<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-2022-jp">
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:0in;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
p.line862, li.line862, div.line862
{mso-style-name:line862;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.line874, li.line874, div.line874
{mso-style-name:line874;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1917010366;
mso-list-template-ids:-888865838;}
@list l0:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><a name=texteditlink><span lang=EN style='font-family:"Times New Roman",serif;color:black'>This is the revised domain validation ballot based on the feedback received at and after the face to face. Looking for either additional comments or two endorsers.<o:p></o:p></span></a></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>Jeremy<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>-----<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><b><span lang=EN style='font-family:"Times New Roman",serif;color:black'>Revised Validation Requirements</span></b></span><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'><o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><b><span lang=EN style='font-family:"Times New Roman",serif;color:black'>Purpose of Ballot:</span></b></span><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'> The purpose of this ballot is to 1) re-introduce the methods removed in ballot 180-182 because of IPR concerns, 2) clarify some issues with the .well-known method, 3) specify how the reuse of information works with respect to the newly adopted methods, and 4) clarify how the reuse of information works with respect to the amendment to BR 4.2.1.<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto'><span style='mso-bookmark:texteditlink'><span style='font-family:"Times New Roman",serif'>The following motion has been proposed by Jeremy Rowley of DigiCert and endorsed by the following CA/B Forum member representatives: Entrust Datacard and YYYY to introduce new Final Maintenance Guidelines for the "Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates" (Baseline Requirements).<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><b><span lang=EN style='font-family:"Times New Roman",serif;color:black'>--Motion Begins--</span></b></span><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'><o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><b><span lang=EN style='font-family:"Times New Roman",serif;color:black'>Ballot Section 1</span></b></span><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'><o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>1) Replace Section 3.2.2.4.1:<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><b><span lang=EN style='font-family:"Times New Roman",serif;color:black'>3.2.2.4.1 Validating the Applicant as a Domain Contact</span></b></span><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'><o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>Confirming the Applicant's control over the FQDN by validating the Applicant is the Domain Contact directly with the Domain Name Registrar. This method may only be used if:<o:p></o:p></span></span></p><ol start=1 type=1><li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;line-height:normal;mso-list:l0 level1 lfo1;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif'>The CA authenticates the Applicant's identity under BR Section 3.2.2.1 and the authority of the Applicant Representative under BR Section 3.2.5, OR<o:p></o:p></span></span></li><li class=MsoNormal style='color:black;margin-top:6.0pt;mso-margin-bottom-alt:auto;margin-left:0in;line-height:normal;mso-list:l0 level1 lfo1;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif'>The CA authenticates the Applicant's identity under EV Guidelines Section 11.2 and the agency of the Certificate Approver under EV Guidelines Section 11.8; OR<o:p></o:p></span></span></li><li class=MsoNormal style='color:black;margin-top:6.0pt;mso-margin-bottom-alt:auto;margin-left:0in;line-height:normal;mso-list:l0 level1 lfo1;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif'>The CA is also the Domain Name Registrar, or an Affiliate of the Registrar, of the Base Domain Name.<o:p></o:p></span></span></li></ol><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>2) Replace Section 3.2.2.4.2:<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><b><span lang=EN style='font-family:"Times New Roman",serif;color:black'>3.2.2.4.2 Email, Fax, SMS, or Postal Mail to Domain Contact</span></b></span><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'><o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>Confirming the Applicant's control over the FQDN by sending a Random Value via email, fax, SMS, or postal mail and then receiving a confirming response utilizing the Random Value. The Random Value MUST be sent to an email address, fax/SMS number, or postal mail address identified as a Domain Contact.<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>Each email, fax, SMS, or postal mail MAY confirm control of multiple Authorization Domain Names.