<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.m-9154426271699803564default, li.m-9154426271699803564default, div.m-9154426271699803564default
{mso-style-name:m_-9154426271699803564default;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.m-9154426271699803564msoplaintext, li.m-9154426271699803564msoplaintext, div.m-9154426271699803564msoplaintext
{mso-style-name:m_-9154426271699803564msoplaintext;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#44546A;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#44546A;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
span.EmailStyle23
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:441385697;
mso-list-type:hybrid;
mso-list-template-ids:1117653796 67698711 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-number-format:alpha-lower;
mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#44546A'>Kirk, in my years with VeriSign and Symantec, I also can’t recall a domain owner asking for more info about a cert that we had issued, but<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#44546A'><span style='mso-list:Ignore'>a)<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#44546A'>The request probably would not have come to or through me<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#44546A'><span style='mso-list:Ignore'>b)<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#44546A'>It’s a lot more likely to happen today because of CT<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#44546A'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#44546A'>The first example you gave is (in my opinion) relatively easy to resolve. The more challenging one is the second. I’m trying to see if we can agree that, for example, the CA should not necessarily give out details about the subscriber to the requester. Peter suggested a list of things that the requester should and should not expect to get. I agree with most of that but need to re-read it more carefully.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#44546A'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#44546A'>-Rick<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#44546A'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='margin-left:.5in'><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Kirk Hall [mailto:Kirk.Hall@entrust.com] <br><b>Sent:</b> Wednesday, October 12, 2016 6:14 PM<br><b>To:</b> Rick Andrews <Rick_Andrews@symantec.com>; Ryan Sleevi <sleevi@google.com><br><b>Cc:</b> public@cabforum.org<br><b>Subject:</b> RE: [cabfpub] Recourse for domain owners who discover unknown certificates issued to their domain<o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>In roughly 15 years of involvement with 4 CAs, I don’t recall any domain owner asking for more information about a cert we had issued that the domain owner (presumably) didn’t recognize. I suppose if Foo Corp. is actually your customer, and Anne Jones of Foo Corp. (whom you can verify) asks “Did we order this server2.foo.com cert? No one remembers that”, it would be ok for the CA to look in its systems and see what it can find.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>If someone from Foo Corp. contacts the CA and says “Foo Corp. is not a customer of your CA – why did you issue a cert for server2.foo.com?”, the CA would likely treat that as a Certificate Problem Report under BR 4.9.2, investigate according to the CA’s own procedures, and revoke if justified.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>I’m reluctant to create new requirements for how the CA responds to questions about an unrecognized cert until we know more whether this situation is likely to occur. It seems to me the current BRs already cover problem reports and revocation requests from third parties.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='margin-left:.5in'><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Rick Andrews [<a href="mailto:Rick_Andrews@symantec.com">mailto:Rick_Andrews@symantec.com</a>] <br><b>Sent:</b> Wednesday, October 12, 2016 5:56 PM<br><b>To:</b> Ryan Sleevi <<a href="mailto:sleevi@google.com">sleevi@google.com</a>>; Kirk Hall <<a href="mailto:Kirk.Hall@entrust.com">Kirk.Hall@entrust.com</a>><br><b>Cc:</b> <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> RE: [cabfpub] Recourse for domain owners who discover unknown certificates issued to their domain<o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#44546A'>Ryan, as I stated in my initial post, this is not about redaction. I’d prefer to keep that out of the discussion, and focus on a use case where a domain owner learns about a fully-disclosed certificate (maybe they see it on a public-facing website) and wants to learn more about it.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#44546A'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#44546A'>-Rick<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#44546A'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:1.0in'><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Public [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Ryan Sleevi via Public<br><b>Sent:</b> Tuesday, October 11, 2016 6:35 PM<br><b>To:</b> Kirk Hall <<a href="mailto:Kirk.Hall@entrust.com">Kirk.Hall@entrust.com</a>><br><b>Cc:</b> <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> Re: [cabfpub] Recourse for domain owners who discover unknown certificates issued to their domain<o:p></o:p></span></p><p class=MsoNormal style='margin-left:1.0in'><o:p> </o:p></p><div><p class=MsoNormal style='margin-left:1.0in'>Kirk,<o:p></o:p></p><div><p class=MsoNormal style='margin-left:1.0in'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:1.0in'>The point is to remove the degree of "CA discretion" that you suggest, to ensure there's a normalized, reasonable, and reliable set of options for domain holders. As Rick noted in the introduction, this is certainly one of the concerns with allowing redaction.