<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body lang="EN-US">
<p>I’m suggesting that contracts like what we’re discussing gain material impact on the BRs through BR mention of them and their associated handling and disclosure of existence rules. I want to allow customers to grant CAs the right to bypass CAA checking, and I want to publicly show that the right has been granted (response to Jeremy) so that such behavior can be inspected.</p>
<p>If stricter rules about CAA are imposed and they have contractual impact because, given the above, contracts become a constraint and a compliance tool in the BRs, then it would follow that inadequate or out of date contracts would put a CA at risk of non-compliance.</p>
<blockquote style="border-left:solid blue 1.5pt;padding-left:4pt;margin-left:0">
<p><b>From:</b> Ryan Sleevi [mailto:sleevi@google.com]<br><b>Sent:</b> Thursday, November 10, 2016 1:39 PM<br><b>To:</b> CA/Browser Forum Public Discussion List &lt;public@cabforum.org&gt;<br><b>Cc:</b> Gervase Markham &lt;gerv@mozilla.org&gt;; Steve Medin &lt;Steve_Medin@symantec.com&gt;<br><b>Subject:</b> Re: [cabfpub] Draft CAA motion (2)</p>
<p>On Thu, Nov 10, 2016 at 10:29 AM, Steve Medin via Public &lt;<a href="mailto:public@cabforum.org">public@cabforum.org</a>&gt; wrote:</p>
<blockquote style="border-left:solid #CCCCCC 1pt;padding-left:6pt;margin-left:4.8pt">
<p>&gt; -----Original Message-----<br>&gt; From: Gervase Markham [mailto:<a href="mailto:gerv@mozilla.org">gerv@mozilla.org</a>]<br>&gt; Sent: Thursday, November 10, 2016 12:40 PM<br>&gt; To: Steve Medin &lt;<a href="mailto:Steve_Medin@symantec.com">Steve_Medin@symantec.com</a>&gt;; CA/Browser Forum Public Discussion List &lt;<a href="mailto:public@cabforum.org">public@cabforum.org</a>&gt;<br>&gt; Subject: Re: [cabfpub] Draft CAA motion (2)<br>&gt;<br>&gt; But here's another suggestion. Instead of mandating CAA in Mozilla policy,<br>&gt; we'll just say that issuing in the face of an adverse CAA record is a serious<br>&gt; misissuance. Then, you'd be free to not check it as often as you liked, relying<br>&gt; on your systems and contracts to save you - and the first time they went<br>&gt; wrong, we'd untrust your intermediate or remove your EV indicator or some<br>&gt; other sanction. How would that be? :-)<br>&gt;<br>&gt; Gerv</p>
<p>Well, that depends on the validity of a contract from the customer that absolves the CA from the requirement to check CAA within their service.</p>
</blockquote>
<p>I don't really understand why you feel this way - that is, the validity of the contract doesn't seem to have any material impact on the BRs. Or, put differently, contracts neither replace nor reduce the scope of the BRs. So if Gerv put forward a ballot that said "caveat CA", and even if you had a contract that said you didn't have to, if the customer - or anyone else who checked the CAA record - pointed out to the contrary, then it would be treated as a serious misissuance.</p>
<p>So how does the contract matter?</p>
<blockquote style="border-left:solid #CCCCCC 1pt;padding-left:6pt;margin-left:4.8pt">
<p>Let customers opt out when they trust their CA and its audits and it's no longer CA policy or browsers trusting CAs. Let customers adopt CAA to block other CAs that do not hold such a contract.</p>
</blockquote>
<p>Let's imagine we accept this argument. Would you be open to requiring that the contract must be renegotiated any time there is a change in CAA, to ensure that, at all times, the customer is making an informed decision? Quite frankly, sometimes it takes browsers to protect users from predatory CAs, and so if say there was a change that affected or improved the security of CAA checking, the customer should be informed. Such a renegotiating-of-agreement clause would help prevent CAs from misrepresenting CAA (as some have), allow the customer flexibility, and put a burden of effort on the CA in order to replace the stronger technical guarantee.</p>
</blockquote>
</body></html>