<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>The CA or Delegated Third Party MAY send the email, fax, SMS, or postal mail identified under this section to more than one recipient provided that every recipient is identified by the Domain Name Registrar as representing the Domain Name Registrant for every FQDN being verified using the email, fax, SMS, or postal mail.<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>The Random Value SHALL be unique in each email, fax, SMS, or postal mail.<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>The CA or Delegated Third Party MAY resend the email, fax, SMS, or postal mail in its entirety, including re-use of the Random Value, provided that the communication's entire contents and recipient(s) remain unchanged.<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>The Random Value SHALL remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values, in which case the CA MUST follow its CPS.<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>3) Replace Section 3.2.2.4.3:<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><b><span lang=EN style='font-family:"Times New Roman",serif;color:black'>3.2.2.4.3 Phone Contact with Domain Contact</span></b></span><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'><o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>Confirming the Applicant's control over the requested FQDN by calling the Domain Name Registrant's phone number and obtaining a response confirming the Applicant's request for validation of the FQDN. The CA or Delegated Third Party MUST place the call to a phone number identified by the Domain Name Registrar as the Domain Contact.<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>Each phone call SHALL be made to a single number and MAY confirm control of multiple FQDNs, provided that the phone number is identified by the Domain Registrar as a valid contact method for every Base Domain Name being verified using the phone call.<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>4) Replace Section 3.2.2.4.4:<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><b><span lang=EN style='font-family:"Times New Roman",serif;color:black'>3.2.2.4.4 Constructed Email to Domain Contact</span></b></span><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'><o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>Confirm the Applicant's control over the requested FQDN by (i) sending an email to one or more addresses created by using 'admin', 'administrator', 'webmaster', 'hostmaster', or 'postmaster' as the local part, followed by the at-sign ("@"), followed by an Authorization Domain Name, (ii) including a Random Value in the email, and (iii) receiving a confirming response utilizing the Random Value.<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>Each email MAY confirm control of multiple FQDNs, provided the Authorization Domain Name used in the email is an Authorization Domain Name for each FQDN being confirmed<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>The Random Value SHALL be unique in each email.<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>The email MAY be re-sent in its entirety, including the re-use of the Random Value, provided that its entire contents and recipient SHALL remain unchanged.<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>The Random Value SHALL remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values, in which case the CA.<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>5) Edit Section 3.2.2.4.6:<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><b><span lang=EN style='font-family:"Times New Roman",serif;color:black'>3.2.2.4.6 Agreed-Upon Change to Website<o:p></o:p></span></b></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span style='font-family:"Times New Roman",serif;color:black'>Confirming the Applicant's control over the requested FQDN by confirming <u>the presence of a Request Token or Random Value contained in the content of a file or on a web page in the form of a meta tag</u> <s>one of the following</s> under the "/.well</span></span><span style='mso-bookmark:texteditlink'><span style='font-family:"Cambria Math",serif;color:black'>�$B!>�(J</span></span><span style='mso-bookmark:texteditlink'><span style='font-family:"Times New Roman",serif;color:black'>known/pki</span></span><span style='mso-bookmark:texteditlink'><span style='font-family:"Cambria Math",serif;color:black'>�$B!>�(J</span></span><span style='mso-bookmark:texteditlink'><span style='font-family:"Times New Roman",serif;color:black'>validation" directory, or another path registered with IANA for the purpose of Domain Validation, on the Authorization Domain Name that is accessible by the CA via HTTP/HTTPS over an Authorized Port<u>. The Request Token or Random Value MUST NOT appear in the request for the file or web-page. </u> <s>:</s><o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><s><span style='font-family:"Times New Roman",serif;color:black'>1. The presence of Required Website Content contained in the content of a file or on a web page in the form of a meta tag. The entire Required Website Content MUST NOT appear in the request used to retrieve the file or web page, or</span></s></span><span style='mso-bookmark:texteditlink'><span style='font-family:"Times New Roman",serif;color:black'><o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><s><span style='font-family:"Times New Roman",serif;color:black'>2. The presence of the Request Token or Request Value contained in the content of a file or on a webpage in the form of a meta tag where the Request Token or Random Value MUST NOT appear in the request.