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:1.0in'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:1.0in'>For example, it would be undesirable for a CA to allow redacted certificates, and then say "No, we won't revoke, because that's what our privacy policy says." The concern is related to CA's interpretation of those sections, and ensuring that we avoid any areas for CAs to interpret in a way conflicting with community norms.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:1.0in'><br>So I don't believe the current sections provide sufficient recourse - especially as discussed in the discussions Rick linked to.<o:p></o:p></p></div></div><div><p class=MsoNormal style='margin-left:1.0in'><o:p> </o:p></p><div><p class=MsoNormal style='margin-left:1.0in'>On Tue, Oct 11, 2016 at 6:22 PM, Kirk Hall via Public <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><p class=m-9154426271699803564default style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>As I read through the string, remember that we all have a Privacy Policy (BR 9.4 covers this, although we presently have no BR stipulations on privacy policies). So whatever we decide to do in responding to information requests from claimed domain owners will have to comply with our individual Privacy Policies (which may need to be modified). </span><o:p></o:p></p><p class=m-9154426271699803564default style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span><o:p></o:p></p><p class=m-9154426271699803564default style='margin-left:1.0in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>WebTrust for CAs has this general statement: “The Certification Authority must disclose its key and certificate life cycle management business and information privacy practices” and Requirement 6.6 on Certificate Revocation says “The CA maintains controls to provide reasonable assurance that certificates are revoked, based on authorized and validated certificate revocation requests within the time frame in accordance with the CA’s disclosed business practices.“</span><o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>We already have some BR provisions 4.9.2 through 4.9.5 on who can request revocation, and the process the CA is required to follow. See below. Does this adequately cover your straw man situations below? Don’t many of your situations fit within the language for reporting Certificate Problem Reports? (“I see this cert you issued for a domain I own – I don’t remember or recognize it.”) I think it may be best for the CA to set up its own internal procedures for how it will respond to this type of Report, and then make sure the Subscriber Agreement and Privacy Policy allow what the CA wants to do.<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'>4.9.2. Who Can Request Revocation<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'>The Subscriber, RA, or Issuing CA can initiate revocation. Additionally, Subscribers, Relying Parties,<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'>Application Software Suppliers, and other third parties may submit Certificate Problem Reports informing the<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'>issuing CA of reasonable cause to revoke the certificate.<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'>4.9.3. Procedure for Revocation Request<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'>The CA SHALL provide a process for Subscribers to request revocation of their own Certificates. The process<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'>MUST be described in the CA’s Certificate Policy or Certification Practice Statement. The CA SHALL maintain a<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'>continuous 24x7 ability to accept and respond to revocation requests and related inquiries.<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'>The CA SHALL provide Subscribers, Relying Parties, Application Software Suppliers, and other third parties with<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'>clear instructions for reporting suspected Private Key Compromise, Certificate misuse, or other types of fraud,<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'>compromise, misuse, inappropriate conduct, or any other matter related to Certificates. The CA SHALL publicly<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'>disclose the instructions through a readily accessible online means.<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'>4.9.4. Revocation Request Grace Period<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'>No stipulation.<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'>4.9.5. Time within which CA Must Process the Revocation Request<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'>The CA SHALL begin investigation of a Certificate Problem Report within twenty-four hours of receipt, and decide<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'>whether revocation or other appropriate action is warranted based on at least the following criteria:<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'>1. The nature of the alleged problem;<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'>2. The number of Certificate Problem Reports received about a particular Certificate or Subscriber;<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'>3. The entity making the complaint (for example, a complaint from a law enforcement official that a Web site is<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'>engaged in illegal activities should carry