<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Doesn’t Ryan and Dimitris’ fix handle that? Direct communication with the registrar is easy if you are the registrar.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>-Tim<o:p></o:p></p><p class=MsoNormal><a name="_MailEndCompose"><o:p> </o:p></a></p><span style='mso-bookmark:_MailEndCompose'></span><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Peter Bowen [mailto:pzb@amzn.com] <br><b>Sent:</b> Monday, January 8, 2018 9:49 PM<br><b>To:</b> Wayne Thayer &lt;wthayer@mozilla.com&gt;; CA/Browser Forum Public Discussion List &lt;public@cabforum.org&gt;<br><b>Cc:</b> Tim Hollebeek &lt;tim.hollebeek@digicert.com&gt;<br><b>Subject:</b> Re: [cabfpub] Ballot 218: Remove validation methods #1 and #5<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>On Jan 8, 2018, at 9:20 AM, Wayne Thayer via Public &lt;<a href="mailto:public@cabforum.org">public@cabforum.org</a>&gt; wrote:<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Mon, Jan 8, 2018 at 9:46 AM, Tim Hollebeek via Public &lt;<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>&gt; wrote:<o:p></o:p></p><div><div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I’m not sure there are other valid cases (in fact I suspect there are not), but Wayne mentioned on the validation WG call that he’s concerned that this change could be very disruptive if not handled carefully, and 
I’m sympathetic to that concern. Especially since on the same call he also pointed out the same flaw that Dimitris did …<o:p></o:p></p><div><p class=MsoNormal> <o:p></o:p></p></div></div></div></blockquote></div><p class=MsoNormal>My concern is based on a small sample size, but in reviewing CPSs I've noted that government CAs often rely on 3.2.2.4.1. Other than Dimitris, they are not participating in this discussion and may not be aware of it. That isn't a good excuse to delay needed fixes, but I do think that the outright elimination of method #1 on Mar 1st will catch a number of these CAs by surprise and we'll see compliance issues. The approach that Ryan and Dimitris are discussing helps to address my concern.<o:p></o:p></p></div></div></div></blockquote><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I know I’m really late to this conversation, but I think we need to split 3.2.2.4.1. It currently has one very strong validation method combined with two that are under discussion.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>While I know it does not apply to many CAs, I think option 3 in 3.2.2.4.1 is excellent validation when available. If the CA is also the registry or registrar, then they can have a very high assurance that a certificate requester has control of the domain. I would hate to see this method go away, as I personally see this as potentially the strongest proof of domain control.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thanks,<o:p></o:p></p></div><div><p class=MsoNormal>Peter<o:p></o:p></p></div></div></div></body></html>