<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:0in;
line-height:105%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:895506829;
mso-list-template-ids:-1621197760;}
@list l0:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1
{mso-list-id:1996492577;
mso-list-type:hybrid;
mso-list-template-ids:494168778 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D'>Kirk,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Thank you for providing this detailed summary. It really helps explain things well.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='color:#1F497D'>One slight correction to this statement: “</span>We don’t know, as we have never created a PAG before. The PAG will start its work soon.”<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><o:p> </o:p></p><p class=MsoNormal><span style='color:#1F497D'>Actually we did create a PAG before (you were a member). See enclosed. Perhaps you meant we never created a PAG to do the work scheduled for this PAG.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><br>Dean<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><b>From:</b> Public [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Kirk Hall via Public<br><b>Sent:</b> Sunday, January 08, 2017 6:21 PM<br><b>To:</b> CA/Browser Forum Public Discussion List <public@cabforum.org><br><b>Cc:</b> Kirk Hall <Kirk.Hall@entrustdatacard.com><br><b>Subject:</b> [cabfpub] Recap of Ballot 180, 181, and 182 results, and next steps<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'>As mentioned on earlier messages, Ballots 180 and 181 passed, and Ballot 182 failed. Here is my view of where we are.<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><b><u>What Requirements and Guidelines are in effect now?<o:p></o:p></u></b></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><u><o:p><span style='text-decoration:none'> </span></o:p></u></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'>Ballot 181 included this provision: “In the event that this Ballot [181] and Ballot 180 are both approved by the Forum, the provisions of this Ballot [181] shall supersede and replace any conflicting provisions of Ballot 180.” <o:p></o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoPlainText>Ballots 180 and 181 are attached again. As you see, we re-adopted all the provisions of the following requirements and guidelines (except for the amendments as noted below) in conformity with our IPR Policy, and we can now safely adopt amendments (“Maintenance Guidelines” to these “Final Guidelines”) through new ballots in the future:<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText style='margin-left:.5in;text-indent:-.25in;mso-list:l1 level1 lfo2'><![if !supportLists]><span style='font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]>Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates (BRs)<o:p></o:p></p><p class=MsoPlainText style='margin-left:.5in;text-indent:-.25in;mso-list:l1 level1 lfo2'><![if !supportLists]><span style='font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]>Guidelines for the Issuance and Management of Extended Validation Certificates (EVGL)<o:p></o:p></p><p class=MsoPlainText style='margin-left:.5in;text-indent:-.25in;mso-list:l1 level1 lfo2'><![if !supportLists]><span style='font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]>Guidelines for the Issuance and Management of Extended Validation Code Signing Certificates, and <o:p></o:p></p><p class=MsoPlainText style='margin-left:.5in;text-indent:-.25in;mso-list:l1 level1 lfo2'><![if !supportLists]><span style='font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]>Network and Certificate System Security Requirements,<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'>We did make limited changes in the BRs and EVGL. Under Ballot 181, BR 3.2.2.4 now reads as follows (effective immediately):<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><b><span style='font-family:"Times New Roman",serif;color:black'>3.2.2.4 Validation of Domain Authorization or Control<o:p></o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'>This section defines the permitted processes and procedures for validating the Applicant's ownership or control of the domain.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'>The CA SHALL confirm that, as of the date the Certificate issues, either the CA or a Delegated Third Party has validated each Fully-Qualified Domain Name (FQDN) listed in the Certificate using at least one of the methods listed below.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'>Completed confirmations of Applicant authority may be valid for the issuance of multiple certificates over time. In all cases, the confirmation must have been initiated within the time period specified in the relevant requirement (such as Section 3.3.1 of this document) prior to certificate issuance. For purposes of domain validation, the term Applicant includes the Applicant's Parent Company, Subsidiary Company, or Affiliate.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'>Note: FQDNs may be listed in Subscriber Certificates using dNSNames in the subjectAltName extension or in Subordinate CA Certificates via dNSNames in permittedSubtrees within the Name Constraints extension.