<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.gmail-
{mso-style-name:gmail-;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
p.gmail-m-5450277425296329190msolistparagraph, li.gmail-m-5450277425296329190msolistparagraph, div.gmail-m-5450277425296329190msolistparagraph
{mso-style-name:gmail-m_-5450277425296329190msolistparagraph;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thanks Ryan, I just wanted to be sure there was no ambiguity being introduced. I agree with your assessment.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Doug<o:p></o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></a></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Ryan Sleevi [mailto:sleevi@google.com]
<br>
<b>Sent:</b> Thursday, July 6, 2017 11:54 AM<br>
<b>To:</b> Doug Beattie <doug.beattie@globalsign.com>; CA/Browser Forum Public Discussion List <public@cabforum.org><br>
<b>Cc:</b> Gervase Markham <gerv@mozilla.org><br>
<b>Subject:</b> Re: [cabfpub] Ballot 204: Forbid DTPs from doing Domain/IP Ownership Validation<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Thu, Jul 6, 2017 at 11:43 AM, Doug Beattie via Public <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Gerv,</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I realize I just missed the review period, but I wanted to ask a question anyway.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Regarding this statement:</span><o:p></o:p></p>
<pre>"The CA SHALL confirm that, as of the date the Certificate issues, the CA has validated each Fully<span style="font-family:"Cambria Math",serif">‐</span>Qualified Domain Name (FQDN) listed in the Certificate using at least one of the methods listed below, or is within the Domain Namespace of a Fully-Qualified Domain Name (FQDN) that has been validated using at least one of the methods listed below (not including the method defined in section 3.2.2.4.8)."<o:p></o:p></pre>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Is this a valid example:</span><o:p></o:p></p>
<p class="gmail-m-5450277425296329190msolistparagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">-</span><span style="font-size:7.0pt;color:#1F497D">
</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">The Applicant requests the FQDN of
<a href="http://shop.example.com" target="_blank">shop.example.com</a></span><o:p></o:p></p>
<p class="gmail-m-5450277425296329190msolistparagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">-</span><span style="font-size:7.0pt;color:#1F497D">
</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">The CA validates
<a href="http://example.com" target="_blank">example.com</a> (a valid Authorization Domain Name) and approves the FQDN of
<a href="http://www.example.com" target="_blank">www.example.com</a></span><o:p></o:p></p>
<p class="gmail-m-5450277425296329190msolistparagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">-</span><span style="font-size:7.0pt;color:#1F497D">
</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">The Applicant requests the FQDN of
<a href="http://www.example.com" target="_blank">www.example.com</a></span><o:p></o:p></p>
<p class="gmail-m-5450277425296329190msolistparagraph"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">-</span><span style="font-size:7.0pt;color:#1F497D">
</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Since the CA validated
<a href="http://example.com" target="_blank">example.com</a>, then <a href="http://www.example.com" target="_blank">
www.example.com</a> can be issued</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">The reason I ask is that the FQDN of
<a href="http://example.com" target="_blank">example.com</a> was never requested, so technically it may not be a value that can be re-used (perhaps only the FQDNs that were previously requested can be reused and since this was never specifically requested maybe
it can’t be reused). I hope it can be reused as in the example above, and as long as we all agree on the interpretation, I’m comfortable voting for the ballot.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Doug</span><o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks for raising this question, Doug.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">For context, the current BRs for that section read:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">"The CA SHALL confirm that, as of the date the Certificate issues, either the CA or a Delegated Third Party has validated each Fully<span style="font-family:"Cambria Math",serif">‐</span>Qualified Domain Name (FQDN) listed in the Certificate
using at least one of the methods listed below. "<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Gerv's additional clause (of the "or"), does not normatively add or remove capabilities, since the language of the text (with respect to "Authorization Domain Name") means that all methods supporting an ADN (or Base Domain Name) meet the
first criteria, which is all of them.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">On this basis, when the Applicant requests the FQDN of <a href="http://shop.example.com">
shop.example.com</a>, and the CA validates using an ADN, they are entitled to approve
<a href="http://www.example.com">www.example.com</a>. Further, the data or documents used to validate the ADN can be reused for subsequent validations, pursuant with the "Completed confirmations of Applicant authority", as "<a href="http://example.com">example.com</a>"
has a completed confirmation of Applicant authority for that ADN.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Subsequently, for as long as that method remains within the BRs, it's possible to reuse that "Authorization Domain Name authority" to issue additional certificates for subdomains, such as "www". In each case, the FQDN is being authorized
using the "Completed confirmation" of the Authorization Domain Name, and the ADN was validated according to the (current, not previous) BRs.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">If the BRs change how the ADN is validated, it would not necessarily constitute a "completed confirmation" - this is the ambiguity as to whether "initiated within the time period specified in the relevant requirement" retroactively grandfathers
in previous validation methods (which CAs would prefer it does, and I would prefer it doesn't, for security reasons).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Hopefully this clarifies how the use of a completed confirmation of an ADN to subsequently validate an FQDN constitutes the CA having the validated the FQDN, even though the ADN authorization was reused.<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>