</span></s></span><span style='mso-bookmark:texteditlink'><span style='font-family:"Times New Roman",serif;color:black'><o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span style='font-family:"Times New Roman",serif;color:black'>If a Random Value is used, the CA or Delegated Third Party SHALL provide a Random Value unique to the certificate request and SHALL not use the Random Value after the longer of (i) 30 days or (ii) if the Applicant submitted the certificate request, the timeframe permitted for reuse of validated information relevant to the certificate (such as in Section 3.3.1 of these Guidelines or Section 11.14.3 of the EV Guidelines).<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span style='font-family:"Times New Roman",serif;color:black'>Note: Examples of Request Tokens include, but are not limited to: (i) a hash of the public key; (ii) a hash of the Subject Public Key Info [X.509]; and (iii) a hash of a PKCS#10 CSR. A Request Token may also be concatenated with a timestamp or other data. If a CA wanted to always use a hash of a PKCS#10 CSR as a Request Token and did not want to incorporate a timestamp and did want to allow certificate key re</span></span><span style='mso-bookmark:texteditlink'><span style='font-family:"Cambria Math",serif;color:black'>�$B!>�(J</span></span><span style='mso-bookmark:texteditlink'><span style='font-family:"Times New Roman",serif;color:black'>use then the applicant might use the challenge password in the creation of a CSR with OpenSSL to ensure uniqueness even if the subject and key are identical between subsequent requests. This simplistic shell command produces a Request Token which has a timestamp and a hash of a CSR. E.g. </span></span><span style='mso-bookmark:texteditlink'><span lang=EN-GB style='font-family:"Times New Roman",serif'>echo `date -u +%Y%m%d%H%M` `sha256sum <r2.csr` | sed "s/[ -]//g"</span></span><span style='mso-bookmark:texteditlink'><span style='font-family:"Times New Roman",serif;color:black'>. The script outputs:201602251811c9c863405fe7675a3988b97664ea6baf442019e4e52fa335f406f7c5f26cf14f<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span style='font-family:"Times New Roman",serif;color:black;background:white'>The CA should define in its CPS (or in a document referenced from the CPS) the format of Request Tokens it accepts.</span></span><span style='mso-bookmark:texteditlink'><span style='font-family:"Times New Roman",serif;color:black'><o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>6) Add Section 3.2.2.4.7:<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><b><span lang=EN style='font-family:"Times New Roman",serif;color:black'>3.2.2.4.7 DNS Change</span></b></span><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'><o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>Confirming the Applicant's control over the requested FQDN by confirming the presence of a Random Value or Request Token in a DNS <u>CNAME,</u> TXT, or CAA record for an Authorization Domain Name or an Authorization Domain Name that is prefixed with a label that begins with an underscore character.<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>If a Random Value is used, the CA or Delegated Third Party SHALL provide a Random Value unique to the certificate request and SHALL not use the Random Value after (i) 30 days or (ii) if the Applicant submitted the certificate request, the timeframe permitted for reuse of validated information relevant to the certificate (such as in Section 3.3.1 of these Guidelines or Section 11.14.3 of the EV Guidelines).<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>7) Add Section 3.2.2.4.8:<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><b><span lang=EN style='font-family:"Times New Roman",serif;color:black'>3.2.2.4.8 IP Address</span></b></span><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'><o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>Confirming the Applicant's control over the requested FQDN by confirming that the Applicant controls an IP address returned from a DNS lookup for A or AAAA records for the FQDN in accordance with section 3.2.2.5.<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>8) Add Section 3.2.2.4.9:<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><b><span style='font-family:"Times New Roman",serif'>3.2.2.4.9 Test Certificate</span></b></span><span style='mso-bookmark:texteditlink'><span style='font-family:"Times New Roman",serif'> <o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span style='font-family:"Times New Roman",serif'>Confirming the Applicant's control over the requested FQDN by confirming the presence of a non</span></span><span style='mso-bookmark:texteditlink'><span style='font-family:"Cambria Math",serif'>�$B!