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><b><span style='font-family:"Times New Roman",serif;color:black'>3.2.2.4.1 [Reserved] <o:p></o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><b><span style='font-family:"Times New Roman",serif;color:black'>3.2.2.4.2 [Reserved] <o:p></o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><b><span style='font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><b><span style='font-family:"Times New Roman",serif;color:black'>3.2.2.4.3 [Reserved]<o:p></o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><b><span style='font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><b><span style='font-family:"Times New Roman",serif;color:black'>3.2.2.4.4 [Reserved]<o:p></o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><b><span style='font-family:"Times New Roman",serif;color:black'>3.2.2.4.5 Domain Authorization Document<o:p></o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'>Confirming the Applicant's control over the requested FQDN by relying upon the attestation to the authority of the Applicant to request a Certificate contained in a Domain Authorization Document. The Domain Authorization Document MUST substantiate that the communication came from the Domain Contact. The CA MUST verify that the Domain Authorization Document was either (i) dated on or after the date of the domain validation request or (ii) that the WHOIS data has not materially changed since a previously provided Domain Authorization Document for the Domain Name Space.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><b><span style='font-family:"Times New Roman",serif;color:black'>3.2.2.4.6 Agreed-Upon Change to Website<o:p></o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'>Confirming the Applicant's control over the requested FQDN by confirming one of the following under the "/.well-known/pki-validation" directory, or another path registered with IANA for the purpose of Domain Validation, on the Authorization Domain Name that is accessible by the CA via HTTP/HTTPS over an Authorized Port:<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:1.0in;margin-bottom:.0001pt;text-indent:-.25in;line-height:normal;mso-list:l0 level1 lfo4;background:white'><![if !supportLists]><span style='font-family:"Times New Roman",serif;color:black'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-family:"Times New Roman",serif;color:black'>The presence of Required Website Content contained in the content of a file or on a web page in the form of a meta tag. The entire Required Website Content MUST NOT appear in the request used to retrieve the file or web page, or<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:1.0in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:1.0in;margin-bottom:.0001pt;text-indent:-.25in;line-height:normal;mso-list:l0 level1 lfo4;background:white'><![if !supportLists]><span style='font-family:"Times New Roman",serif;color:black'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-family:"Times New Roman",serif;color:black'>The presence of the Request Token or Request Value contained in the content of a file or on a webpage in the form of a meta tag where the Request Token or Random Value MUST NOT appear in the request.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.75in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'>If a Random Value is used, the CA or Delegated Third Party SHALL provide a Random Value unique to the certificate request and SHALL not use the Random Value after the longer of (i) 30 days or (ii) if the Applicant submitted the certificate request, the timeframe permitted for reuse of validated information relevant to the certificate (such as in Section 3.3.1 of these Guidelines or Section 11.14.3 of the EV Guidelines).<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'>Note: Examples of Request Tokens include, but are not limited to: (i) a hash of the public key; (ii) a hash of the Subject Public Key Info [X.509]; and (iii) a hash of a PKCS#10 CSR. A Request Token may also be concatenated with a timestamp or other data. If a CA wanted to always use a hash of a PKCS#10 CSR as a Request Token and did not want to incorporate a timestamp and did want to allow certificate key re-use then the applicant might use the challenge password in the creation of a CSR with OpenSSL to ensure uniqueness even if the subject and key are identical between subsequent requests. This simplistic shell command produces a Request Token which has a timestamp and a hash of a CSR. E.g. echo date -u +%Y%m%d%H%M sha256sum <r2.csr | sed "s/[ -]//g" The script outputs: 201602251811c9c863405fe7675a3988b97664ea6baf442019e4e52fa335f406f7c5f26cf14f The CA should define in its CPS (or in a document referenced from the CPS) the format of Request Tokens it accepts.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><b><span style='font-family:"Times New Roman",serif;color:black'>3.2.2.4.7 [Reserved]<o:p></o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><b><span style='font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><b><span style='font-family:"Times New Roman",serif;color:black'>3.2.2.4.8 [Reserved]<o:p></o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><b><span style='font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><b><span style='font-family:"Times New Roman",serif;color:black'>3.2.2.4.9 [Reserved]<o:p></o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><b><span style='font-family:"Times New Roman",serif;color:black'>3.2.2.4.10. TLS Using a Random Number<o:p></o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'>Confirming the Applicant's control over the requested FQDN by confirming the presence of a Random Value within a Certificate on the Authorization Domain Name which is accessible by the CA via TLS over an Authorized Port.