<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Ryan,</div><div class=""><br class=""></div><div class="">I presume Google has internal controls in place that cover who can sign contracts and under what circumstances. I am inclined to side with Bruce on this one — a signed contract should be prima facie evidence of authorized issuance when the domain registrant is the signer.</div><div class=""><br class=""></div><div class="">I think we should add clear notification requirements and domain registrant rights to the BRs, but I think allowing contract signature is a reasonable mitigation. Maybe we tie validation in this case to the EV guidelines — that is, the CA must follow the EV guidelines to confirm the contract? Maybe also require CT logging of the CA certificate prior to issuing end-entity certificates and possibly require a waiting period before issuing EE certs?</div><div class=""><br class=""></div><div class="">The objective we all have here is to do the right thing for customers. Browsers (including Chrome) roll things out gradually and have rollback options. 
Can we have that here: a way to require CAA checking but with a “rollback” option in the form of contracts, with public notification when such rollback action is being taken?</div><div class=""><br class=""></div><div class="">Thanks,</div><div class="">Peter</div><div class=""><br class=""></div><div class=""><br class=""></div><div><blockquote type="cite" class=""><div class="">On Nov 9, 2016, at 9:04 AM, Ryan Sleevi via Public <<a href="mailto:public@cabforum.org" class="">public@cabforum.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div dir="ltr" class="">Bruce,<div class=""><br class=""></div><div class="">What would prevent a random person in Google Marketing from executing a contract with Entrust? How would Entrust determine that person is or is not authorized? How would that be normalized across the industry? How would Google signal to Entrust that such a person was not authorized to sign contracts on Google's behalf?</div><div class=""><br class=""></div><div class="">These are all things for which your reply is, ultimately, based on how Entrust does its business, and other CAs may differ in practices or rigor - which is why it is very much the realm of CA policy in how it executes such agreements, and subscribers have no way to prevent CAs from being fooled or signalling that they're making a mistake.</div></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Wed, Nov 9, 2016 at 8:25 AM, Bruce Morton via Public <span dir="ltr" class=""><<a href="mailto:public@cabforum.org" target="_blank" class="">public@cabforum.org</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">This doesn't put CAA in the realm of CA policy. 
This puts certificate issuance in the realm of certificate Subscriber policy, which I think we all respect through our BR and EV documents.<br class="">
<br class="">
Bruce.<br class="">
<span class="im HOEnZb"><br class="">
-----Original Message-----<br class="">
From: Public [mailto:<a href="mailto:public-bounces@cabforum.org" class="">public-bounces@cabforum.org</a>] On Behalf Of Gervase Markham via Public<br class="">
</span><span class="im HOEnZb">Sent: Wednesday, November 9, 2016 10:12 AM<br class="">
To: Doug Beattie <<a href="mailto:doug.beattie@globalsign.com" class="">doug.beattie@globalsign.com</a>>; CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org" class="">public@cabforum.org</a>><br class="">
Cc: Gervase Markham <<a href="mailto:gerv@mozilla.org" class="">gerv@mozilla.org</a>><br class="">
</span><span class="im HOEnZb">Subject: Re: [cabfpub] Draft CAA motion<br class="">
<br class="">
<br class="">
</span><span class="im HOEnZb">I'm sorry, but that moves CAA from the realm of enforced site policy to the realm of CA policy, which defeats much of the point. We have discussed this recently on this list, I believe.<br class="">
<br class="">
<br class="">
</span><div class="HOEnZb"><div class="h5">_______________________________________________<br class="">
Public mailing list<br class="">
<a href="mailto:Public@cabforum.org" class="">Public@cabforum.org</a><br class="">
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank" class="">https://cabforum.org/mailman/listinfo/public</a><br class="">
</div></div></blockquote></div><br class=""></div>
</div></blockquote></div><br class=""></body></html>