<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">The ‘ballot’ is the thing that includes the ‘redline or comparison’, bylaws section 2.3(a). If it doesn’t have one of those, it’s not a ballot. So the redline is definitely part of the ballot and if there’s some confusion it can be consulted to make it clear what change was voted on.</div><div class=""><br class=""></div><div class="">In addition, the redline has to be against a specific version of the guidelines. If that wasn’t done properly, to the point where there’s a question as to what the ballot means or where votes might have been made based on the incorrect information, then I’d think the ballot would be invalid.</div><br class=""><div><blockquote type="cite" class=""><div class="">On 16 May 2017, at 1:15 pm, Ryan Sleevi via Public <<a href="mailto:public@cabforum.org" class="">public@cabforum.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Yup. I'm curious for Apple's and Amazon's feedback, since they've been most active in bylaw discussions :)<div class=""><br class=""></div><div class="">We've got several paths to clear this up, hence my straw poll outlining options I could think of that would allow us to do so (trying to do so w/in 2 weeks - e.g. 
prior to the IP Review period expiring)</div></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Tue, May 16, 2017 at 3:44 PM, Ben Wilson <span dir="ltr" class=""><<a href="mailto:ben.wilson@digicert.com" target="_blank" class="">ben.wilson@digicert.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple" class=""><div class="m_-3900974792250967014WordSection1"><p class="MsoNormal"><a name="m_-3900974792250967014__MailEndCompose" class="">I think the end goal is to have a version 1.6.3 of the EV Guidelines with the language indicated in the redlined version of Appendix F that I circulated a short while ago. So I’d prefer that we find there was no ambiguity and that Kirk start the review period over with the correct language and we call that good, but of course the cleanest route would be that Ballot 198 be declared defective because of ambiguity and a new ballot be presented for a new vote. Fortunately this issue only affects the EV Guidelines, which doesn’t have any ballots in play, as far as I know. 
</a><span class=""><u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span class=""><u class=""></u> <u class=""></u></span></p><span class=""></span><p class="MsoNormal"><b class="">From:</b> Ryan Sleevi [mailto:<a href="mailto:sleevi@google.com" target="_blank" class="">sleevi@google.com</a>] <br class=""><b class="">Sent:</b> Tuesday, May 16, 2017 12:39 PM<span class=""><br class=""><b class="">To:</b> CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org" target="_blank" class="">public@cabforum.org</a>><br class=""></span><b class="">Cc:</b> Ben Wilson <<a href="mailto:ben.wilson@digicert.com" target="_blank" class="">ben.wilson@digicert.com</a>><br class=""><b class="">Subject:</b> Re: [cabfpub] Revised Notice of Review Period - Ballot 198 - .Onion Revisions<u class=""></u><u class=""></u></p><div class=""><div class="h5"><p class="MsoNormal"><u class=""></u> <u class=""></u></p><div class=""><p class="MsoNormal">As Ben has highlighted, the result of 198 created a new set of issues.<u class=""></u><u class=""></u></p><div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p></div><div class=""><p class="MsoNormal">Kirk's original message includes the full text of the ballot (MOTION BEGINS), which, unfortunately, used text different from what was adopted in Ballot 144 (and part of the current EVGs) when Jeremy made his modifications.<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p></div><div class=""><p class="MsoNormal">In examining 198 - <a href="https://cabforum.org/pipermail/public/2017-April/010706.html" target="_blank" class="">https://cabforum.org/<wbr class="">pipermail/public/2017-April/<wbr class="">010706.html</a> - it's clear in Jeremy's redlined versions (which, mistakenly, I reviewed as truth), the 'intent' was a small change. 