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><b><span style='font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><b><span style='font-family:"Times New Roman",serif;color:black'>3.2.2.4.11 Other Methods<o:p></o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'>The CA SHALL confirm that, as of the date the Certificate issues, either the CA or a Delegated Third Party has validated each Fully-Qualified Domain Name (FQDN) listed in the Certificate </span><span style='font-family:"Times New Roman",serif'>by using any method of confirmation, provided that the CA maintains documented evidence that the method of confirmation establishes that the Applicant is the Domain Name Registrant or has control over the Fully Qualified Domain Name (FQDN).<span style='color:black'><o:p></o:p></span></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'>Under Ballot 180, EVGL 11.7.1 now reads as follows (effective immediately):<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><b><span style='font-family:"Times New Roman",serif'>11.7.1. Verification Requirements<o:p></o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><b><span style='font-family:"Times New Roman",serif'><o:p> </o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-family:"Times New Roman",serif'>(1) For each Fully-Qualified Domain Name listed in a Certificate, other than a Domain Name with .onion in the rightmost label of the Domain Name, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant (or the Applicant’s Parent Company, Subsidiary Company, or Affiliate, collectively referred to as “Applicant” for the purposes of this section) either is the Domain Name Registrant or has control over the FQDN using a procedure specified in Section 3.2.2.4 of the Baseline Requirements. For a Certificate issued to a Domain Name with .onion in the right-most label of the Domain Name, the CA SHALL confirm, as of the date the Certificate was issued, the Applicant’s control over the .onion Domain Name in accordance with Appendix F.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-family:"Times New Roman",serif'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal'><span style='font-family:"Times New Roman",serif'>(2) <b>Mixed Character Set Domain Names: </b>EV Certificates MAY include Domain Names containing mixed character sets only in compliance with the rules set forth by the domain registrar. The CA MUST visually compare any Domain Names with mixed character sets with known high risk domains. If a similarity is found, then the EV Certificate Request MUST be flagged as High Risk. The CA must perform reasonably appropriate additional authentication and verification to be certain beyond reasonable doubt that the Applicant and the target in question are the same organization.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'>We will generate a new version of the BRs and EVGL very soon to reflect these amendments.<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><b><u>What happened to the other domain verification methods? What happened to Ballot 169?<o:p></o:p></u></b></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'>You will notice that in Ballot 181 we re-adopted domain validation methods 5, 6, and 10 from Ballot 169. <o:p></o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'>Methods 1-4, and 7-9 were included in Ballot 182 because they had previously resulted in IP Exclusion Notices, and we expected they would generate Exclusion Notices again – and we wanted to send those validation methods and the IP Exclusion Notice claims to a Patent Advisory Group (PAG) in accordance with our IPR Policy. Once the Exclusion Notices for Ballot 182 were filed during the IP Review Period, the Members decided not to vote on Ballot 182 and so the Ballot failed. That means the version of BR 3.2.2.4 in Ballot 181 is the version that has been adopted.<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'>In effect, Ballot 169 has been rescinded and replaced by Ballot 181. There is no longer a March 1, 2017 deadline to follow Ballot 169.<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><b><u>Does this mean that CAs can only use domain validations methods 5, 6, and 10 under BR 3.2.2.4?<o:p></o:p></u></b></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'>No – in Ballot 181, we also adopted a new Method 11 which is similar to our old method 7 – “any other method”. <o:p></o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'>Here is new Method 11, which is effective immediately – it allows CAs to use “any method of confirmation”, but please note the requirement that the CA must maintain “<u>documented evidence</u> that <u>the method of confirmation establishes</u> that the Applicant is the Domain Name Registrant or has control over the Fully Qualified Domain Name (FQDN).”<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><b><span style='font-family:"Times New Roman",serif;color:black'>3.2.2.4.11 Other Methods<o:p></o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;background:white'><span style='font-family:"Times New Roman",serif;color:black'>The CA SHALL confirm that, as of the date the Certificate issues, either the CA or a Delegated Third Party has validated each Fully-Qualified Domain Name (FQDN) listed in the Certificate </span><span style='font-family:"Times New Roman",serif'>by using any method of confirmation, provided that the CA maintains documented evidence that the method of confirmation establishes that the Applicant is the Domain Name Registrant or has control over the Fully Qualified Domain Name (FQDN).<span style='color:black'><o:p></o:p></span></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'>Please note that this new Method 11 is likely only temporary – once the PAG finishes its work, a new Ballot will likely be developed to readopt some version of Methods 1-4, and 7-9 from Ballot 169. At that point, this new Method 11 will likely be eliminated.