<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 5 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.line867, li.line867, div.line867
{mso-style-name:line867;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.line874, li.line874, div.line874
{mso-style-name:line874;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.line862, li.line862, div.line862
{mso-style-name:line862;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Yup, this seems reasonable. Thanks for doing the legwork to come up with a concrete proposal.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">-Tim<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Peter Bowen [mailto:pzb@amzn.com] <br>
<b>Sent:</b> Thursday, July 27, 2017 8:23 AM<br>
<b>To:</b> Tim Hollebeek <THollebeek@trustwave.com>; Erwann Abalea <Erwann.Abalea@docusign.com><br>
<b>Cc:</b> CA/Browser Forum Public Discussion List <public@cabforum.org><br>
<b>Subject:</b> Re: [cabfpub] Ballot 202 - Underscore and Wildcard Characters<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Tim and Erwann,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I agree with Tim. I think the IP Address situation is similar to Internal Domain Names. We know what is _not_ global pretty well, so we have a definition for Internal Name and explicitly say you cannot have those in certificates.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">On the IP Address side, the current language for IPv6 does not parallel this. Notably the definitions point to data tables that focus on regional Internet registry (RIR) allocations. Reservations smaller than /8 for IPv4 and smaller than
/10 for IPv6 are only noted in foot notes. Further, some IP addresses that are global in nature are listed as “reserved” because they are not allocated via the RIR system. Notably, the 6to4 address are “reserved” in IPv6 because they are allocated via the
IPv4 allocation system.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">What would you think about changing the BRs to define Internal IP Address and then use that definition in the one place where Reserved IP Address is used:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<blockquote style="margin-left:30.0pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal">Internal IP Address: An IPv4 or IPv6 address that cannot be verified as globally unique within the public Internet at the time of certificate issuance because the IANA has "False" for Globally Reachable in either of the IANA Special-Purpose
IP Address Registries: <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><a href="https://scanmail.trustwave.com/?c=4062&d=rdv52bHvekS093Vjpcbk0nuzxHXT3LoWazq1nnX42w&s=5&u=https%3a%2f%2fwww%2eiana%2eorg%2fassignments%2fiana-ipv4-special-registry%2fiana-ipv4-special-registry%2exhtml">https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml</a>
or <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><a href="https://scanmail.trustwave.com/?c=4062&d=rdv52bHvekS093Vjpcbk0nuzxHXT3LoWa2q6zyb62w&s=5&u=https%3a%2f%2fwww%2eiana%2eorg%2fassignments%2fiana-ipv6-special-registry%2fiana-ipv6-special-registry%2exhtml">https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml</a><o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">Subject Alternative Name Extension Contents: This extension MUST contain at least one entry. Each entry MUST be one of the following types:<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal">[…]<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">iPAddress: the entry MUST contain an IP address that the CA has validated in accordance with Section 3.2.2.5. The entry MUST NOT contain an Internal IP Address.<o:p></o:p></p>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The Internal IP Address definition is parallels to the existing Internal Name definition:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<blockquote style="margin-left:30.0pt;margin-right:0in">
<div>
<p class="MsoNormal">Internal Name: A string of characters (not an IP address) in a Common Name or Subject Alternative Name field of a Certificate that cannot be verified as globally unique within the public DNS at the time of certificate issuance because
it does not end with a Top Level Domain registered in IANA’s Root Zone Database.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<p class="MsoNormal">What do you think?<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Peter<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On Jul 26, 2017, at 9:03 AM, Tim Hollebeek <<a href="mailto:THollebeek@trustwave.com">THollebeek@trustwave.com</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">I think the definition is the wrong place to handle reserved IPs. What should be true (though I haven’t checked that it actually is) is that it should be impossible to validate an IP that it is impossible to own. Any necessary improvements