See <a href="https://cabforum.org/pipermail/public/attachments/20170424/80683ba2/attachment-0001.pdf" target="_blank" class="">https://cabforum.org/<wbr class="">pipermail/public/attachments/<wbr class="">20170424/80683ba2/attachment-<wbr class="">0001.pdf</a><u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p></div><div class=""><p class="MsoNormal">However, as Balloted, it requires a full replacement of the text adopted in 144, in a way that's structurally incompatible with the ASN.1 encoding.<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p></div><div class=""><p class="MsoNormal">Worse, this is something that was discussed during the voting reform discussions - both situations where redlines and text differ (as in this case) and questions about redlining as 'source of truth'. We tried to address it as best as possible, but also somewhat punted the issue as unlikely :)<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p></div><div class=""><p class="MsoNormal">I think it's worth highlighting this concern broadly, because we have several possible interpretations:<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p></div><div class=""><p class="MsoNormal">1) The MOTION BEGINS/MOTION ENDS is authoritative (e.g. 
as Kirk has distributed)<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"> - In this case, we've now introduced a bug into the processing that is not easily undone.<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"> - Supporting Argument: This is how we've always done things.<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"> - Solution Suggestion: Hold a ballot immediately to try to fix this before the end of the IP review.<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"> - Approach 1: Nullify the ballot? That is, to keep the version of the BRs the same.<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"> - Approach 2: Direct the Chair not to publish any new versions of the BRs (thus triggering compliance for CAs) until the matter is resolved<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"> - Approach 3: Introduce a new ballot with a new OID for the service descriptor that restores the 144 text<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"> - Implications:<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"> - If folks don't vote on this, we're stuck in a bad place (effectively, no one should issue EV onion certs, because they'd pose a compat/interop risk)<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p></div><div class=""><p class="MsoNormal">2) The redline text is authoritative (e.g. 
as Ben has distributed)<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"> - In this case, we're saying that the PDFs, not the ballot text, are what is authoritative.<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"> - This means you can no longer read ballots on our website "as is", but must ALSO view/post the supporting materials<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"> - Supporting Argument: The Bylaws seem to support this with respect to Section 2.3(a).<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"> - Solution Suggestion: Hold a ballot to agree on this interpretation for this specific ballot<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"> - Solution Suggestion p2: Hold a (same/different?) ballot to the bylaws clarify this for future ballots<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"> - Implications:<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"> - We should figure out what this means for future ballots if we go this route.<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"> - It also means our ballot postings to the website are probably incomplete<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p></div><div class=""><p class="MsoNormal">3) The ballot is invalid (due to the inconsistency)<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"> - In this case, we're saying the ballot is null because of the mismatch<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"> - Supporting Argument: The Bylaws in 2.3(a) indicate that a Draft Guideline Ballot proposing a Final Maintenance Guideline will include a redline or comparison, and that such redline or comparison be made against the Final Guideline section(s) as they exist at 
the time the ballot is proposed. Jeremy's redline was not against that section, ergo, was not a valid ballot.<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"> - Solution Suggestion: Hold a ballot to agree on this interpretation for this specific ballot<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"> - Solution Suggestion p2: Adopt it fixed<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p></div><div class=""><p class="MsoNormal">In short, I think we should probably resolve this with a ballot - which can be completed in two weeks. The IP Review Notice has been triggered, but it's unclear as to whether Review Notices need to also include the Ballot text itself (e.g. the Ballot is, presumably, what was posted to <a href="mailto:public@cabforum.org" target="_blank" class="">public@cabforum.org</a> and voted on - which included the redline changes). That is, it's unclear whether the text Kirk included in the Review Notice - which is different than the ballot (since it omits the redlines) - supersedes/replaces the Ballot itself.<u class=""></u><u class=""></u></p></div><div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p></div><div class=""><p class="MsoNormal">Does this capture every possible interpretation? 
Are there others?<u class=""></u><u class=""></u></p></div></div><div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p><div class=""><p class="MsoNormal">On Tue, May 16, 2017 at 1:00 PM, Ben Wilson via Public <<a href="mailto:public@cabforum.org" target="_blank" class="">public@cabforum.org</a>> wrote:<u class=""></u><u class=""></u></p><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in" class=""><div class=""><div class=""><p class="MsoNormal"><a name="m_-3900974792250967014_m_-8540200511719743534__MailEndCompose" class="">All,</a><u class=""></u><u class=""></u></p><p class="MsoNormal">Attached is the redlined version of Appendix F of the EV Guidelines (v.1.6.3) based on the language of the ballot. There was a discrepancy between the earlier PDF attachment to the ballot and the text in email that announced the ballot. It appears that the PDF was based on an old, out-of-date version of Appendix F. <u class=""></u><u class=""></u></p><p class="MsoNormal">In the attached redlined version I have tried to preserve the intent of Ballot 198. I will be posting version 1.6.3 of the EV Guidelines to the CA/Browser Forum website shortly. 
