<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:903873730;
mso-list-template-ids:1972560748;}
@list l1
{mso-list-id:2076736013;
mso-list-template-ids:409506864;}
@list l1:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">One other comment. Remember that for the last few months, new Methods 1-4 and 7-10 were actually included under Method 11 “any other method” after Ballot 181’s
effective date, and that situation will continue until the effective date of Ballot 190. Also, the same is true for any validations that followed old Method 7 “any other method” prior to the effective date of Ballot 169. So be very careful in saying anything
in Ballot 190 that would invalidate validations done prior to Ballot 190 under “any other method” so long as they complied with any of Methods 1-10 of the new methods or Methods 1-6 of the old methods.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I would be open to saying that any prior vetting done under old Method 7 or more recent Method 11 “any other method” must be revalidated upon the effective date
of Ballot 190 IF they did not follow EITHER Methods 1-6 (as the existed before Ballot 169) or Methods 1-10 (as put forward in Ballot 169). In other words, the ONLY validations that have to be redone before the expiration of the re-use period are validations
that were done that did not comply with either old Methods 1-6 or new Methods 1-10. That should flush out any unknown and unsecure validations that occurred in the past.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Public [mailto:public-bounces@cabforum.org]
<b>On Behalf Of </b>Wayne Thayer via Public<br>
<b>Sent:</b> Thursday, April 27, 2017 8:53 PM<br>
<b>To:</b> CA/Browser Forum Public Discussion List <public@cabforum.org>; Ryan Sleevi <sleevi@google.com><br>
<b>Cc:</b> Wayne Thayer <wthayer@godaddy.com><br>
<b>Subject:</b> [EXTERNAL]Re: [cabfpub] Ballot 190<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Jeremy,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">>>If there are still concerns, should we drop the reuse language altogether?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">I would support this ballot regardless of what explicit reuse language is included, but I would like to see some explicit statement on reuse included, even if the statement
is “you can’t reuse data/documents from non-compliant methods”.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Given the desire to remove “any other method” from the BRs ASAP, I think either of the compromises you proposed is preferable to a delayed effective date for the entire ballot,
which is what I suspect would be required to gain consensus if the reuse language was dropped.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Wayne
<o:p></o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-family:"Calibri",sans-serif;color:black">From:
</span></b><span style="font-family:"Calibri",sans-serif;color:black">Public <<a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>> on behalf of Jeremy Rowley via Public <<a href="mailto:public@cabforum.org">public@cabforum.org</a>><br>
<b>Reply-To: </b>CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org">public@cabforum.org</a>><br>
<b>Date: </b>Thursday, April 27, 2017 at 3:35 PM<br>
<b>To: </b>Ryan Sleevi <<a href="mailto:sleevi@google.com">sleevi@google.com</a>>, CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org">public@cabforum.org</a>><br>
<b>Cc: </b>Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>><br>
<b>Subject: </b>Re: [cabfpub] Ballot 190<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Sorry – that was pretty confusing. I revised the questions in way that I think answers most of your question:</span><o:p></o:p></p>
<div>
<div>
<div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<ol start="1" type="1">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo3">
If we include the validation WG proposed language in Section 3.2.2.4, does that adequately address the concerns with the previous version of ballot 190?<o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo3">
If there are still concerns, should we drop the reuse language altogether? Note that this will require revalidation of all information prior to issuance of new certificates if the original validation was not in accordance with one of these ten sections.<o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo3">
If we add the language to Section 3.2.2.4, would you vote against the ballot because of the document reuse?<o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo3">
If the reuse language proposed was dropped altogether and re-validation became required, would you vote against the ballot?<o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo3">
If you’d vote against the ballot, is there some middle ground that we can reach? For example, could we say that all previous validation information not complaint with the 10 methods must expire 13 months from the date of the ballot? Alternatively, everything
under section 7 expires immediately while documents affected by a modification to 1-6 will remain valid for 825 days? Other proposals.<o:p></o:p></li></ol>
</div>
</div>
</blockquote>
</div>
</div>
<div>
<p class="MsoNormal">Basically, we’re at an impasse on the ballot, and I’m not sure which way the vote would go.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">A couple of comments:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">“I think the general language proposal is a bit awkward - I would rather see it pegged to an explicit minimum version (for example, BRs 1.4.1) and explicitly forbid using a previous "any other method" validation. Is that problematic?”<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">This seems reasonable to me, but I’ll let others chime in.<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">“I think if we're still unable to agree on a timeline such as that - requiring revalidation consistent with the current-3.2.2.4 for anything that was validated under a previous-3.2.2.4 that is no longer permitted - my only other suggestion
would be to require an explicit expression within the certificate that it complies with the current version of 3.2.2.4 at the time of issuance. This would help give Relying Parties the necessary assurances that the CA is committed to security.”<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">This seems reasonable to me as well.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</body>
</html>