<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 27, 2017 at 6:04 PM, Kirk Hall via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="m_-6450745321111088823WordSection1">
<p class="MsoNormal"><span style="color:rgb(80,0,80)">Gerv, I have a question on the actual implementation of your proposal – would your proposal require all aspects of domain validation to be done by employees of the CA? </span></p></div></div></blockquote><div><br></div><div>Yes</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div class="m_-6450745321111088823WordSection1"><p class="MsoNormal"><span style="color:rgb(80,0,80)">Is everyone who is not an employee considered a DTP?</span></p></div></div></blockquote><div><br></div><div>As required in the Baseline Requirements, yes.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div class="m_-6450745321111088823WordSection1"><p class="MsoNormal"><br></p><div><div class="h5"><p class="MsoNormal"><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">At Trend Micro, when validating some governments and enterprises in Central and South America, we relied on law firms in the countries involved to (1) obtain necessary validation documents confirming the legal name(s) of the applicants
(sometimes they had more than one legal name), and then (2) comparing the legal name with the name information in WhoIs. It was invaluable to get the help and interpretation of people in-country, who will know what common abbreviations mean, whether Plaza
de la Republica is the same as Bolivar Avenue, etc. Likewise, abbreviations in the WhoIs name may be easy for local people to interpret against the confirmed identity names, but harder for someone who speaks Spanish living in Cupertino or Ottawa to interpret.
It makes for much more accurate domain vetting. Their research and findings (and recommendations) would be translated to English and bundled up for our vetting teams, then included in the vetting files and were subject to audits. </p></div></div></div></div></blockquote><div><br></div><div>None of this is impacted by Gerv's proposal.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div class="m_-6450745321111088823WordSection1"><div><div class="h5"><p class="MsoNormal">
<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Is a local law firm in that case a DTP, and would CAs be prohibited from using them to verify domains? (By the way – for some large enterprises and government agencies, the idea that they can respond to emails to verify domains or put
something on their web page is just not practical – the people ordering the certs often aren’t sure how to make that happen, and prefer a WhoIs lookup.)</p></div></div></div></div></blockquote><div><br></div><div>Yes, it would be. </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div class="m_-6450745321111088823WordSection1"><div class="h5">
<p class="MsoNormal">Law firms aside, suppose MegaCA has a growing number of customers in Freedonia. Again, you will get much better and more accurate results from someone in-country in Freedonia (who is a native and local speaker of Freedonian, knows customs
in names and addresses, abbreviations, etc.) than an employee of MegaCA who lives in Cupertino or Ottawa and speaks fairly good Freedonian. I have seen this with Japanese vetters – the ones in Japan can give a more accurate result (based on local knowledge),
like knowing which neighborhood in Tokyo should go in the L field, etc.</p></div></div></div></blockquote><div><br></div><div>And this would not be affected.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div class="m_-6450745321111088823WordSection1"><div class="h5">
<p class="MsoNormal">Which also brings up domain verification in places that use non-Roman alphabets – local is better.</p></div></div></div></blockquote><div><br></div><div>Can you please explain why you believe this to be, considering that domains are expressed as A-labels using IDNA syntax (aka Punycode)? </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div class="m_-6450745321111088823WordSection1"><div class="h5">
<p class="MsoNormal">Would all of these cases, using local people to do portions of the domain verification work, be outlawed under your ballot?</p></div></div></div></blockquote><div><br></div><div>No</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div class="m_-6450745321111088823WordSection1"><div class="h5">
<p class="MsoNormal">Also, please consider that not all companies (including CAs) want to make everyone who does work for them an employee. </p></div></div></div></blockquote><div><br></div><div>That's great. Please consider that I think all companies, hopefully including CAs, want systems to be secure. This only affects the domain validation portion, which, through the power of a global Internet, is something that does not require being in Freedonia or speaking Freedonian to support.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div class="m_-6450745321111088823WordSection1"><div class="h5">
<p class="MsoNormal">So you see, the situation is more complex than we ever discussed at the F2F meeting.<u></u><u></u></p>
</div></div>
</div>
</blockquote></div><br></div><div class="gmail_extra">Actually, these points were discussed during the F2F meeting, and I am once again saddened by the non-participation.</div></div>