<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mv="http://macVmlSchemaUri" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.emailquote, li.emailquote, div.emailquote
{mso-style-name:emailquote;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:1.0pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Yes - It would be up to the author of the ballot to increment the version number when a material change is made to any of the methods.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Kirk Hall <Kirk.Hall@entrustdatacard.com><br>
<b>Date: </b>Tuesday, August 1, 2017 at 4:54 PM<br>
<b>To: </b>Wayne Thayer <wthayer@godaddy.com>, Ben Wilson <ben.wilson@digicert.com>, CA/Browser Forum Public Discussion List <public@cabforum.org>, Gervase Markham <gerv@mozilla.org><br>
<b>Subject: </b>RE: [cabfpub] [EXTERNAL]Re: Ballot 190 - Recording BR Version Number<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D">So Wayne, if a change is made to Method 8 only by a ballot, once effective would the text be changed to “VERSION 2 OF”? Then, later, if changes are made to Methods 2, 3, and 4 by a single ballot, the text would
be changed to “VERSION 3 OF”, etc.?</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">That is certainly a simpler solution than I had understood (and is right in the substantive BR 3.2.2.4 language itself), and I can see the value of it.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Wayne Thayer [mailto:wthayer@godaddy.com] <br>
<b>Sent:</b> Tuesday, August 1, 2017 3:39 PM<br>
<b>To:</b> Ben Wilson <ben.wilson@digicert.com>; CA/Browser Forum Public Discussion List <public@cabforum.org>; Gervase Markham <gerv@mozilla.org>; Kirk Hall <Kirk.Hall@entrustdatacard.com><br>
<b>Subject:</b> Re: [cabfpub] [EXTERNAL]Re: Ballot 190 - Recording BR Version Number<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Ben – here’s a simple approach to versioning the entire section with changes in ALL CAPS:<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b><i>3.2.2.4. Validation of Domain Authorization or Control
</i></b><o:p></o:p></p>
<p class="MsoNormal">This section defines VERSION 1 OF the permitted processes and procedures for validating the Applicant's ownership or control of the domain.
<o:p></o:p></p>
<p class="MsoNormal">The CA SHALL confirm that, as of the date the Certificate issues, either the CA or a Delegated Third Party has validated each Fully‐Qualified Domain Name (FQDN) listed in the Certificate using at least one of the methods listed below.
<o:p></o:p></p>
<p class="MsoNormal">Completed confirmations of Applicant authority may be valid for the issuance of multiple certificates over time. In all cases, the confirmation must have been initiated within the time period specified in the relevant requirement (such
as Section 3.3.1 of this document) prior to certificate issuance. For purposes of domain validation, the term Applicant includes the Applicant's Parent Company, Subsidiary Company, or Affiliate.
<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><i>[WT] the following sentence is added by ballot 190:</i><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">CAs SHALL maintain a record of which domain validation method, INCLUDING RELEVANT VERSION NUMBER OF THE PERMITTED PROCESSES AND PROCEDURES FOR VALIDATING THE APPLICANT’S OWNERSHIP OR CONTROL OF THE DOMAIN, they used to validate every domain.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Note: FQDNs may be listed in Subscriber Certificates using dNSNames in the subjectAltName extension or in Subordinate CA Certificates via dNSNames in permittedSubtrees within the Name Constraints extension.