All versions (PDF/Word/redlined/w-o redlining) will be uploaded to here <a href="https://cabforum.org/wiki/EV" target="_blank" class="">https://cabforum.org/wiki/EV</a> on the wiki as well.<u class=""></u><u class=""></u></p><p class="MsoNormal">Yours truly,<u class=""></u><u class=""></u></p><p class="MsoNormal">Ben Wilson <u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p><div class=""><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in" class=""><p class="MsoNormal"><b class="">From:</b> Public [mailto:<a href="mailto:public-bounces@cabforum.org" target="_blank" class="">public-bounces@<wbr class="">cabforum.org</a>] <b class="">On Behalf Of </b>Kirk Hall via Public<br class=""><b class="">Sent:</b> Monday, May 8, 2017 5:18 PM<br class=""><b class="">To:</b> CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org" target="_blank" class="">public@cabforum.org</a>><br class=""><b class="">Cc:</b> Kirk Hall <<a href="mailto:Kirk.Hall@entrustdatacard.com" target="_blank" class="">Kirk.Hall@entrustdatacard.com</a><wbr class="">><br class=""><b class="">Subject:</b> [cabfpub] Revised Notice of Review Period - Ballot 198 - .Onion Revisions<u class=""></u><u class=""></u></p></div></div><div class=""><div class=""><p class="MsoNormal"> <u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="color:#1f497d" class="">Sorry, got end date wrong before. 
End date is June 8 at 01:00 UTC.</span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="color:#1f497d" class=""> </span><u class=""></u><u class=""></u></p><p class="MsoNormal"><b class=""><span style="font-size:12.0pt;font-family:"Arial",sans-serif" class="">NOTICE OF REVIEW PERIOD – BALLOT 198</span></b><u class=""></u><u class=""></u></p><p class="MsoNormal" align="center" style="text-align:center"><b class=""><span style="font-size:12.0pt;font-family:"Arial",sans-serif" class=""> </span></b><u class=""></u><u class=""></u></p><p class="MsoNormal" style="text-autospace:none"><span style="font-size:12.0pt;font-family:"Arial",sans-serif" class="">This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum’s Intellectual Property Rights Policy (v1.2). This Review Period is for Final Maintenance Guidelines (30 day Review Period). </span><span style="font-size:12.0pt;font-family:TimesNewRomanPSMT" class="">A complete draft of the Draft Guideline that is the subject of this Review Notice is attached.</span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Arial",sans-serif" class=""> </span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.25in"><span style="font-size:12.0pt;font-family:"Arial",sans-serif" class="">Date Review Notice Sent: May 8, 2017</span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.25in"><span style="font-size:12.0pt;font-family:"Arial",sans-serif" class=""> </span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.25in"><span style="font-size:12.0pt;font-family:"Arial",sans-serif" class="">Ballot for Review: Ballot 198 - .Onion Revisions</span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.25in"><span style="font-size:12.0pt;font-family:"Arial",sans-serif" class=""> </span><u class=""></u><u class=""></u></p><p class="MsoNormal" 
style="margin-left:.25in"><span style="font-size:12.0pt;font-family:"Arial",sans-serif" class="">Start of Review Period: May 9, 2017 at 01:00 UTC</span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.25in"><span style="font-size:12.0pt;font-family:"Arial",sans-serif" class=""> </span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.25in"><span style="font-size:12.0pt;font-family:"Arial",sans-serif" class="">End of Review Period: June <span style="color:#1f497d" class="">8</span>, 2017 at 01:00 UTC</span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.25in"><span style="font-size:12.0pt;font-family:"Arial",sans-serif" class=""> </span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="text-autospace:none"><span style="font-size:12.0pt;font-family:"Arial",sans-serif" class="">Please forward any Exclusion Notice relating to Essential Claims to the Chair by email to </span><a href="mailto:kirk.hall@entrustdatacard.com" target="_blank" class=""><span style="font-size:12.0pt;font-family:"Arial",sans-serif" class="">kirk.hall@entrustdatacard.com</span></a><span style="font-size:12.0pt;font-family:"Arial",sans-serif" class=""> before the end of the Review Period. See current version of CA/Browser Forum Intellectual Property Rights Policy for details. 