to provide that assurance should go in the validation methods.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">-Tim<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Public [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Peter Bowen via Public<br>
<b>Sent:</b> Tuesday, July 25, 2017 3:02 PM<br>
<b>To:</b> Erwann Abalea <<a href="mailto:Erwann.Abalea@docusign.com">Erwann.Abalea@docusign.com</a>>; CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org">public@cabforum.org</a>><br>
<b>Subject:</b> Re: [cabfpub] Ballot 202 - Underscore and Wildcard Characters<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">Erwann,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Thank you for your detailed feedback and I appreciate you providing context for your vote.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">With regards to reserved IP addresses, the definition in the current BRs allows a CA to deliver a certificate for 192.0.0.9. They also allow a CA to deliver a certificate for 192.168.1.1. This is because the current language (which has
been in the BRs since at least V1) says “Reserved IP Address” is only defined by the whole /8 being reserved. This means only 0/8, 10/8, 127/8 and 224/3 are currently Reserved IP v4 addresses. While I agree we may be able to further restrict issuance, this
ballot covers the common cases.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">The ballot references RFC 5890 section 2.2 for the definition of Domain Label. This RFC is very specific on allowed characters; it is not any character. Notably your example is not valid because ‘*’ (0x2a) is a DISALLOWED character. RFC
5890 points to RFC 5892 for the full list; <a href="https://scanmail.trustwave.com/?c=4062&d=rdv52bHvekS093Vjpcbk0nuzxHXT3LoWaza9mXf_gQ&s=5&u=https%3a%2f%2ftools%2eietf%2eorg%2fhtml%2frfc5892%23appendix-B%2e1">https://tools.ietf.org/html/rfc5892#appendix-B.1</a> shows
that the only ASCII characters that are allowed are hyphen-minus, digit 0 to digit 9, and letter a to letter z. Therefore *.*.<a href="http://scanmail.trustwave.com/?c=4062&d=rdv52bHvekS093Vjpcbk0nuzxHXT3LoWazq9yyStgA&s=5&u=http%3a%2f%2fdomain%2ecom">domain.com</a> is
not a valid Wildcard Domain Name according to the definition in ballot 202.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Peter<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On Jul 25, 2017, at 11:39 AM, Erwann Abalea via Public <<a href="mailto:public@cabforum.org">public@cabforum.org</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal">Bonsoir,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">DocuSign France votes No.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">While there are good clarifications around domain names, FQDNs, wildcards, and reserved labels, there are a few drawbacks:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">1. Underscores in SAN:dNSName entries. It’s not the current BR that disallows underscores in dNSNames, it’s X.509 and RFC5280 (and current DNS specifications), and there is no justification about allowing underscores other than « it’s done
by some admins » or « Microsoft allows it ». While domain names can contain anything (even characters such as '[({*$!?" ), dNSName shall contain a host name, and host names shall only be composed of LDH labels. I’d prefer the standards to be changed instead
of explicitly allowing deviations from the standard.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">2. « Reserved IP address ». The new definition now allows a CA to deliver a certificate for an obviously invalid IP (I doubt anyone could claim « owning » 192.0.0.9 or 192.0.0.10, and I haven’t fully checked the others).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">3. « Wildcard Domain Name ». The new definition is not robust enough. An FQDN is a sequence of Domain Labels —which can contain any character—, so « *.<a href="http://scanmail.trustwave.com/?c=4062&d=rdv52bHvekS093Vjpcbk0nuzxHXT3LoWaznoyyH0jw&s=5&u=http%3a%2f%2fdomain%2ecom%2f">domain.com</a> »
is a valid FQDN, so « *.*.<a href="http://scanmail.trustwave.com/?c=4062&d=rdv52bHvekS093Vjpcbk0nuzxHXT3LoWaznoyyH0jw&s=5&u=http%3a%2f%2fdomain%2ecom%2f">domain.com</a> » is a valid Wildcard Domain Name according to this definition.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal">Cordialement,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Erwann Abalea<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">Le 12 juil. 2017 à 19:24, Ben Wilson via Public <<a href="mailto:public@cabforum.org">public@cabforum.org</a>> a écrit :<o:p></o:p></p>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="line867"><strong><span style="font-family:"Calibri",sans-serif">Ballot 202 - Underscore and Wildcard Characters</span></strong><o:p></o:p></p>