more weight than a complaint from a consumer alleging that she didn’t<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'>receive the goods she ordered); and<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.5in'>4. Relevant legislation. <o:p></o:p></p><div><div><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>-----Original Message-----<br>From: Public [mailto:<a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a>] On Behalf Of Peter Bowen via Public<br>Sent: Monday, October 10, 2016 8:35 PM<br>To: Rick Andrews <<a href="mailto:Rick_Andrews@symantec.com" target="_blank">Rick_Andrews@symantec.com</a>><br>Cc: <a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a><br>Subject: Re: [cabfpub] Recourse for domain owners who discover unknown certificates issued to their domain<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>> On Oct 10, 2016, at 5:31 PM, <a href="mailto:public@cabforum.org" target="_blank"><span style='color:windowtext;text-decoration:none'>public@cabforum.org</span></a> wrote:<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>> During the discussions about CT name redaction ([1], [2]), it became <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>> clear that there is no formal policy regarding what actions a CA <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>> should take if a domain owner approached the CA to get information <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>> about a certificate issued by the CA for a domain owned by the domain <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>> owner. We'd like to start a discussion to craft such a policy. Note <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>> that this is not specific to name redaction. A domain owner might <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>> discover a non-redacted certificate in a CT log or public web crawl, <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>> and if the owner doesn't recognize the certificate, they should be <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>> able to get detailed information from the CA so that the domain owner <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>> can determine if the cert was properly issued, and request revocation if it was not.<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>Rick,<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>Before we discuss how we authenticate the domain registrant, I think need to discuss what a CA must do when so asked by a domain registrant.<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>As a straw man, I’m going to suggest that an authenticated domain registrant can do the following:<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>- Require revocation of a certificate containing a FQDN or Wildcard DN under their registered domain by providing the CA the issuer DN and serial number of the certificate<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>- Require revocation of all certificates containing a FQDN or Wildcard DN under their registered domain or a portion of the namespace under their registered domain<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>- Authorize the issuance of certificates containing a FQDN or Wildcard DN under their registered domain <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>- Require the CA to only allow certain named people or email addresses to authorize future issuance<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>The registrant cannot:<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>- Require the CA to provide a list of all certificates containing a FQDN or Wildcard DN under their registered domain<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>- Require the CA to provide details on the applicant/subscriber for a certificate containing a FQDN or Wildcard DN under their registered domain<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>- Require the CA to provide an unredacted version of a redacted certificate containing a FQDN or Wildcard DN under their registered domain<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>To come up with this list, I considered the situation where domain foo.example is registered to Alice (potentially using a proxy as the registrant). Mallory is a nefarious individual and wants to bring harm to Alice or Alice’s organization. Mallory manages to take over foo.example (either due to Alice letting it expire or via domain transfer fraud) and then proceeds to contact CAs to get info about foo.example and Alice. What should a CA be required to release?<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>Thanks,<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>Peter<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'> <o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>_______________________________________________<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'>Public mailing list<o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'><a href="mailto:Public@cabforum.org" target="_blank"><span style='color:windowtext;text-decoration:none'>Public@cabforum.org</span></a><o:p></o:p></p><p class=m-9154426271699803564msoplaintext style='margin-left:1.0in'><a href="https://cabforum.org/mailman/listinfo/public" target="_blank"><span style='color:windowtext;text-decoration:none'>https://cabforum.org/mailman/listinfo/public</span></a><o:p></o:p></p></div></div></div></div><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:1.0in'><br>_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br><a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p></blockquote></div><p class=MsoNormal style='margin-left:1.0in'><o:p> </o:p></p></div></div></body></html>