<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'>As a “safe harbor”, CAs may want to limit themselves to Methods 1-4, and 7-9 from Ballot 169 if they are going to rely on new Method 11 (“any other method”) while the work of the PAG goes forward. However, this is not a requirement of the BRs as they exist today.<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><b><u>What domain validation methods are now permitted for EV certificates?<o:p></o:p></u></b></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'>As you see from revised EVGL 11.7.1 above, the EV Guidelines now require that CAs perform domain validation for EV certificates “using a procedure specified in Section 3.2.2.4 of the Baseline Requirements.” Under the current BRs, that means domain validation Methods 5, 6, 10, and 11.<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><b><u>How long will it take the PAG to complete its work and amend the domain validation methods of BR 3.2.2.4?<o:p></o:p></u></b></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><b><u><o:p><span style='text-decoration:none'> </span></o:p></u></b></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'>We don’t know, as we have never created a PAG before. The PAG will start its work soon.<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'>In this case, several Exclusion Notices were filed by Members, and it may take some weeks or months to evaluate the Exclusion Notices. The IPR Policy states that the Forum has a goal “to issue Guidelines that can be implemented on a Royalty-Free (RF) basis subject to the conditions of this policy.” The PAG will examine the IP contained in the Exclusion Notices against the domain validation methods in Ballot 182, and where there is a conflict the PAG may then provide conclusions and recommendations to the Forum on how to “resolve any conflicts.”<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal'><span style='font-family:"Times New Roman",serif'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><b><span style='font-family:"Times New Roman",serif'>IPR Policy 7.3.2. Possible PAG Conclusions<o:p></o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-family:"Times New Roman",serif'>After appropriate consultation, the PAG may conclude:<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-family:"Times New Roman",serif'>a. The initial concern has been resolved, enabling the work on the Guideline to continue.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-family:"Times New Roman",serif'>b. The CAB Forum should be instructed to consider designing around the identified claims.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-family:"Times New Roman",serif'>c. The PAG should seek further information and evaluation, including and not limited to evaluation of the patents in question or the terms under which CAB Forum RF licensing requirements may be met.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-family:"Times New Roman",serif'>d. The project relating to the Draft Guideline in question should be terminated.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal;text-autospace:none'><span style='font-family:"Times New Roman",serif'>e. The Final Guideline or Final Maintenance Guideline should be rescinded.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;line-height:normal'><span style='font-family:"Times New Roman",serif'>f. Alternative licensing terms should be considered.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><b><u>What happens after the PAG completes its work?<o:p></o:p></u></b></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'>We don’t know for sure, but the next steps after the PAG’s conclusions will likely be guided by the new voting rules we are developing under draft Ballot 183 (see current discussion and the procedures described in draft Ballot 183, including the process flow diagram provided with the draft Ballot). This Ballot is intended to clarify the interaction between our Ballot voting rules in the Bylaws and the requirements of our IPR Policy.<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'>It is likely a new domain validation procedure Ballot will be drafted after the PAG completes its work to readopt domain validation methods 1-4 and 7-10 in some form, and to delete new Method 11. That new Ballot will then be subject to a discussion period, vote, IP Review Period, etc. according to whatever new voting rules we may adopt.<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><b><u>What about ballots on other subjects? Can we proceed now?<o:p></o:p></u></b></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'>Yes, we can proceed with Ballots on other subjects now that we have re-adopted the various requirements and guidelines via Ballots 180 and 181. A Ballot that only amends our Bylaws can proceed now following our existing Bylaws voting rules (7 days discussion followed by 7 days voting, but no Review Period because no Maintenance Guidelines are affected), and we are trying to get to a vote on new voting rules in Ballot 183 as soon as possible.<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'>It will be best to defer any new ballots on ballots that affect the BRs, EVGL, etc. until after we have clarified our voting rules via Ballot 183. However, as soon as Ballot 183 (in some form) is adopted, then we can proceed on all the other pending ballots we have in the queue. With luck, that will happen later this month.<o:p></o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;line-height:normal'>Thanks to everyone for their patience and cooperation.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>