<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Sorry, I’m not citing existing BR content, I’m proposing new to give weight to a vendor/client relationship. Add a clause to Gerv’s motion that recognizes that a customer can opt out of a CA checking CAA by contract. Require that the CA indicate this choice through presence of a CABF arc CP OID at EE tier, allowing programmatic checking of CAA violation. In all other regards, business as usual without creating N generations of TCSCs for a customer every year and the server installation confusion that causes among even relatively savvy operations.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>I’ve drowned out Jody here, but he wants to issue to his affiliates without checking their CAA. As long as we don’t make sport out of finding gaps between each other’s thinking, there are parallels to draw between affiliation and a contract. One is total, the other specific.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Ryan Sleevi [mailto:sleevi@google.com] <br><b>Sent:</b> Thursday, November 10, 2016 2:16 PM<br><b>To:</b> Steve Medin <Steve_Medin@symantec.com><br><b>Cc:</b> CA/Browser Forum Public Discussion List <public@cabforum.org>; Gervase Markham <gerv@mozilla.org><br><b>Subject:</b> Re: [cabfpub] Draft CAA motion (2)<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Thu, Nov 10, 2016 at 10:56 AM, Steve Medin <<a href="mailto:Steve_Medin@symantec.com" target="_blank">Steve_Medin@symantec.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>I’m suggesting that contracts like what we’re discussing gain material impact on the BRs through BR mention of them and their associated handling and disclosure of existence rules. </span><o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Can you point to what rules you're thinking of that require the disclosure or handling? Because I can certainly think of examples with Symantec not disclosing contracts.<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>I want to allow customers to grant CAs the right to bypass CAA checking, </span><o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Why? Can we move from talking about things wanted to understanding why? This was discussed at the F2F, but it's particularly helpful to understand why you object, other than it creates more work. I'm not saying that more work is not important, but I want to make sure that if there are reasons other than that it's more work, we've properly considered them.<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>and I want to publicly show that the right has been granted (response to Jeremy) so that such behavior can be inspected.</span><o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The problem with what's proposed is there's a significant and material difference between expressing that in a TCSC - which is technically enforcable - and a general contract proviso.<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>If stricter rules about CAA are imposed and they have contractual impact because, given the above, contracts become a constraint and a compliance tool in the BRs, then it would follow that inadequate or out of date contracts would put a CA at risk of non-compliance.</span><o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I believe we must be talking past eachother, because I don't believe there is anything in the BRs to support your claim here. I'd love to be mistaken - to see actual support for this statement - but I suspect it's moreso borne out of a misunderstanding of the point I was making.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I'm specifically talking about better controls afforded via CAA - such as the ability to restrict issuance methods that was discussed in the F2F. If the CA/B Forum (or the IETF) introduced such controls, then it bears determining with the customer whether or not they want to continue to opt-out of CAA. Similarly, if CAA affords them more flexibility through some change in the Forum or the IETF, it bears determining with the customer whether or not they want to continue to opt-out of CAA.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I'm specifically objecting to the notion of 'set it and forget it' - that is, a blanket exclusion that never gets revisited. If the idea of contractual-based exclusions is countenanced, then we should take appropriate steps to ensure its scope is limited. One such way to limit that scope is require the exclusion be reauthorized any time there's a chance in the Forum/IETFs CAA policies.<o:p></o:p></p></div></div></div></div></div></div></body></html>