<p class="line874">The current Baseline Requirements do not expressly allow underscore characters in Subject Alternative Names. This ballot seeks to clarify that one or more underscore characters (“_”) are allowed in FQDNs. In many places it also replaces the
term "FQDN" with "Domain Name" because "Domain Name" now means either "FQDN" or "Wildcard Domain Name". The ballot clarifies validation of wildcard domain names. It also cleans up some of the language in Sections 3.2.2.4 and 7.1.4.2.1 of the Baseline Requirements.<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line862">The following motion has been proposed by Ben Wilson of DigiCert and endorsed by Peter Bowen of Amazon and Ryan Sleevi of Google to introduce new Final Maintenance Guidelines for the "Baseline Requirements Certificate Policy for the Issuance
and Management of Publicly-Trusted Certificates" (Baseline Requirements).<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">--Motion Begins--<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">A. In Sections 1.3.2, 1.6 (Base Domain Name), 2.2, 3.2.2.4, 3.2.2.4.5, 3.2.2.4.6, 3.2.2.4.10, 3.2.2.4.11, 4.2.1, 4.9.1.1.6, and 4.9.11 of the Baseline Requirements, REPLACE the words "Fully Qualified Domain Name" and "FQDN" with "Domain Name".<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">B. In Section 1.6.1 of the Baseline Requirements, REPLACE the definition for "Authorization Domain Name" with the following: The Domain Name used to obtain authorization for certificate issuance for a given Domain Name. The CA may use the
FQDN returned from a DNS CNAME lookup as the Domain Name for the purposes of domain validation. If the Domain Name is a Wildcard Domain Name, then the CA MUST remove “*.” from the left most portion of requested Domain Name. The CA may prune zero or more labels
from left to right until encountering a Base Domain Name and may use any one of the intermediate values for the purpose of domain validation.<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">C. In Section 1.6.1 of the Baseline Requirements, INSERT the following definition: "Domain Label: An individual component of a Domain Name."<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">D. In Section 1.6.1 of the Baseline Requirements, REPLACE the definition for "Domain Name" with the following: A set of one or more Domain Labels, each separated by a single full stop character (".").<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">E. In Section 1.6.1 of the Baseline Requirements, REPLACE the definition for "Fully-Qualified Domain Name" with the following: A Domain Name that includes the Domain Labels of all superior nodes in the Internet Domain Name System.<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">F. In Section 1.6.1 of the Baseline Requirements, REPLACE the definition for "Reserved IP Address" with the following: An IPv4 or IPv6 address that the IANA has "False" for Globally Reachable in either of the IANA Special-Purpose IP Address
Registries:<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line867"><a href="https://scanmail.trustwave.com/?c=4062&d=rdv52bHvekS093Vjpcbk0nuzxHXT3LoWazq1nnX42w&s=5&u=https%3a%2f%2fwww%2eiana%2eorg%2fassignments%2fiana-ipv4-special-registry%2fiana-ipv4-special-registry%2exhtml"><span style="color:#954F72">https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml</span></a><span class="apple-converted-space"> </span>or<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line867"><a href="https://scanmail.trustwave.com/?c=4062&d=rdv52bHvekS093Vjpcbk0nuzxHXT3LoWa2q6zyb62w&s=5&u=https%3a%2f%2fwww%2eiana%2eorg%2fassignments%2fiana-ipv6-special-registry%2fiana-ipv6-special-registry%2exhtml"><span style="color:#954F72">https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml</span></a><o:p></o:p></p>
<p class="line874">G. In Section 1.6.1 of the Baseline Requirements, REPLACE the definition for "Wildcard Certificate" with the following: A Certificate containing a Wildcard Domain Name in any of the Subject Alternative Names in the Certificate.<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">H. In Section 1.6.1 of the Baseline Requirements, INSERT the following definition: "Wildcard Domain Name: A Domain Name consisting of a single asterisk character ("*") followed by a single full stop character (".") followed by a Fully-Qualified