</span><i class=""><span style="font-family:"Arial",sans-serif" class="">(Optional form of Exclusion Notice is attached)</span></i><u class=""></u><u class=""></u></p><p class="m_-3900974792250967014m-8540200511719743534line867"><strong class=""><span style="font-family:"Arial",sans-serif" class="">Ballot 198 - .Onion Revisions</span></strong><u class=""></u><u class=""></u></p><p class="m_-3900974792250967014m-8540200511719743534line874" style="background:white"><span style="font-family:"Arial",sans-serif" class="">-- MOTION BEGINS –</span><u class=""></u><u class=""></u></p><p class="m_-3900974792250967014m-8540200511719743534line874" style="background:white"><span style="font-family:"Arial",sans-serif" class="">Revise Appendix F, Section 1 to read as follows:</span><u class=""></u><u class=""></u></p><p class="MsoNormal"><b class=""><span style="font-size:12.0pt;font-family:"Arial",sans-serif" class="">Appendix F – Issuance of Certificates for .onion Domain Names</span></b><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Arial",sans-serif" class="">A CA may issue an EV Certificate containing the .onion Domain Name provided that issuance complies with the requirements set forth in this Appendix:</span><u class=""></u><u class=""></u></p><ol start="1" type="1" class=""><li class="MsoNormal" style="margin-left:0in"><span style="font-size:12.0pt;font-family:"Arial",sans-serif" class="">CAB Forum Tor Service Descriptor Hash extension (2.23.140.1.31)</span><u class=""></u><u class=""></u></li></ol><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Arial",sans-serif" class="">The CAB Forum extension in of the TBSCertificate to convey hashes of keys related to .onion addresses. 
The CA MUST include the Tor Service Descriptor Hash extension using the following format:</span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Arial",sans-serif" class="">cabf-TorServiceDescriptorHash OBJECT IDENTIFIER ::= { 2.23.140.1.31 }</span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Arial",sans-serif" class="">TorServiceDescriptorHash:: = SEQUENCE { </span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="text-indent:.5in"><span style="font-size:12.0pt;font-family:"Arial",sans-serif" class="">algorithm AlgorithmIdentifier</span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="text-indent:.5in"><span style="font-size:12.0pt;font-family:"Arial",sans-serif" class="">subjectPublicKeyHash BIT STRING }</span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Arial",sans-serif" class="">Where the AlgorithmIdentifier is a hashing algorithm (defined in RFC 6234) performed over the raw Public Key of the .onion service and SubjectPublicKeyHash is the value of the hash output of the raw Public Key.</span><u class=""></u><u class=""></u></p><p class="m_-3900974792250967014m-8540200511719743534line874" style="background:white"><span style="font-family:"Arial",sans-serif" class="">--Motion Ends--</span><u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p></div></div></div></div><p class="MsoNormal" style="margin-bottom:12.0pt"><br class="">______________________________<wbr class="">_________________<br class="">Public mailing list<br class=""><a href="mailto:Public@cabforum.org" target="_blank" class="">Public@cabforum.org</a><br class=""><a href="https://cabforum.org/mailman/listinfo/public" target="_blank" class="">https://cabforum.org/mailman/<wbr class="">listinfo/public</a><u class=""></u><u class=""></u></p></blockquote></div><p 
class="MsoNormal"><u class=""></u> <u class=""></u></p></div></div></div></div></div></blockquote></div><br class=""></div>
</div></blockquote></div><br class=""></body></html>