<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.m-3178879151159413396m-3045134859279020391msolistparagraph, li.m-3178879151159413396m-3045134859279020391msolistparagraph, div.m-3178879151159413396m-3045134859279020391msolistparagraph
{mso-style-name:m_-3178879151159413396m-3045134859279020391msolistparagraph;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.m-3178879151159413396default, li.m-3178879151159413396default, div.m-3178879151159413396default
{mso-style-name:m_-3178879151159413396default;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I’m not sure why we want an email address for a SAN either. If there is a case for an email address, would it be an alternative put it in the subject name instead
of the SAN? I think that this can be done per BR 7.1.4.2.2.j.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Bruce.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Public [mailto:public-bounces@cabforum.org]
<b>On Behalf Of </b>Ryan Sleevi via Public<br>
<b>Sent:</b> Wednesday, January 4, 2017 8:20 PM<br>
<b>To:</b> CA/Browser Forum Public Discussion List <public@cabforum.org><br>
<b>Cc:</b> Ryan Sleevi <sleevi@google.com><br>
<b>Subject:</b> Re: [cabfpub] Ballot 184: rfc822Names and otherNames<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">How tied are you to allowing rfc822Name? "Reasonable measures" feels very much like the "any equivalent method", and it also feels very much like it will open up the gates of S/MIME, for which the GovReform is still working through.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">For example, can you incorporate language such as 3.2.2.4.2 / 3.2.2.4.4 to specify more explicitly what 'reasonable' means? Can you remove it entirely?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I'm still very uncertain about the value proposition of 7.1.4.2.1.3 / 7.1.4.2.1.5 and why it's desirable, at all, to use BR-compliant CAs for that. I'm hoping you can make a compelling case here.<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Wed, Jan 4, 2017 at 5:03 PM, Jeremy Rowley via Public <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black">Thank you everyone for the feedback so far. Attached is an updated draft based on the comments provided. Apologies for the lack of redlining, but I reformatted
the entire section into various permitted entries (thanks Gerv) which made the entire thing more readable. Let me know what you think.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black">Jeremy</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="color:black">7.1.4.2.1. Subject Alternative Name Extension
</span></b><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black">Certificate Field: extensions:subjectAltName
</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black">Required/Optional: Required
</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black">Contents: This extension MUST contain at least one entry where each included entry is one of the following:</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="color:black">7.1.4.2.1.1. dNSName
</span></b><o:p></o:p></p>
<p class="m-3178879151159413396m-3045134859279020391msolistparagraph"><span style="color:black">The subjectAltName extension MAY include one or more dNSName entries provided each entry is either a Fully</span><span style="font-family:"Cambria Math",serif;color:black">‐</span><span style="color:black">Qualified
Domain Name or a Wildcard Domain Name. The CA MUST verify each Fully-Qualified Domain Name and Wildcard Domain Name entry in accordance with Section 3.2.2.4.
</span><o:p></o:p></p>
<p class="m-3178879151159413396m-3045134859279020391msolistparagraph"><span style="color:black">Except where the entry is an Internal Name using onion as the right</span><span style="font-family:"Cambria Math",serif;color:black">‐</span><span style="color:black">most
label in an entry in the subjectAltName Extension or commonName field in accordance with Appendix F of the EV Guidelines, a dNSName entry MUST NOT contain an Internal Name.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="color:black">7.1.4.2.1.2. iPAddress</span></b><o:p></o:p></p>
<p class="m-3178879151159413396m-3045134859279020391msolistparagraph"><span style="color:black">The subjectAltName MAY include one or more iPAddress entries provided each entry is an IP address verified in accordance with Section 3.2.2.5. The entry MUST NOT
contain a Reserved IP Address.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="color:black">7.1.4.2.1.3. rfc822Name</span></b><o:p></o:p></p>
<p class="m-3178879151159413396m-3045134859279020391msolistparagraph"><span style="color:black">The subjectAltName MAY include one or more rfc822Name entries provided each entry is an email address compliant with RFC5280. Prior to including an email address,
the CA MUST take reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate
<em><span style="font-style:normal">or</span></em><i> </i>has been authorized by the email account holder to act on the account holder’s behalf.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="color:black">7.1.4.2.1.4. otherName with SRVName { 1.3.6.1.5.5.7.0.18.8.7 } type-id</span></b><o:p></o:p></p>
<p class="m-3178879151159413396m-3045134859279020391msolistparagraph"><span style="color:black">The subjectAltName MAY include one or more SRVNames (as defined in RFC4986) as an otherName entry with the SRVName type-id. The CA MUST verify the name portion of
the entry in accordance with Section 3.2.2.4. SRVName entries MUST NOT contain Wildcard Domain Names. If a Technically Constrained Subordinate CA Certificate includes a dNSName constraint but does not have a technical constraint for SRVNames, the CA MUST NOT
issue certificates containing SRVNames from the Technically Constrained Subordinate CA Certificate. A Technically Constrained Subordinate CA Certificate that includes a technical constraint for SRVNames MUST include permitted name subtrees and MAY include
excluded name subtrees.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="color:black">7.1.4.2.1.5. otherName with id-wfa-hotspot-friendlyName { 1.3.6.1.4.1.40808.1.1.1 } type-id</span></b><o:p></o:p></p>
<p class="m-3178879151159413396m-3045134859279020391msolistparagraph"><span style="color:black">The subjectAltName MAY include one or more entries of the id-wfa-hotspot-friendlyName type-id. The CA MAY only include id-wfa-hotpost-friendlyName entries compliant
with the Hotspot OSU Certificate Policy as officially published by the Wi-Fi Alliance at
</span><a href="https://www.wi-fi.org/discover-wi-fi/wi-fi-certified-passpoint" target="_blank"><span style="color:black">https://www.wi-fi.org</span></a><span style="color:black">. Prior to including a id-wfa-hotpost-friendlyName entry, the CA MUST:</span><o:p></o:p></p>
<p class="m-3178879151159413396default" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">A)</span><span style="font-size:7.0pt;color:black">
</span><span style="color:black">Authenticate the authority of the certificate requester in accordance with Section 3.2.5;</span><o:p></o:p></p>
<p class="m-3178879151159413396default" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">B)</span><span style="font-size:7.0pt;color:black">
</span><span style="color:black">Authenticate the Subject Identity information in accordance with Section 3.2.2.1; and</span><o:p></o:p></p>
<p class="m-3178879151159413396default" style="margin-left:.5in"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">C)</span><span style="font-size:7.0pt;color:black">
</span><span style="color:black">Conduct a trademark search for the entry with the U.S. Patent and Trademark Office and equivalent international trademark office such as the WIPO ROMARIN.
</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:11.4pt">
<span style="color:black"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>