Domain Name."<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">I. In Section 2.2 of the Baseline Requirements, INSERT the word "requested" in the fourth sentence between the words "processing CAA records for" and "Domain Names" so that it reads, "processing CAA records for requested Domain Names".<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">J. REPLACE the second paragraph of Section 3.2.2.4 of the Baseline Requirements so that it reads, "The CA SHALL confirm that, as of the date the Certificate issues, the CA has validated each Domain Name listed in the Certificate using at
least one of the methods listed below, or is within the Domain Namespace of a Fully Qualified Domain Name (FQDN) that has been validated using at least one of the methods listed below (not including the method defined in section 3.2.2.4.8)."<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">K. REPLACE Section 3.2.2.6 of the Baseline Requirements in its entirety with:<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">3.2.2.6. Additional Validation for Wildcard Certificates<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">Before issuing a Wildcard Certificate, the CA MUST establish and follow a documented procedure[^pubsuffix] that determines if the FQDN portion of any Wildcard Domain Name in the certificate is “registry-controlled” or is a “public suffix”
(e.g. “*.com”, “*.<a href="http://scanmail.trustwave.com/?c=4062&d=rdv52bHvekS093Vjpcbk0nuzxHXT3LoWaza_myH_3Q&s=5&u=http%3a%2f%2fco%2euk%2f"><span style="color:#954F72">co.uk</span></a>”, see RFC 6454 Section 8.2 for further explanation).<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">If the FQDN portion of any Wildcard Domain Name in the certificate is "registry-controlled" or is a "public suffix", CAs MUST refuse issuance unless the applicant proves its rightful control of the entire Domain Namespace. (e.g. CAs MUST
NOT issue "*.<a href="http://scanmail.trustwave.com/?c=4062&d=rdv52bHvekS093Vjpcbk0nuzxHXT3LoWaza_myH_3Q&s=5&u=http%3a%2f%2fco%2euk%2f"><span style="color:#954F72">co.uk</span></a>" or "*.local", but MAY issue "*.<a href="http://scanmail.trustwave.com/?c=4062&d=rdv52bHvekS093Vjpcbk0nuzxHXT3LoWazi5mXCq3g&s=5&u=http%3a%2f%2fexample%2ecom%2f"><span style="color:#954F72">example.com</span></a>"
to Example Co.).<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line862">[^pubsuffix] Determination of what is “registry-controlled” versus the registerable portion of a Country Code Top-Level Domain Namespace is not standardized at the time of writing and is not a property of the DNS itself. Current best practice
is to consult a “public suffix list” such as<span class="apple-converted-space"> </span><a href="http://scanmail.trustwave.com/?c=4062&d=rdv52bHvekS093Vjpcbk0nuzxHXT3LoWaz26myau2Q&s=5&u=http%3a%2f%2fpublicsuffix%2eorg%2f"><span style="color:#954F72">http://publicsuffix.org/</span></a><span class="apple-converted-space"> </span>(PSL),
and to retrieve a fresh copy regularly. If using the PSL, a CA SHOULD consult the "ICANN DOMAINS" section only, not the "PRIVATE DOMAINS" section. The PSL is updated regularly to contain new gTLDs delegated by ICANN, which are listed in the "ICANN DOMAINS"
section. A CA is not prohibited from issuing a Wildcard Certificate to the Registrant of an entire gTLD, provided that control of the entire namespace is demonstrated in an appropriate way.<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">L. REPLACE Section 7.1.4.2.1 of the Baseline Requirements in its entirety with:<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">7.1.4.2.1 Subject Alternative Name Extension<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">Certificate Field: extensions:subjectAltName<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">Required/Optional: Required<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">Contents: This extension MUST contain at least one entry. Each entry MUST be one of the following types:<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">1. dNSName: the entry MUST contain either a Fully-Qualified Domain Name or Wildcard Domain Name that the CA has validated in accordance with section 3.2.2.4. FQDNs and the FQDN portion of Wildcard DNs must comply with RFC 5280 section 4.2.1.6
with the following exception: underscore characters ("_") are allowed in Domain Labels such that replacing all underscore characters with hyphen characters ("-") would result in a valid Domain Label. CAs MUST NOT include Domain Labels which have hyphens as
the third and fourth characters unless the first character is "x" or "X", the second character is "n" or "N", and the fifth and later characters are a valid Punycode string. CAs MUST additionally validate that Wildcard DNs are consistent with section 3.2.2.6.
