence of a Random
Value or Request Token in a DNS TXT or CAA record for an
Authorization Domain Name or an Authorization Domain Name
that is prefixed with a label that begins with an underscore
character.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">If a Random Value is used, the CA or
Delegated Third Party SHALL provide a Random Value unique to
the certificate request and SHALL not use the Random Value
after (i) 30 days or (ii) if the Applicant submitted the
certificate request, the timeframe permitted for reuse of
validated information relevant to the certificate (such as
in Section 3.3.1 of these Guidelines or Section 11.14.3 of
the EV Guidelines). <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">3.2.2.4.8 IP Address</span></b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Confirming the Applicant's control over
the requested FQDN by confirming that the Applicant controls
an IP address returned from a DNS lookup for A or AAAA
records for the FQDN in accordance with section 3.2.2.5.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">3.2.2.4.9 Test Certificate</span></b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Confirming the Applicant's control over
the requested FQDN by confirming the presence of a
non-expired Test Certificate issued by the CA on the
Authorization Domain Name and which is accessible by the CA
via TLS over an Authorized Port for the purpose of issuing a
Certificate with the same Public Key as in the Test
Certificate.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">3.2.2.4.10. TLS Using a Random Number</span></b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Confirming the Applicant's control over
the requested FQDN by confirming the presence of a Random
Value within a Certificate on the Authorization Domain Name
which is accessible by the CA via TLS over an Authorized
Port.
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">--Motion Ends--<o:p></o:p></span></b></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">The review period for this ballot shall
commence immediately and close at 2200 UTC on Friday, 29
July 2016. Unless the motion is withdrawn during the review
period, the voting period will start immediately thereafter
and will close at 2200 UTC on Friday, 5 August 2016. Votes
must be cast by posting an on-list reply to this thread.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">A vote in favor of the motion must
indicate a clear 'yes' in the response. A vote against must
indicate a clear 'no' in the response. A vote to abstain
must indicate a clear 'abstain' in the response. Unclear
responses will not be counted. The latest vote received from
any representative of a voting member before the close of
the voting period will be counted. Voting members are listed
here: <a moz-do-not-send="true" href="https://cabforum.org/members/">https://cabforum.org/members/</a><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">In order for the motion to be adopted,
two thirds or more of the votes cast by members in the CA
category and greater than 50% of the votes cast by members
in the browser category must be in favor. Quorum is
currently ten (10) members – at least ten members must
participate in the ballot, either by voting in favor, voting
against, or abstaining.<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<table border="0" cellpadding="5" cellspacing="0">
<tbody>
<tr>
<td> <img title="ANF AC - Autoridad de certificación" alt="ANF AC - Autoridad de certificación" src="cid:part2.9E3C80DB.AAC1DD1E@anf.es" width="140" style="width: 140px; height: 92px; " modifysize="92%"> </td>
<td> <b><font style="font-family:arial" color="#1C1C1C" size="3"> Enric Castillo </font></b><br>
<font style="font-family:arial" color="#6e6e6e" size="-1"><i>
Technical Director </i><br>
ANF Autoridad de Certificación </font> <br>
<font style="font-family:arial" color="#424242" size="-1">
<img title="Teléfono" src="cid:part3.F11448F4.18469B7F@anf.es" height="15" width="15" style="width: 15px; height: 15px; " modifysize="50%"> +34 626818285 <font size="-2"><i>(Mobile)</i></font>
<br>
<font style="font-family:arial" color="#424242" size="-1"> <img title="Dirección" src="cid:part4.225F4F0D.28777A24@anf.es" height="15" width="15" style="width: 15px; height: 15px; " modifysize="50%"> Gran Vía de Les Corts Catalanes 996,
Barcelona <br>
<font style="font-family:arial" color="#424242" size="-1"> <img title="Teléfono" src="cid:part3.F11448F4.18469B7F@anf.es" height="15" width="15" style="width: 15px; height: 15px; " modifysize="50%"> +593 0 996483798 <font size="-2"><i>(Mobile)</i></font> <br>
<font style="font-family:arial" color="#424242" size="-1"> <img title="Teléfono" src="cid:part3.F11448F4.18469B7F@anf.es" height="15" width="15" style="width: 15px; height: 15px; " modifysize="50%"> +593 2 2550002<!--font size="-2"><i>(llamada nacional)</i></font-->
<br>
<font style="font-family:arial" color="#424242" size="-1"> <img title="Dirección" src="cid:part4.225F4F0D.28777A24@anf.es" height="15" width="15" style="width: 15px; height: 15px; " modifysize="50%"> Av. 12 de Octubre
N24-562 y Luis Cordero, Edif. World Trade
Center, Torre A, Piso 11, Ofi. 1102, Quito <br>
<font style="font-family:arial" size="-1"> <img title="Dirección de Skype" src="cid:part8.89D40A10.30F51AA5@anf.es" height="15" width="15" style="width: 15px; height: 15px; " modifysize="50%"> castillo.enric </font>
<br>
<font style="font-family:arial" size="-1"> <img title="Dirección de correo electrónico" src="cid:part9.9F0A4127.2C8FCC4D@anf.es" height="15" width="15" style="width: 15px; height: 15px; " modifysize="50%">
<a class="moz-txt-link-abbreviated" href="mailto:enric.castillo@anf.es">enric.castillo@anf.es</a> </font> <br>
<font style="font-family:arial" size="-1"> <img title="Dirección Web" src="cid:part10.CC5A7BF7.1F4D28D1@anf.es" height="15" width="15" style="width: 15px; height: 15px; " modifysize="50%"> <a class="moz-txt-link-abbreviated" href="http://www.anf.es">www.anf.es</a> </font>
</font></font></font></font></font></td>
</tr>
<tr>
<td widh="150"><br>
</td>
<td align="left"> <img src="cid:part11.AA942444.FA115779@anf.es" width="215" style="width: 215px; height: 27px; " modifysize="51%"> </td>
</tr>
</tbody>
</table>
<font style="font-family:arial" color="#666666" size="-2"> <b>NOTICE</b><br>
</font> <font style="font-family:arial" color="#666666" size="1">
This message is addressed exclusively to its recipient and may
contain privileged or confidential information and/or personal
data, the disclosure of which is regulated by the Organic Law on
Data Protection and the Law on Information Society Services. If
you are not the intended recipient (or the person responsible for
delivering it to the recipient), you must not copy or deliver this
message to third parties under any circumstances. If you have
received this message in error or obtained it by other means,
please notify us immediately by the same channel and delete it
irreversibly. The opinions, conclusions and other information
included in this message that are not related to the professional
affairs of ANF Autoridad de Certificación are not endorsed by the
company. </font> </div>
</div>
</div></div>
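As an added example (not part of the ballot text or of any CA's code), the Request Token construction the ballot's note describes (UTC timestamp followed by the SHA-256 of the PKCS#10 CSR) together with the acceptance check a CA would apply to the TXT values it retrieves under the DNS Change method. The CSR bytes, the TXT record set and the 30-day acceptance window for Request Tokens are constructed assumptions; the ballot fixes a 30-day bound only for Random Values and leaves the Request Token format to the CA's CPS.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the Applicant's PKCS#10 CSR (any bytes hash the same way).
SAMPLE_CSR = (b"-----BEGIN CERTIFICATE REQUEST-----\n"
              b"MIIBexampleCSRbytesNotARealRequest\n"
              b"-----END CERTIFICATE REQUEST-----\n")
ISSUE_TIME = datetime(2016, 2, 25, 18, 11, tzinfo=timezone.utc)  # minute used in the note's sample

def request_token(csr: bytes, when: datetime) -> str:
    """UTC YYYYMMDDHHMM + hex SHA-256 of the CSR: the 76-character string the note's pipeline prints."""
    stamp = when.astimezone(timezone.utc).strftime("%Y%m%d%H%M")
    return stamp + hashlib.sha256(csr).hexdigest()

def parse_token(token: str):
    """Return (timestamp, digest) or None if the value is not in that format."""
    if len(token) != 76 or any(c not in "0123456789abcdef" for c in token[12:]):
        return None
    try:
        stamp = datetime.strptime(token[:12], "%Y%m%d%H%M").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return stamp, token[12:]

def txt_confirms_control(txt_values, csr: bytes, now: datetime,
                         max_age: timedelta = timedelta(days=30)) -> bool:
    """CA-side check for the DNS Change method: some TXT value must be a well-formed token
    whose digest is that of the CSR actually submitted and whose timestamp is neither in
    the future nor older than max_age (an assumed CPS setting, not a ballot requirement)."""
    expected = hashlib.sha256(csr).hexdigest()
    for value in txt_values:
        parsed = parse_token(value.strip().strip('"'))  # tolerate quoted TXT presentation
        if parsed is None:
            continue
        stamp, digest = parsed
        if digest == expected and stamp <= now <= stamp + max_age:
            return True
    return False

def demo():
    """Constructed TXT answer set, as a CA's resolver might return it for the ADN."""
    token = request_token(SAMPLE_CSR, ISSUE_TIME)
    records = ['"v=spf1 -all"', token]  # an unrelated record sits alongside the token
    return {
        "fresh_match": txt_confirms_control(records, SAMPLE_CSR, ISSUE_TIME + timedelta(days=3)),
        "wrong_csr": txt_confirms_control(records, b"another CSR", ISSUE_TIME + timedelta(days=3)),
        "expired": txt_confirms_control(records, SAMPLE_CSR, ISSUE_TIME + timedelta(days=40)),
    }
```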