<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Ben Wilson <<a href="mailto:ben.wilson@digicert.com">ben.wilson@digicert.com</a>><br>
<b>Date: </b>Tuesday, August 1, 2017 at 3:15 PM<br>
<b>To: </b>Wayne Thayer <<a href="mailto:wthayer@godaddy.com">wthayer@godaddy.com</a>>, CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org">public@cabforum.org</a>>, Gervase Markham <<a href="mailto:gerv@mozilla.org">gerv@mozilla.org</a>>,
Kirk Hall <<a href="mailto:Kirk.Hall@entrustdatacard.com">Kirk.Hall@entrustdatacard.com</a>><br>
<b>Subject: </b>RE: [cabfpub] [EXTERNAL]Re: Ballot 190 - Recording BR Version Number</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal">Wayne,<br>
Can you give an example of what embedding would look like?<br>
Thanks,<br>
Ben<o:p></o:p></p>
</div>
</div>
<div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" align="center">
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><b>From: </b><a href="mailto:wthayer@godaddy.com">Wayne Thayer</a><br>
<b>Sent: </b>8/1/2017 3:58 PM<br>
<b>To: </b><a href="mailto:ben.wilson@digicert.com">Ben Wilson</a>; <a href="mailto:public@cabforum.org">
CA/Browser Forum Public Discussion List</a>; <a href="mailto:gerv@mozilla.org">Gervase Markham</a>;
<a href="mailto:Kirk.Hall@entrustdatacard.com">Kirk Hall</a><br>
<b>Subject: </b>Re: [cabfpub] [EXTERNAL]Re: Ballot 190 - Recording BR Version Number<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:10.0pt">The original concern I raised was with the ballot 190 requirement that CAs begin to log the BR version number associated with the validation method used on each request. My concerns
are:<br>
1. The BR version doesn’t clearly indicate when a validation method has changed. As has been stated, the BR version number will surely increment for many reasons unrelated to validation methods. BR version 1.8.3 is likely to have the same meaning as version
2.1.6 in terms of validation methods.<br>
2. CAs will review changes to the validation methods and come to different conclusions as to what changes require the BR version number to be incremented in their logs. Is a wording change material, even though I’m not updating the code? The ballot author should
decide this.<br>
3. CAs generally need to implement changes to methods prior to a BR version number even being assigned. I closely review ballots, but I don’t track BR version numbers.<br>
<br>
This led me to propose a version number embedded in section 3.2.2.4 of the BRs that covers either all validation methods or one for each method – it doesn’t matter to me. This approach:<br>
1. Provides clear guidance that the CA must update the version number they’re logging as part of implementing a particular change<br>
2. 2. Allows CAs to make changes based on approved ballots rather than being dependent on BR version numbers<br>
3. Doesn’t require a separate section of the BRs to be updated and kept in synch<br>
4. Can easily be added to ballot 190 while we’re waiting for ballot 202<br>
<br>
Thanks,<br>
<br>
Wayne<br>
<br>
<br>
On 8/1/17, 9:28 AM, "Public on behalf of Ben Wilson via Public" <<a href="mailto:public-bounces@cabforum.org%20on%20behalf%20of%20public@cabforum.org">public-bounces@cabforum.org on behalf of public@cabforum.org</a>> wrote:<br>
<br>
There are two sides to this - one is with the CAs, where they record what <br>
method was used, and the other is at the CA/Browser Forum level, where someone
<br>
maintains a chart, or whatever, of validation methods in effect, and <br>
historically which ones were effective during which periods.<br>
<br>
<br>
-----Original Message-----<br>
From: Gervase Markham [<a href="mailto:gerv@mozilla.org">mailto:gerv@mozilla.org</a>]<br>
Sent: Tuesday, August 1, 2017 10:06 AM<br>
To: Ben Wilson <<a href="mailto:ben.wilson@digicert.com">ben.wilson@digicert.com</a>>; CA/Browser Forum Public Discussion
<br>
List <<a href="mailto:public@cabforum.org">public@cabforum.org</a>>; Kirk Hall <<a href="mailto:Kirk.Hall@entrustdatacard.com">Kirk.Hall@entrustdatacard.com</a>><br>
Subject: Re: [cabfpub] [EXTERNAL]Re: Ballot 190 - Recording BR Version Number<br>
<br>
On 01/08/17 17:00, Ben Wilson wrote:<br>
> Are we talking about what the CA records in its database for the<br>
> validation method used, or are we talking about annotating the BRs<br>
> with a record of when a change was made?<br>
<br>
I am raising the problem that if there is a list of changes made and it goes <br>
out of sync with reality, then what do I, at Mozilla, do if a CA says "well, I
<br>
didn't realise that change had been made because it wasn't added to the <br>
official list"?<br>
<br>
There should be one and exactly one method of knowing when changes are made.<br>
<br>
Earlier, although perhaps not in this thread, someone suggested independent <br>
version numbers for each of the methods. That has a similar issue - there <br>
should be one and exactly one method of recording what validation method was <br>
used.<br>
<br>
Gerv<br>
</span><o:p></o:p></p>
</div>
</div>
</body>
</html>