<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Aug 29, 2017 at 8:03 PM, Kirk Hall via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="m_-7541139769902924714WordSection1">
<p class="MsoNormal">Mads and Doug are still endorsers for the restart of Ballot 190. Doug reminded me of five changes that we had agreed to make to the last version, v7. The changes are shown on the attached v7 in
<span style="background:yellow">yellow</span>, and are also listed below. When we do the restart on Ballot 190, it will be with this v7 version.</p></div></div></blockquote><div><br></div><div>Can you indicate where those v7 changes came from? That is, was this private discussions among the Ballot endorsers, suggestions you made, items from the Validation WG (call or list?), etc?</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div class="m_-7541139769902924714WordSection1"><p class="MsoNormal"><u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Here are the changes from v6 that were made in the attached v7:<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">1. [In BR 3.2.2.4 introduction]: The CA SHALL confirm that, as of the date the Certificate issues, <<u><span style="background:yellow">is issued</span></u>?></p></div></div></blockquote><div><br></div><div>"is issued" would be past-tense, implying it's a post-issuance activity, rather than a (pre-)issuance activity - right?</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div class="m_-7541139769902924714WordSection1"><p class="MsoNormal"><u></u></p>
<p class="m_-7541139769902924714MsoPlainText">2. [In all 10 validation method Notes:] Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN and have
<u><span style="background:yellow">the same or</span></u> more labels than it. This method is suitable for validating Wildcard Domain Names.<b><u></u><u></u></b></p>
<p class="m_-7541139769902924714MsoListParagraph" style="margin-left:20.4pt">
<u></u><span>-<span style="font:7.0pt "Times New Roman"">
</span></span><u></u>The above note appears in multiple places, all need to be updated.</p></div></div></blockquote><div>It reads fairly clunky - more was clearer as a numeric comparison, but 'the same or more labels than it' leaves ambiguity as to whether it's equality of the labels (which is handled by the preceding clause).</div><div><br></div><div>Beyond the longstanding concerns about expressing the "Notes" here and their impact on normative expressions, I'm not sure the change is actually necessary - that is, the only FQDN that 'ends with all the labels of the validated FQDN and has the same number of labels in it' is, well, the FQDN. Is that actually necessary to express - you're saying that after the FQDN has been validated, Certificates may also be issued for the FQDN.</div><div><br></div><div>The current wording avoids this issue, because 'the current FQDN' will never have more labels in it than the current FQDN :)</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div class="m_-7541139769902924714WordSection1"><p class="m_-7541139769902924714MsoListParagraph" style="margin-left:20.4pt"><u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">3. [In BR 3.2.2.4.6]: The presence of Required Website Content contained in the content of a file
<s><span style="background:yellow">or on a web page in the form of a meta tag</span>.
</s><we agreed that a web page is a file, so no need><u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">4. [In BR 3.2.2.4.6]: Missing “T”: “This method is suitable for validating Wildcard Domain Names.”<span style="font-size:12.0pt">
<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">5. [In BR 3.2.2.4.7]: I’ve commented on this multiple times and I think as written it’s not clear:<u></u><u></u></p>
<p class="MsoNormal">From this:<u></u><u></u></p>
<p class="MsoNormal" style="margin-right:0in;margin-bottom:6.0pt;margin-left:.5in;background:white">
Confirming the Applicant's control over the FQDN by confirming the presence of a Random Value or Request Token in a DNS CNAME, TXT or CAA record for an Authorization Domain Name or an Authorization Domain Name that is prefixed with a label that begins with
an underscore character.<u></u><u></u></p>
<p class="MsoNormal">To this:<u></u><u></u></p>
<p class="MsoNormal" style="margin-left:.5in">Confirming the Applicant's control over the FQDN by confirming the presence of a Random Value or Request Token in
<span style="background:yellow">either 1)</span> a DNS CNAME, TXT or CAA record for an Authorization Domain Name or
<span style="background:yellow">2)</span> an Authorization Domain Name that is prefixed with a label that begins with an underscore character.<u></u><u></u></p>
<p class="MsoNormal"><a name="m_-7541139769902924714__MailEndCompose"></a><br></p></div></div></blockquote><div><br></div><div>Kirk,</div><div><br></div><div>Could you highlight where you've commented on 3.2.2.4.7 in the past? I want to make sure I better understand your concerns here.</div><div><br></div><div>I highlight this because the choice of where to place your either/or is significant. You've placed 1) before the "CNAME, TXT, or CAA record" - which means that 2) can be expressed in any way (for example, an MX record would be sufficient, it would seem). That certainly doesn't sound correct, but I want to make sure I'm understanding your concerns.</div><div><br></div><div>The alternative way to express this would be reworded as:</div><div><br></div><div>or Request Token in a DNS CNAME, TXT, or CAA record for either:</div><div> 1) an Authorization Domain Name; or,</div><div> 2) an Authorization Domain Name that is prefixed with a label that begins with an underscore character.</div><div><br></div><div>In this case, we make it clear that the Request Token or Random Value still must appear within those record types.</div><div><br></div><div><br></div></div><br></div></div>