>�(J</span></span><span style='mso-bookmark:texteditlink'><span style='font-family:"Times New Roman",serif'>expired Test Certificate issued by the CA on the Authorization Domain Name and which is accessible by the CA via TLS over an Authorized Port for the purpose of issuing a Certificate with the same Public Key as in the Test Certificate.</span></span><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'><o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>9) Delete Section 3.2.2.4.11<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>10) Delete the definition of �$B!H�(JRequired Website Content�$B!I�(J<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'>11) </span></span><span style='mso-bookmark:texteditlink'><span style='font-family:"Times New Roman",serif;color:black;background:white'>Replace the reference to Section 3.3.1 with a reference to Section 4.2.1 in the third paragraph under Section 3.2.2.4.<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span style='font-family:"Times New Roman",serif;color:black;background:white'>12) Revised the definition of �$B!H�(JAuthorized Ports�$B!I�(J as follows:<o:p></o:p></span></span></p><p class=MsoNormal><span style='mso-bookmark:texteditlink'><span style='font-family:"Times New Roman",serif'>One of the following ports: 80 (http), 443 (http), <s>115 (sftp), </s>25 (smtp), 22 (ssh).<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><span style='font-family:"Times New Roman",serif'>13) Revise the definition of Test Certificate as follows:<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><b><span style='font-family:"Times New Roman",serif'>Test Certificate</span></b></span><span style='mso-bookmark:texteditlink'><span style='font-family:"Times New Roman",serif'>: A Certificate with a maximum validity period of 30 days and which: (i) includes a critical extension with the specified Test Certificate CABF OID <u>(2.23.140.2.1)</u>, or (ii) is issued under a CA where there are no certificate paths/chains to a root certificate subject to these Requirements</span></span><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'><o:p></o:p></span></span></p><p class=MsoNormal><span style='mso-bookmark:texteditlink'><b><u><span style='font-family:"Times New Roman",serif'>Ballot Section 2<o:p></o:p></span></u></b></span></p><p class=MsoNormal><span style='mso-bookmark:texteditlink'><span style='font-family:"Times New Roman",serif'>This provisions of Ballot Section 1 will apply only to the validation of domain names occurring after this Ballot 190�$B!G�(Js effective date. Validation of domain names that occurs before this Ballot�$B!G�(Js effective date and the resulting validation data may continue to be used for the periods specified in BR 4.2.1 and EVGL 11.14.3 so long as the validations were conducted in compliance with the BR Section 3.2.2.4 validation methods in effect at the time of each validation.<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:normal;background:white'><span style='mso-bookmark:texteditlink'><b><span lang=EN style='font-family:"Times New Roman",serif;color:black'>--Motion Ends--</span></b></span><span style='mso-bookmark:texteditlink'><span lang=EN style='font-family:"Times New Roman",serif;color:black'><o:p></o:p></span></span></p><span style='mso-bookmark:texteditlink'></span><p class=line874 style='margin:0in;margin-bottom:.0001pt'><span style='font-size:11.0pt'>The procedure for approval of this Final Maintenance Guideline ballot is as follows (exact start and end times may be adjusted to comply with applicable Bylaws and IPR Agreement):<o:p></o:p></span></p><p class=line874 style='margin:0in;margin-bottom:.0001pt'><span style='font-size:11.0pt'> <o:p></o:p></span></p><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 style='border-collapse:collapse'><tr><td width=306 valign=top style='width:229.25pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=line874 style='margin:0in;margin-bottom:.0001pt;line-height:105%'><span style='font-size:11.0pt;line-height:105%'>BALLOT 190<o:p></o:p></span></p><p class=line874 style='margin:0in;margin-bottom:.0001pt;line-height:105%'><span style='font-size:11.0pt;line-height:105%'>Status: Final Maintenance Guideline<o:p></o:p></span></p></td><td width=110 valign=top style='width:82.4pt;border:solid windowtext 1.0pt;border-left:none;padding:0in 5.4pt 0in 5.4pt'><p class=line874 align=center style='margin:0in;margin-bottom:.0001pt;text-align:center;line-height:105%'><span style='font-size:11.0pt;line-height:105%'>Start time (23:00 UTC)<o:p></o:p></span></p></td><td width=106 valign=top style='width:79.35pt;border:solid windowtext 1.0pt;border-left:none;padding:0in 5.4pt 0in 5.4pt'><p class=line874 align=center style='margin:0in;margin-bottom:.0001pt;text-align:center;line-height:105%'><span style='font-size:11.0pt;line-height:105%'>End time (23:00 UTC)<o:p></o:p></span></p></td></tr><tr><td width=306 valign=top style='width:229.25pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt'><p