<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Sorry for the misquotation – I left off “*** </span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>directly with the Domain Name Registrar,” which is generally what we have been discussing – a WhoIs lookup to see who owns the domain.<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>But do you see my point that “</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>validating the <u>Applicant</u> as the <u>Domain Contact</u>” (current language) could simply be confirming a hacker in both roles, but would not be validating the Registrant information as to the organization that owns the domain? Which would not be sufficient to include the Registrant Organization name in the O field of an OV or EV cert. That’s why we made the change, which makes Method 1 more secure in our opinion.<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Again, Method 1 was the original validation method starting in the 1990s, and I think it’s proven its worth over the years.</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> geoffk@apple.com [mailto:geoffk@apple.com] <br><b>Sent:</b> Friday, January 19, 2018 11:52 AM<br><b>To:</b> Kirk Hall <Kirk.Hall@entrustdatacard.com><br><b>Cc:</b> CA/Browser Forum Public Discussion List <public@cabforum.org>; Mads Egil Henriksveen <Mads.Henriksveen@buypass.no><br><b>Subject:</b> Re: [cabfpub] [EXTERNAL] Verification of Domain Contact and Domain Authorization Document<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>On Jan 19, 2018, at 11:23 AM, Kirk Hall <<a href="mailto:Kirk.Hall@entrustdatacard.com">Kirk.Hall@entrustdatacard.com</a>> wrote:<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>First, I think everyone knows what CAs are supposed to do under Method 1</span><o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I’m fairly sure this is not the case…<o:p></o:p></p></div><p class=MsoNormal><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>, and the lack of misissuance reports means CAs are doing it right. Here’s how Method 1 starts now:</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>“Conforming the Applicant's control over the FQDN by validating the Applicant as the Domain Contact by verifying that: ***”</span><o:p></o:p></p></div></div></blockquote><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>You can see why I think CAs might not know what they’re supposed to do, because the above quote is not the actual words from the the Baseline Requirements! Right now, in BR 1.5.4, Method 1 starts with these words:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>Confirming the Applicant's control over the FQDN by validating the Applicant is the Domain Contact directly with the Domain Name Registrar. This method may only be used if:<o:p></o:p></p></div></blockquote><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Your version prescribes a method. The actual current requirements specify an objective and don’t specify a method.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Now, I’m not against prescribing a method, but the method prescribed does need to achieve the original objective, and I think the proposed method is inadequate to do that…<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>