The entry MUST NOT contain an Internal Name.<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">2. iPAddress: the entry MUST contain an IP address that the CA has validated in accordance with Section 3.2.2.5. The entry MUST NOT contain a Reserved IP Address.<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">M. REPLACE subsection a. of Section 7.1.4.2.2 of the Baseline Requirements with:<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">a. Certificate Field: subject:commonName (OID 2.5.4.3)<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">Required/Optional: Deprecated (Discouraged, but not prohibited)<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">Contents: If present, this field MUST contain a single IP address or Domain Name that is one of the values contained in the Certificate’s subjectAltName extension (see Section 7.1.4.2.1). When including a Domain Name in a common name, CAs
MUST only use LDH labels as defined in RFC 5890 and MUST NOT use U-labels. When including an IPv6 address in a common name, CAs MUST use a format conforming to Section 4 or Section 5 of RFC 5952. When including an IPv4 address in a common name, CAs MUST encode
the name as an IPv4Address as defined in RFC 3986.<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">--Motion Ends--<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">The procedure for approval of this Final Maintenance Guideline ballot is as follows (exact start and end times may be adjusted to comply with applicable Bylaws and IPR Agreement):<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">BALLOT 202 Status: Final Maintenance Guideline Start time (22:00 UTC) End time (22:00 UTC)<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">Discussion (7 to 14 days) July 12, 2017 to July 19, 2017<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">Vote for approval (7 days) July 19, 2017 to July 26, 2017<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">If a vote of the Forum approves this ballot, the Chair will initiate a 30-day IPR Review Period by sending out an IPR Review Notice.<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">After 30 days of announcing the IPR Review period by the Chair:<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">(a) If Exclusion Notice(s) are filed, this ballot approval is rescinded and a PAG will be created; or (b) If no Exclusion Notices are filed, this ballot becomes effective at end of the IPR Review Period.<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line874">From Bylaw 2.3: If the Draft Guideline Ballot is proposing a Final Maintenance Guideline, such ballot will include a redline or comparison showing the set of changes from the Final Guideline section(s) intended to become a Final Maintenance
Guideline, and need not include a copy of the full set of guidelines. Such redline or comparison shall be made against the Final Guideline section(s) as they exist at the time a ballot is proposed, and need not take into consideration other ballots that may
be proposed subsequently, except as provided in Bylaw Section 2.3(j).<span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="line862">Votes must be cast by posting an on-list reply to this thread on the Public list. A vote in favor of the motion must indicate a clear 'yes' in the response. A vote against must indicate a clear 'no' in the response. A vote to abstain must
indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here:<span class="apple-converted-space"> </span><a href="https://scanmail.trustwave.com/?c=4062&d=rdv52bHvekS093Vjpcbk0nuzxHXT3LoWazq1l3Ct3A&s=5&u=https%3a%2f%2fcabforum%2eorg%2fmembers%2f"><span style="color:#954F72">https://cabforum.org/members/</span></a><o:p></o:p></p>
<p class="line874">In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor. Quorum is half of the number of currently
active Members, which is the average number of Member organizations that have participated in the previous three Forum-wide meetings (both teleconferences and face-to-face meetings). Under Bylaw 2.2(g), at least the required quorum number must participate
in the ballot for the ballot to be valid, either by voting in favor, voting against, or abstaining.<span class="apple-converted-space"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<p class="MsoNormal"><Ballot 202.pdf><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">_______________________________________________<br>
Public mailing list<br>
</span><a href="mailto:Public@cabforum.org"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#954F72">Public@cabforum.org</span></a><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><br>
</span><a href="https://scanmail.trustwave.com/?c=4062&d=rdv52bHvekS093Vjpcbk0nuzxHXT3LoWa2rpynX7iA&s=5&u=https%3a%2f%2fcabforum%2eorg%2fmailman%2flistinfo%2fpublic"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#954F72">https://cabforum.org/mailman/listinfo/public</span></a><o:p></o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://scanmail.trustwave.com/?c=4062&d=rdv52bHvekS093Vjpcbk0nuzxHXT3LoWa2rpynX7iA&s=5&u=https%3a%2f%2fcabforum%2eorg%2fmailman%2flistinfo%2fpublic">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>