<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
How about further specifying that the string '*' (that a Wildcard
Domain Name starts with) is made up of one (1) ASCII character with
code 0x2A?<br>
<br>
(that is, the Unicode "low asterisk" and "asterisk above" characters
are not acceptable there :) )<br>
<br>
If we are going to clarify things, better be super-clear!<br>
<br>
Adriano<br>
<br>
<br>
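<p>An added example, not part of this thread, of Ballot 202 or of the Baseline Requirements: the Python below checks a candidate string against the definitions being discussed. Domain Labels are the characters between the dots (the dots are not labels), a Wildcard Domain Name is the string '*.' followed by a domain name where the asterisk is exactly one ASCII character 0x2A, and strings such as 'www.*.example.com' or a name starting with U+204E LOW ASTERISK are rejected. The label character set (ASCII letters, digits, hyphen and underscore, 1 to 63 characters, with internationalized names expected in A-label form), the sample inputs and the function names are assumptions of the example, not text from the ballot.</p>

```python
from __future__ import annotations

import re
import unicodedata

# The wildcard marker must be exactly one ASCII asterisk, U+002A (0x2A).
ASCII_ASTERISK = "\x2a"

# Assumption of this example (not ballot text): a label is 1-63 ASCII letters,
# digits, hyphens or underscores, so internationalized labels are expected in
# A-label (xn--) form rather than as U-labels.
LABEL_RE = re.compile(r"[A-Za-z0-9_-]{1,63}")


def labels(name: str) -> list[str] | None:
    """Split a name into its Domain Labels: the characters between the dots
    (RFC 5890 section 2.2); the dots themselves are not labels.  Returns None
    when any label is empty, which also rejects a trailing period, since the
    Fully-Qualified Domain Names used in the BRs do not end with one."""
    if not name:
        return None
    parts = name.split(".")
    if any(part == "" for part in parts):
        return None
    return parts


def is_domain_name(name: str) -> bool:
    """A 'domain name' with labels separated by dots.  A '*' label fails the
    label check, so a wildcard anywhere in the string is rejected here."""
    parts = labels(name)
    return parts is not None and all(LABEL_RE.fullmatch(p) for p in parts)


def classify(name: str) -> str | None:
    """'wildcard' for a Wildcard Domain Name (the string '*.' followed by a
    domain name), 'domain' for a plain domain name, None for anything else."""
    if name.startswith(ASCII_ASTERISK + "."):
        return "wildcard" if is_domain_name(name[2:]) else None
    return "domain" if is_domain_name(name) else None


def asterisk_lookalikes(name: str) -> list[tuple[int, str]]:
    """Code points whose Unicode name contains ASTERISK but that are not
    U+002A, e.g. U+204E LOW ASTERISK or U+20F0 COMBINING ASTERISK ABOVE;
    useful for explaining why a 'wildcard' that looks right was rejected."""
    return [
        (ord(ch), unicodedata.name(ch))
        for ch in name
        if ch != ASCII_ASTERISK and "ASTERISK" in unicodedata.name(ch, "")
    ]


if __name__ == "__main__":
    # Constructed sample inputs drawn from the cases argued in the thread.
    for candidate in ["www.example.com", "*.example.net", "server1.mail",
                      "www.*.example.com", "*.*.example.com", "example.com.",
                      "\u204e.example.com"]:
        print(f"{candidate!r:24} -> {classify(candidate)} "
              f"{asterisk_lookalikes(candidate)}")
```

<p>Note that the check is deliberately structural, as the definitions are: 'server1.mail' is classified as a domain name because nothing in the definition requires a public suffix, which is exactly the point raised further down in the thread, and whether a name may actually be issued is a separate question answered by the validation rules in BR 3.2.2.4, not by these definitions.</p>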
<div class="moz-cite-prefix">On 19/07/2017 04:15, Wayne Thayer via
Public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:EA852019-0DFF-4C51-9C4F-FAFBCFE6B05C@godaddy.com">
<div class="WordSection1">
<p class="MsoNormal">Peter – I agree. Adding “starting with” to
the new definition is enough to resolve this concern.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Wayne<o:p></o:p></p>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:12.0pt;color:black">From: </span></b><span
style="font-size:12.0pt;color:black">Peter Bowen
<a class="moz-txt-link-rfc2396E" href="mailto:pzb@amzn.com">&lt;pzb@amzn.com&gt;</a><br>
<b>Date: </b>Tuesday, July 18, 2017 at 7:01 PM<br>
<b>To: </b>Wayne Thayer <a class="moz-txt-link-rfc2396E" href="mailto:wthayer@godaddy.com">&lt;wthayer@godaddy.com&gt;</a>,
CA/Browser Forum Public Discussion List
<a class="moz-txt-link-rfc2396E" href="mailto:public@cabforum.org">&lt;public@cabforum.org&gt;</a><br>
<b>Subject: </b>Re: [cabfpub] [EXTERNAL]Re: Problems with
Ballot 202<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">Wayne, <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Based on Geoff’s recommendation, Ben,
Ryan, and I were going to update the definitions as follows:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><b>Domain Label</b>: A label of a
domain name, as defined in RFC 5890 section 2.2; for
example, the domain name "<a
href="http://www.example.com" moz-do-not-send="true">www.example.com</a>"
is composed of three labels: "www", "example", and
"com".<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><b>Domain Name</b>: A string which
is a ‘domain name’, as defined in RFC 5890 section
2.2, with labels separated by dots, or a Wildcard
Domain Name. For example “<a
href="http://www.example.com" moz-do-not-send="true">www.example.com</a>”
and “*.<a href="http://example.net"
moz-do-not-send="true">example.net</a>” are domain
names.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><b>Wildcard Domain Name</b>: The
string ‘*.’ followed by a ‘domain name’ with labels
separated by dots, as defined in RFC 5890 section 2.2<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I think you make a good point. How
does this work for Wildcard Domain Name?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><b>Wildcard Domain Name</b>: A string
starting with ‘*.’ followed by a ‘domain name’ with
labels separated by dots, as defined in RFC 5890 section
2.2<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I’m not quite sure how to fit “left”
into the definition proposed by Geoff, but I think
“starting with” should make it clear that “www.*.<a
href="http://example.com" moz-do-not-send="true">example.com</a>”
is not acceptable, as it does not start with “*.”.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Do either of these definitions of
Wildcard Domain Name work for you?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Peter<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On Jul 18, 2017, at 6:49 PM, Wayne
Thayer via Public <<a
href="mailto:public@cabforum.org"
moz-do-not-send="true">public@cabforum.org</a>>
wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<p class="MsoNormal">Peter,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Would you consider adding ‘in
the left most Domain Label’ to the definition of
Wildcard Domain Name? While the definition of
Authorization Domain Name contradicts this, it was
pointed out to me that someone unfamiliar with the
history might misinterpret the new definition to
allow something like ‘www.*.<a
href="http://example.com" moz-do-not-send="true">example.com</a>’.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><b>Wildcard Domain Name: </b>A
Domain Name consisting of a single asterisk
character ("*") [<i>in the left most Domain Label</i>]
followed by a single full stop character (".")
followed by a Fully-Qualified Domain Name.
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Wayne<o:p></o:p></p>
</div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<div>
<p class="MsoNormal"><b><span
style="font-size:12.0pt">From: </span></b><span
style="font-size:12.0pt">Public <<a
href="mailto:public-bounces@cabforum.org"
moz-do-not-send="true">public-bounces@cabforum.org</a>>
on behalf of Peter Bowen via Public <<a
href="mailto:public@cabforum.org"
moz-do-not-send="true">public@cabforum.org</a>><br>
<b>Reply-To: </b>Peter Bowen <<a
href="mailto:pzb@amzn.com"
moz-do-not-send="true">pzb@amzn.com</a>>,
CA/Browser Forum Public Discussion List <<a
href="mailto:public@cabforum.org"
moz-do-not-send="true">public@cabforum.org</a>><br>
<b>Date: </b>Monday, July 17, 2017 at 6:48 PM<br>
<b>To: </b>Kirk Hall <<a
href="mailto:Kirk.Hall@entrustdatacard.com"
moz-do-not-send="true">Kirk.Hall@entrustdatacard.com</a>><br>
<b>Cc: </b>CA/Browser Forum Public Discussion
List <<a href="mailto:public@cabforum.org"
moz-do-not-send="true">public@cabforum.org</a>><br>
<b>Subject: </b>Re: [cabfpub] [EXTERNAL]Re:
Problems with Ballot 202</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">Kirk,<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">The only new definitions in
ballot 202 are “Domain Label” and “Wildcard
Domain Name”. <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">“Domain Label” was defined so
we could define the characters we wanted to
allow underscores in a label.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">“Wildcard Domain Name” was
defined to help make it very clear that these
are allowed. One of the concerns that has been
heard multiple times is that it is not clear if
“Fully-Qualified Domain Name” includes names
with wildcards. This ballot resolves this
ambiguity by clearly stating that “Domain Name”
means both wildcard and fully-qualified domain
names.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">Geoff's and my responses
crossed. Geoff suggested:<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><b>Domain Label</b>: A
label of a domain name, as defined in RFC
1034.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><b>Domain Name</b>: A
string which is a ‘domain name’ as defined in
RFC 1034 with labels separated by dots, or a
Wildcard Domain Name.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><b>Domain Namespace </b>(of
a domain): All domains which are subdomains of
the referenced domain, as described in RFC
1034.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><b>Fully Qualified Domain
Name</b>: A domain name interpreted relative
to the root. The Fully Qualified Domain Names
used in this document do not end with a
period.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><b>Wildcard Domain Name</b>:
The string ‘*.’ followed by a ‘domain name’
with labels separated by dots as defined in
RFC 1034.<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">I would suggest the following
as slight updates, in order to support
Internationalized Domain Names:<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><b>Domain Label</b>: A label
of a domain name, as defined in RFC 5890 section
2.2; for example, the domain name "<a
href="http://www.example.com/"
moz-do-not-send="true">www.example.com</a>" is
composed of three labels: "www", "example", and
"com".<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><b>Domain Name</b>: A
string which is a ‘domain name’, as defined in
RFC 5890 section 2.2, with labels separated by
dots, or a Wildcard Domain Name. For example
“<a href="http://www.example.com/"
moz-do-not-send="true">www.example.com</a>”
and “*.<a href="http://example.net/"
moz-do-not-send="true">example.net</a>” are
domain names.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><b>Wildcard Domain Name</b>:
The string ‘*.’ followed by a ‘domain name’
with labels separated by dots, as defined in
RFC 5890 section 2.2<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal">I suggest we hold any updates
for Fully Qualified Domain Name and Domain
Namespace for ballot 190 and limit the changes
to Authorization Domain Name and Base Domain
Name in this ballot to only remove “Fully
Qualified”. <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">Do you feel you could support
this ballot if it had these definitions instead?<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">Peter<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">On Jul 17, 2017, at 5:01
PM, Kirk Hall <<a
href="mailto:Kirk.Hall@entrustdatacard.com"
moz-do-not-send="true">Kirk.Hall@entrustdatacard.com</a>>
wrote:<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="color:#1F497D">I did know that
some of the definitions were unchanged
from the past – but when you look at the
body of definitions in 202 taken
together (including the new ones that
rely on the old, unchanged, confusing
ones) they seem open to multiple
interpretations and frankly get so
complex that it’s hard to describe the
rules to another person – not good from
a standpoint of uniform applications and
compliance.</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span
style="color:#1F497D"> </span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span
style="color:#1F497D">I want to think a
bit more about the simplified
definitions just posted by Geoff, but I
much prefer that kind of approach –
short, simple sentences that mostly
stand on their own, and make reference
to RFCs where appropriate – to a series
of “nesting”, ever widening definitions
where each depends on the other.</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span
style="color:#1F497D"> </span><o:p></o:p></p>
</div>
</div>
<div>
<div style="border:none;border-top:solid
#E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<div>
<div>
<p class="MsoNormal"><b>From:</b><span
class="apple-converted-space"> </span>Peter
Bowen [<a href="mailto:pzb@amzn.com"
moz-do-not-send="true"><span
style="color:purple">mailto:pzb@amzn.com</span></a>]<span
class="apple-converted-space"> </span><br>
<b>Sent:</b><span
class="apple-converted-space"> </span>Monday,
July 17, 2017 4:56 PM<br>
<b>To:</b><span
class="apple-converted-space"> </span>Kirk
Hall <<a
href="mailto:Kirk.Hall@entrustdatacard.com"
moz-do-not-send="true"><span
style="color:purple">Kirk.Hall@entrustdatacard.com</span></a>>;
CA/Browser Forum Public Discussion
List <<a
href="mailto:public@cabforum.org"
moz-do-not-send="true"><span
style="color:purple">public@cabforum.org</span></a>><br>
<b>Subject:</b><span
class="apple-converted-space"> </span>[EXTERNAL]Re:
[cabfpub] Problems with Ballot 202<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"> </span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"> </span><o:p></o:p></p>
</div>
</div>
<div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif">On Jul 17,
2017, at 3:28 PM, Kirk Hall via
Public <<a
href="mailto:public@cabforum.org"
moz-do-not-send="true"><span
style="color:purple">public@cabforum.org</span></a>>
wrote:</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"> </span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">Here are the
difficulties I’m having
understanding the new (very
complex) Ballot 202 definitions
shown below. I can’t imagine
explaining this to our engineering
and vetting teams, and I think
people will make mistakes.
Assuming these definitions parse
out, at a bare minimum we should
give easy examples for each
definition. These are arranged in
a logical order, not
alphabetically.<o:p></o:p></p>
</div>
</div>
</div>
</div>
</blockquote>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif">Kirk,</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:'Times New Roman',serif">Thank you for
the feedback. I’ve added comments
inline, but one overarching note
is that many of the definitions you
list are unchanged in this ballot.
In several of the other cases the
portion of the definition that seems
to be causing concern is from the
current BRs. I tried hard to avoid
changing definitions and minimize
changes to existing ones.</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"> </span><o:p></o:p></p>
</div>
</div>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal">Also – we won’t
really know if these definitions are
good and useful unless we compare
them to the new text of BR 3.2.2.4,
which defines how we are to do
validation. Last week when we
pulled back Ballot 190 it was to
allow Peter time to tune up the
definition of Authorized Domain Name
in Ballot 190 in the context of BR
3.2.2.4 (so we could remove the
Notes that had been added to Ballot
190), but to my surprise, the new
definitions have shown up in Ballot
202 instead – I think that’s a
mistake. <o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif">This ballot
has been in discussion for months.
As noted below, terms like
“Authorization Domain Name” are not
included in this ballot; the text
quoted is from the current BRs and
is unmodified.</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"><br>
<br>
<br>
<br>
</span><o:p></o:p></p>
</div>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"
style="margin-bottom:8.0pt;line-height:11.55pt;background:white;background-position:initial
initial;background-repeat:initial initial">
As recently as July 4, Ben said this
Ballot 202 would cover the following four
subjects: (1) adds dnQualifier as an
allowed attribute for all certificate
types (including DV), (2) adds ASN.1 info
on the EV jurisdiction attribute types,
(3) adds language to the EV guidelines to
clarify that CAs may limit their aggregate
liabilities, (4) allows underscores in
domain names and clarifies what can go in
common names. Why did the authors decide
to include changes to crucial definitions
applicable to domain validation at the
same time, but not allow discussion in a
pre-ballot?<o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal">At this point,
Entrust is inclined to vote no – not
because we necessarily oppose the
ballot’s aims, but because there are
some questions and no time to
resolve them before voting starts.<o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif">This ballot
only covers (4). I would ask that
you please double check the current
BRs to confirm that many of the
definitions are already present and
are not introduced in the ballot.</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"><br>
<br>
<br>
<br>
</span><o:p></o:p></p>
</div>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal">Here are our
concerns about the new definitions.
Again, it would be nice to have more
time to discuss, and not start
voting on Wednesday.<o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"> </span><o:p></o:p></p>
</div>
</div>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><b>Domain
Label:<span
class="apple-converted-space"> </span></b>An
individual component of a Domain
Name. <span
class="apple-converted-space"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
<div style="margin-left:.5in">
<div>
<div>
<p class="MsoNormal"><span
style="color:red">[What does
this mean – “component”? Is a
period a Domain Label? A couple
of letters? This seems circular
with the Domain Name definition
below. Did you mean “node” and
not “component”? At a minimum,
give examples – “In<span
class="apple-converted-space"> </span><a
href="http://mail.example.com/" moz-do-not-send="true"><span
style="color:#954F72">mail.example.com</span></a>,
the components are “mail”,
“example”, and “com”. The
period “.” is not a component,
nor are characters that are less
than a full node such as “exa”.]</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</blockquote>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif">This is the
terminology from RFC 5890 section
2.2: <b>DNS-Related Terminology.</b>
It is the characters between
periods; the period itself is not
included in the component. See <a
href="https://tools.ietf.org/html/rfc5890#section-2.2"
moz-do-not-send="true"><span
style="color:purple">https://tools.ietf.org/html/rfc5890#section-2.2</span></a></span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"> </span><o:p></o:p></p>
</div>
</div>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal"><b> </b><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><b>Domain Name: <span
class="apple-converted-space"> </span></b>A
set of one or more Domain Labels,
each separated by a single full stop
character ("."). Fully-Qualified
Domain Names and Wildcard Domain
Names are Domain Names. <o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
<div style="margin-left:.5in">
<div>
<div>
<p class="MsoNormal"><span
style="color:red">[Again, somewhat
circular – Domain Label says it’s
a component of a Domain Name, and
Domain Name says it’s made up of
Domain Labels… never fully
defined. </span><o:p></o:p></p>
</div>
</div>
</div>
<div style="margin-left:.5in">
<div>
<div>
<p class="MsoNormal"><span
style="color:red"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div style="margin-left:.5in">
<div>
<div>
<p class="MsoNormal"><span
style="color:red">Also, saying
that FQDNs and Wildcard DNs are
DNs might work, but need to study
the rest of the text. </span><o:p></o:p></p>
</div>
</div>
</div>
<div style="margin-left:.5in">
<div>
<div>
<p class="MsoNormal"><span
style="color:red"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div style="margin-left:.5in">
<div>
<div>
<p class="MsoNormal"><span
style="color:red">Also, this
definition does not require a
domain name to end in a gTLD or
ccTLD, so server1.mail qualifies
as a Domain Name? Might cause
trouble with other definitions.]</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif">You are
correct, “server1.mail” is a Domain
Name. I’m open to refining this
definition to avoid the circular
terminology.</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"><br>
<br>
<br>
<br>
</span><o:p></o:p></p>
</div>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal"><b>Domain
Namespace:</b> The set of all
possible Domain Names that are
subordinate to a single node in the
Domain Name System.<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
<div style="margin-left:.5in">
<div>
<div>
<p class="MsoNormal"><span
style="color:red">[Unclear –
“subordinate to a single node in
the Domain Name System”. So for<span
class="apple-converted-space"> </span><a
href="http://server1.mail.example.com/" moz-do-not-send="true"><span
style="color:#954F72">server1.mail.example.com</span></a>,
is “com” part of the Domain
Namespace, or only
server1.mail.example? Also, you
say in the definition of Domain
Name that an FQDN is a Domain
Name, so under the Definition of
Domain Namespace, is the entire
FQDN (including .com) meant to be
subordinate to a single node in
the Domain Name System? Would
that require<span
class="apple-converted-space"> </span><a
href="http://server1.mail.example.com.com/" moz-do-not-send="true"><span
style="color:#954F72">server1.mail.example.com.</span></a><b><a
href="http://server1.mail.example.com.com/" moz-do-not-send="true"><span
style="color:#954F72">com</span></a></b>,
with the second “.com” being the
single node?</span><o:p></o:p></p>
</div>
</div>
</div>
<div style="margin-left:.5in">
<div>
<div>
<p class="MsoNormal"><span
style="color:red"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div style="margin-left:.5in">
<div>
<div>
<p class="MsoNormal"><span
style="color:red">In the example<span
class="apple-converted-space"> </span><a
href="http://server1.mail.example.com/" moz-do-not-send="true"><span
style="color:#954F72">server1.mail.example.com</span></a>,
“server1” and “mail” are
subordinate to “example”, so does
that mean “server1.mail” is a
Domain Namespace that is
subordinate to the node “example”?</span><o:p></o:p></p>
</div>
</div>
</div>
<div style="margin-left:.5in">
<div>
<div>
<p class="MsoNormal"><span
style="color:red"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div style="margin-left:.5in">
<div>
<div>
<p class="MsoNormal"><span
style="color:red">Also – we never
use Domain Namespace in the rest
of the definitions. Where is it
used, and does this definition
make sense there?]</span> <o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif">This
definition is from the current BRs
and is unmodified in this ballot.</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"><br>
<br>
<br>
<br>
</span><o:p></o:p></p>
</div>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal"><b>Fully-Qualified
Domain Name: <span
class="apple-converted-space"> </span></b>A
Domain Name that includes the Domain
Labels of all superior nodes in the
Internet Domain Name System.<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
<div style="margin-left:.5in">
<div>
<div>
<p class="MsoNormal"><span
style="color:red">[Again unclear.
The reference to “all superior
nodes” begs the question –
superior to what? A gTLD or
ccTLD? In the example<span
class="apple-converted-space"> </span><a
href="http://server1.mail.example.com/" moz-do-not-send="true"><span
style="color:#954F72">server1.mail.example.com</span></a>,
is “server1.mail.example” itself
an FQDN, because it includes all
“superior nodes” to .com? Or did
you mean to include .com as well
to make it an FQDN?]</span><o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif">This
definition is from the current BRs
and is unmodified in this ballot.</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"><br>
<br>
<br>
<br>
</span><o:p></o:p></p>
</div>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal"><b> </b><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><b>Wildcard
Domain Name:</b><span
class="apple-converted-space"> </span>A
Domain Name consisting of a single
asterisk character ("*") followed by
a single full stop character (".")
followed by a Fully-Qualified Domain
Name.<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
<div style="margin-left:.5in">
<div>
<div>
<p class="MsoNormal"><span
style="color:red">[This is
confusing because it starts with
Domain Name, then talks about an
FQDN – the “*” itself doesn’t turn
a Domain Name into an FQDN so why
are you using both terms? ]</span><o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif">Yes, a
Wildcard Domain Name is a type of
Domain Name. It is made up of “*.”
+ a FQDN. For example “*.<a
href="http://blogspot.com/"
moz-do-not-send="true"><span
style="color:purple">blogspot.com</span></a>”
or “*.<a
href="http://signin.aws.amazon.com/"
moz-do-not-send="true"><span
style="color:purple">signin.aws.amazon.com</span></a>"</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"> </span><o:p></o:p></p>
</div>
</div>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal"><b>Base Domain
Name:</b><span
class="apple-converted-space"> </span>The
portion of an applied-for Domain
Name that is the first domain name
node left of a registry-controlled
or public suffix plus the
registry-controlled or public suffix
(e.g. "<a
href="http://example.co.uk/"
moz-do-not-send="true"><span
style="color:#954F72">example.co.uk</span></a>"
or "<a href="http://example.com/"
moz-do-not-send="true"><span
style="color:#954F72">example.com</span></a>").<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal">For Domain Names
where the right-most domain name
node is a gTLD having ICANN
Specification 13 in its registry
agreement, the gTLD itself may be
used as the Base Domain Name.<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
<div style="margin-left:.5in">
<div>
<div>
<p class="MsoNormal"><span
style="color:red">[Ballot 190
stripped out “requested” in front
of FQDN wherever it existed, as it
seems to get into a CA’s business
processes – what the customer
requests, as opposed to a domain
the CA decides to validate - and
adds nothing but confusion. I
recall discussion that used the
word “requested” to limit what a
CA could do – e.g., using
“requested” might limit CA so they
could only verify an FQDN the
customer “requested” (<a
href="http://server1.mail.example.com/"
moz-do-not-send="true"><span
style="color:#954F72">server1.mail.example.com</span></a>)
and not the FQDN the CA wanted to
verify to fill the customer’s
order (<a
href="http://example.com/"
moz-do-not-send="true"><span
style="color:#954F72">example.com</span></a>).
Now we see the words “applied for”
– take it out, it’s not relevant
and could restrict what CAs can
do.]</span><o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif">This
definition is from the current BRs
and is unmodified in this ballot.
We can change it in Ballot 190, as
you suggest, but I don’t think
modifying it in this ballot makes
sense.</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"><br>
<br>
<br>
<br>
</span><o:p></o:p></p>
</div>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><b>Authorization
Domain Name:</b><span
class="apple-converted-space"> </span>The
Domain Name used to obtain<span
class="apple-converted-space"> </span><span
style="background:yellow">authorization</span><span
class="apple-converted-space"> </span>for
certificate issuance for a given
Domain Name.<span
class="apple-converted-space"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal">The CA may use
the FQDN returned from a DNS CNAME
lookup as the Domain Name for the
purposes of domain validation.<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal">If the Domain
Name is a Wildcard Domain Name, then
the CA MUST remove “*.” from the
left most portion of<span
class="apple-converted-space"> </span><span
style="background:yellow">requested</span> Domain
Name.<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal">The CA may prune
zero or more labels from left to
right until encountering a Base
Domain Name and may use any one of
the intermediate values for the
purpose of domain validation.<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
<div style="margin-left:.5in">
<div>
<div>
<p class="MsoNormal"><span
style="color:red">[First, the word
“authorization” does not seem
correct – validation (used in BR
3.2.2.4) might make more sense. A
simple WhoIs lookup by itself
doesn’t seem like authorization,
only validation of a request.</span><o:p></o:p></p>
</div>
</div>
</div>
<div style="margin-left:.5in">
<div>
<div>
<p class="MsoNormal"><span
style="color:red"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div style="margin-left:.5in">
<div>
<div>
<p class="MsoNormal"><span
style="color:red">The first
sentence is somewhat circular by
using Domain Name twice in one
sentence. The Domain Name used…
for a given Domain Name. ??</span><o:p></o:p></p>
</div>
</div>
</div>
<div style="margin-left:.5in">
<div>
<div>
<p class="MsoNormal"><span
style="color:red"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div style="margin-left:.5in">
<div>
<div>
<p class="MsoNormal"><span
style="color:red">Assuming that
server1.mail is a Domain Name, can
it be an Authorization Domain Name
for something?</span><o:p></o:p></p>
</div>
</div>
</div>
<div style="margin-left:.5in">
<div>
<div>
<p class="MsoNormal"><span
style="color:red"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div style="margin-left:.5in">
<div>
<div>
<p class="MsoNormal"><span
style="color:red">The second
sentence again goes from FQDN to
Domain Name – not clear why.</span><o:p></o:p></p>
</div>
</div>
</div>
<div style="margin-left:.5in">
<div>
<div>
<p class="MsoNormal"><span
style="color:red"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div style="margin-left:.5in">
<div>
<div>
<p class="MsoNormal"><span
style="color:red">The third
sentence again talks about the
“requested Domain Name” –
requested by the customer? Please
remove “requested”. Also, why are
you saying the * must be removed –
do you mean to add something at
the end of the sentence like
“before the validation is
obtained”, or “before a
certificate is issued”, or..? I
don’t understand the purpose of
this sentence in this definition.</span><o:p></o:p></p>
</div>
</div>
</div>
<div style="margin-left:.5in">
<div>
<div>
<p class="MsoNormal"><span
style="color:red"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div style="margin-left:.5in">
<div>
<div>
<p class="MsoNormal"><span
style="color:red">The final
sentence is unclear as to what
domain name is being pruned – the
Authorization Domain Name? (The
sentence is in that definition.)
Or is the requested domain name
being pruned (probably). This
might be one place where it makes
sense to use “requested” simply to
show a CA can choose to prune and
then validate what’s left. But
why is this rule in the definition
of Authorization Domain Name?
Shouldn’t it be in BR 3.2.2.4
itself?]</span><o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif">Authorization
Domain Name is already defined in
the current BRs. The current
definition in the BRs is:</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif">"The Domain
Name used to obtain authorization
for certificate issuance for a given
FQDN. The CA may use the FQDN
returned from a DNS CNAME lookup as
the FQDN for the purposes of domain
validation. If the FQDN contains a
wildcard character, then the CA MUST
remove all wildcard labels from the
left most portion of requested FQDN.
The CA may prune zero or more labels
from left to right until
encountering a Base Domain Name and
may use any one of the intermediate
values for the purpose of domain
validation."</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif">The term
“authorization” is in the current
BRs and is unmodified. The term
“requested” is in the current BRs
and is unmodified. The third
sentence is almost identical to the
existing language but says “*.”
instead of “wildcard labels”. The
last sentence is unmodified from the
current BRs.</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif">I appreciate
that some of the existing language
could use improvement, but the
objective of Ballot 202 is not to
clean up every issue in the BRs. We
still have Ballot 190 to go and we
can have further changes in future
ballots. I tried hard to keep the
scope of Ballot 202 constrained, and
I hope the above explanations help
demonstrate the constrained nature.</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif"> </span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif">Thanks,</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman",serif">Peter</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<p class="MsoNormal"><br>
<br>
<br>
<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org"
moz-do-not-send="true">Public@cabforum.org</a><br>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</blockquote>
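<p class="MsoNormal">Added example, not part of any message in this thread: a Python walk through the quoted Authorization Domain Name and Base Domain Name definitions, stripping the leading “*.” of a Wildcard Domain Name and pruning labels from the left down to the Base Domain Name (including the Specification 13 case where the gTLD itself may serve as the base). The public suffix set and the brand gTLD in it are constructed stand-ins for the real lists.</p>

```python
# Added example (not from the ballot text or any CA's code): enumerate the
# Authorization Domain Names the quoted definition permits for one name.
# PUBLIC_SUFFIXES and SPEC13_GTLDS are constructed stand-ins, not the real
# public suffix list or ICANN's Specification 13 registry data.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "org"}
SPEC13_GTLDS = {"examplebrand"}  # constructed brand gTLD for the demo


def base_domain_name(fqdn: str) -> str:
    """Base Domain Name: the first node left of a public suffix plus that
    suffix (e.g. example.co.uk). For a Specification 13 brand gTLD the
    gTLD itself is returned, as the quoted definition allows."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[-1] in SPEC13_GTLDS:
        return labels[-1]
    # Longest matching public suffix wins. Simplified matching: the real
    # public suffix list also has wildcard and exception rules.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{fqdn!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"{fqdn!r} has no known public suffix")


def authorization_domain_names(domain_name: str) -> list[str]:
    """Every name a CA may validate for domain_name under the definition:
    strip the leading "*." of a Wildcard Domain Name, then prune labels
    from the left until the Base Domain Name is reached; each intermediate
    value is an acceptable Authorization Domain Name."""
    name = domain_name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]  # drop exactly the "*." prefix, nothing more
    if "*" in name:
        raise ValueError("only a single leftmost '*.' label is permitted")
    base = base_domain_name(name)
    labels = name.split(".")
    candidates = []
    while True:
        current = ".".join(labels)
        candidates.append(current)
        if current == base:
            return candidates
        labels.pop(0)


if __name__ == "__main__":
    for n in ("*.signin.aws.amazon.com", "server1.mail.example.co.uk"):
        print(n, "->", authorization_domain_names(n))
```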
<br>
</body>
</html>