class=line874 style='margin:0in;margin-bottom:.0001pt;line-height:105%'><span style='font-size:11.0pt;line-height:105%'>Discussion (7 to 14 days)<o:p></o:p></span></p></td><td width=110 valign=top style='width:82.4pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=line874 align=center style='margin:0in;margin-bottom:.0001pt;text-align:center;line-height:105%'><span style='font-size:11.0pt;line-height:105%'><o:p> </o:p></span></p></td><td width=106 valign=top style='width:79.35pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal align=center style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-align:center'><span style='font-family:"Times New Roman",serif'><o:p> </o:p></span></p></td></tr><tr><td width=306 valign=top style='width:229.25pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt'><p class=line874 style='margin:0in;margin-bottom:.0001pt;line-height:105%'><span style='font-size:11.0pt;line-height:105%'>Vote for approval (7 days)<o:p></o:p></span></p></td><td width=110 valign=top style='width:82.4pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal align=center style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-align:center'><span style='font-family:"Times New Roman",serif'><o:p> </o:p></span></p></td><td width=106 valign=top style='width:79.35pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal align=center style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-align:center'><span style='font-family:"Times New Roman",serif'><o:p> </o:p></span></p></td></tr><tr><td width=306 valign=top style='width:229.25pt;border:solid windowtext 1.0pt;border-top:none;padding:0in 5.4pt 0in 5.4pt'><p class=line874 style='margin:0in;margin-bottom:.0001pt;line-height:105%'><span style='font-size:11.0pt;line-height:105%'>If vote approves ballot: Review Period (Chair to send Review Notice) (30 days). <o:p></o:p></span></p><p class=line874 style='margin:0in;margin-bottom:.0001pt;line-height:105%'><span style='font-size:11.0pt;line-height:105%'>If Exclusion Notice(s) filed, ballot approval is rescinded and PAG to be created.<o:p></o:p></span></p><p class=line874 style='margin:0in;margin-bottom:.0001pt;line-height:105%'><span style='font-size:11.0pt;line-height:105%'>If no Exclusion Notices filed, ballot becomes effective at end of Review Period.<o:p></o:p></span></p></td><td width=110 valign=top style='width:82.4pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal align=center style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-align:center'><span style='font-family:"Times New Roman",serif'>Upon filing of Review Notice by Chair<o:p></o:p></span></p></td><td width=106 valign=top style='width:79.35pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt'><p class=MsoNormal align=center style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-align:center'><span style='font-family:"Times New Roman",serif'>30 days after filing of Review Notice by Chair<o:p></o:p></span></p></td></tr></table><p class=line874 style='margin:0in;margin-bottom:.0001pt'><span style='font-size:11.0pt'> </span><span style='font-size:11.0pt;color:black'><o:p></o:p></span></p><p class=line874 style='margin:0in;margin-bottom:.0001pt'><span style='font-size:11.0pt'>From Bylaw 2.3: If the Draft Guideline Ballot is proposing a Final Maintenance Guideline, such ballot will include a redline or comparison showing the set of changes from the Final Guideline section(s) intended to become a Final Maintenance Guideline, and need not include a copy of the full set of guidelines. Such redline or comparison shall be made against the Final Guideline section(s) as they exist at the time a ballot is proposed, and need not take into consideration other ballots that may be proposed subsequently, except as provided in Bylaw Section 2.3(j).<o:p></o:p></span></p><p class=line874 style='margin:0in;margin-bottom:.0001pt'><span style='font-size:11.0pt'> <o:p></o:p></span></p><p class=line862 style='margin:0in;margin-bottom:.0001pt'><span style='font-size:11.0pt'>Votes must be cast by posting an on-list reply to this thread on the Public list. A vote in favor of the motion must indicate a clear 'yes' in the response. A vote against must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here: </span><a href="https://cabforum.org/members/"><span style='font-size:11.0pt;color:windowtext'>https://cabforum.org/members/</span></a><span style='font-size:11.0pt'> <o:p></o:p></span></p><p class=line862 style='margin:0in;margin-bottom:.0001pt'><span style='font-size:11.0pt'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Times New Roman",serif'>In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor. <span style='background:white'>Quorum is shown on CA/Browser Forum wiki. Under Bylaw 2.2(g), at least the required quorum number must participate in the ballot for the ballot to be valid, either by voting in favor, voting against, or abstaining.</span><o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Times New Roman",serif'><br><br><br><o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Times New Roman",serif'><o:p> </o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>