<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Mar 1, 2017 at 4:50 PM, Ryan Sleevi <span dir="ltr"><<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div>It's unclear whether you disagree with the substance of my analysis, and are thus stating it was intentional to weaken the Baseline Requirements, or if you're simply providing clarification for the intent, for which the weakening of the Baseline Requirements was unintentional?<br></div><div><br></div><div>If this was unintentional, we can work to resolve this in a way that achieves the intended resolve. However, if this was intentional, we will continue to disagree, and thus will find it necessary to vote against this ballot. I can only hope that, like Ballot 188, this was merely an unintentional side-effect, and hopefully one we can resolve through collaboration.<br></div></div></div></div>
</blockquote></div><br></div><div class="gmail_extra"><div class="gmail_extra">It was pointed out that my description of the issues may not have been clear for some members, so I'll try to restate the various ways in which this proposal, whether intentional or not, weakens the current security guarantees provided by the Baseline Requirements.</div><div class="gmail_extra"><br></div><div class="gmail_extra">In the effort of providing greater clarity, I have created several new threads to help inform this discussion.</div><div><br></div></div><div class="gmail_extra"><br></div><div class="gmail_extra">Proposed for Section 4.2.1<br></div><div class="gmail_extra"><div class="gmail_extra">"If an Applicant has a currently valid Certificate issued by the CA, a CA MAY rely on its prior authentication and verification of the Applicant's right to use the specified Domain Name under Section 3.2.2.4, provided that the CA verifies that the WHOIS record still shows the same registrant as when the CA verified the specified Domain Name for the existing Certificate."</div><div class="gmail_extra"><br></div><div class="gmail_extra">Problem Summary: This paragraph is presented without any linkage to the overall intent or preceding paragraphs. As such, when compared to the immediately preceding two paragraphs, it creates ambiguity as whether they represent "AND" or "OR" conjunctions. This would allow CAs to create 'perma-certificates', provided the WHOIS information does not change.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Explanation: By lacking in prosaic text that establishes a relationship with the previous conditions, a CA may indefinitely rely on a domain authorization, despite it no longer belonging to the Applicant, and well beyond the 825 period proposed in modification. That is, if a CA reads the above text as an "OR" interpretation, than any party who obtained a certificate once may continue to do so indefinitely, provided that they ensure the WHOIS information does not change.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Conclusion: The consequence of such certificates would significantly undermine public trust, by allowing a chain of certificates to continue well beyond the defined period.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Suggestion: Remove this entire section.</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div></div></div>