<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.gmail-apple-tab-span
{mso-style-name:gmail-apple-tab-span;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>3.2.2.4 only covers domain validation. Perhaps that language could be moved to 3.2.2?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From your comment and given Google’s stance on organizational validation, do your comments apply to the first section and not the second (as the second half of the proposal is only org validation)? <a name="_MailEndCompose"> What is the issue with the language in my proposal? Note that although the proposal is based on the EV Guideline concept, the proposal language is different from the EV Guideline language.<o:p></o:p></a></span></p><p class=MsoNormal><span style='mso-bookmark:_MailEndCompose'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></span></p><p class=MsoNormal><span style='mso-bookmark:_MailEndCompose'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Given that the expiration date must be the same, your example would only permit a one-month cert. How do you get a 77-month cert? I understand where the 77-month cert would come from based on the current wording of the BRs, but part of this modification would limit the replacement to the same expiration date. 
<o:p></o:p></span></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='mso-bookmark:_MailEndCompose'>Jeremy<o:p></o:p></span></p><p class=MsoNormal><span style='mso-bookmark:_MailEndCompose'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></span></p><p class=MsoNormal><span style='mso-bookmark:_MailEndCompose'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></span></p><span style='mso-bookmark:_MailEndCompose'></span><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Ryan Sleevi [mailto:sleevi@google.com] <br><b>Sent:</b> Friday, April 14, 2017 2:47 PM<br><b>To:</b> Jeremy Rowley <jeremy.rowley@digicert.com><br><b>Cc:</b> CA/Browser Forum Public Discussion List <public@cabforum.org><br><b>Subject:</b> Re: [cabfpub] How a Certificate Is Issued - the Baseline Requirements Version<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Fri, Apr 14, 2017 at 4:30 PM, Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Thanks a ton Ryan for putting this together. 
This is great info.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><a name="m_-6131725752303443664__MailEndCompose"><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>I agree the BRs are missing a re-use of information section, which is odd because the section exists in the EV Guidelines (11.14.1 and 11.14.2).</span></a><o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>That's nominally covered in Section 3.2.2.4 as part of the introduction, but it doesn't allow for "previous" versions to be used.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Specifically,<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>"Completed confirmations of Applicant authority may be valid for the issuance of multiple certificates over time. In all cases, the confirmation must have been initiated within the time period specified in the relevant requirement (such as Section 3.3.1 of this document) prior to certificate issuance. For purposes of domain validation, the term Applicant includes the Applicant's Parent Company, Subsidiary Company, or Affiliate."<o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span><o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>I was planning on circulating the following proposal to sync the two requirement docs once the number of pending ballots declined:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Add the following to 3.3.1 (taken from 11.14.2 of the EV Guidelines):<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>A CA may rely on a previously submitted certificate request to issue a new certificate if: <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>(1) The expiration date of the replacement certificate is the same as the expiration date of the Certificate being replaced, and <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>(2) The Subject Information of the Certificate is the same as the Subject in the Certificate that is being replaced.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Add the following to 4.2.1 (sort of taken from 11.14.1) after the third paragraph: <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>If an Applicant has a currently valid Certificate issued by the CA, a CA MAY rely on the prior 
authentication and verification of: <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>(1) The Applicant's identity under Section 3.2.2.1; <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>(2) The Applicant’s DBA under Section 3.2.2.2;<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>(3) The countryName under Section 3.2.2.3;<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>(4) The Applicant’s individual identity under Section 3.2.3; and<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>(5) The Applicant’s authorization to issue the Certificate under Section 3.2.5, provided that the CA receives or confirms the request for a Certificate using a Reliable Method of Communication.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Thoughts?</span><o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I suppose it comes as no surprise that I'm in favor of more verifications, not less, and always to the current Guidelines :)<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>There are some real issues with that language in the EVGs, and I'd love to see that stricken.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>For example, given a certificate issued for 39 months, and a request comes in at 38 months, how long can the certificate be valid? I think your intent would be to say "1 month", but I don't think the proposed change would accomplish that. 
Instead, I fear it would/could allow for 39 months (and then, 77 months since the original validation, another 39-month cert could be issued).<o:p></o:p></p></div></div></div></div></div></body></html>