<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><font face="Calibri">It seems to me that the premise of this
ballot is wrong. The various methods under section 3.2.2.4, with
the exception of #1 and #5, only validate domain control - not
ownership. I cannot see how they validate ownership.<br>
</font></p>
<p><font face="Calibri">Besides, the implied notion that ownership
and control must _both_ be validated seems to conflict with
several occurances of "OR" (either ownership OR control) in the
BRs.<br>
</font></p>
<p><font face="Calibri">If this ballot implies that the traditional
"OR" should be replaced by an "AND", then other parts of the BRs
should also be revised accordingly.<br>
</font></p>
<p><font face="Calibri">Apart from that, </font><font
face="Calibri">ownership of a domain (which implies control,
while the opposite is obviously untrue) seems to me a sound
basis on which to issue a certificate, of course provided that
ownership is properly validated.</font></p>
<font face="Calibri"> I am also perplexed about the statement that
methods .1 and .5 are "actively being used to avoid validating
domain control or ownership": what evidence do we have of that?<br>
<br>
Adriano<br>
<br>
</font><br>
<div class="moz-cite-prefix">Il 22/01/2018 22:30, Tim Hollebeek via
Public ha scritto:<br>
</div>
<blockquote type="cite"
cite="mid:DM5PR14MB1289279F502EF7AC51256ED383EC0@DM5PR14MB1289.namprd14.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Ballot 218 version 2: Remove validation
methods #1 and #5<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Purpose of Ballot: Section 3.2.2.4 says
that it “defines the permitted processes and procedures for
validating the Applicant’s ownership or control of the
domain.” Most of the validation methods actually do validate
ownership and control, but two do not, and can be completed
solely based on an applicant’s own assertions.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Since these two validation methods do not
meet the objectives of section 3.2.2.4, and are actively being
used to avoid validating domain control or ownership, they
should be removed, and the other methods that do validate
domain control or ownership should be used.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The following motion has been proposed by
Tim Hollebeek of DigiCert and endorsed by Ryan Sleevi of
Google and Rich Smith of Comodo.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">-- MOTION BEGINS –<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This ballot modifies the “Baseline
Requirements for the Issuance and Management of
Publicly-Trusted Certificates” as follows, based upon Version
1.5.4:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In Section 1.6.1, in the definition of
“Domain Contact”, after “in a DNS SOA record”, add “, or as
obtained through direct contact with the Domain Name
Registrar”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In Section 3.2.2.4.1, add text at the end:
“For certificates issued on or after August 1, 2018, this
method SHALL NOT be used for validation, and completed
validations using this method SHALL NOT be used for the
issuance of certificates.”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In Section 3.2.2.4.5, add text at the end:
“For certificates issued on or after August 1, 2018, this
method SHALL NOT be used for validation, and completed
validations using this method SHALL NOT be used for the
issuance of certificates.”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">After Section 3.2.2.4.10, add following two
new subsections:<o:p></o:p></p>
<p class="MsoNormal">“3.2.2.4.11 Any Other Method<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This method has been retired and MUST NOT
be used.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">3.2.2.4.12 Validating Applicant as a Domain
Contact<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Confirming the Applicant's control over the
FQDN by validating the Applicant is the Domain Contact. This
method may only be used if the CA is also the Domain Name
Registrar, or an Affiliate of the Registrar, of the Base
Domain Name.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Note: Once the FQDN has been validated
using this method, the CA MAY also issue Certificates for
other FQDNs that end with all the labels of the validated
FQDN. This method is suitable for validating Wildcard Domain
Names.“<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">In Section
4.2.1, after the paragraph that begins “After the change to
any validation method”, add the following paragraph:
“Validations completed using methods specified in Section
3.2.2.4.1 or Section 3.2.2.4.5 SHALL NOT be re-used on or
after August 1, 2018.”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">-- MOTION ENDS –<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">For the purposes of section 4.2.1, the new
text added to 4.2.1 from this ballot is “specifically provided
in a [this] ballot.”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The procedure for approval of this ballot
is as follows:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Discussion (7+ days) <o:p></o:p></p>
<p class="MsoNormal"> Start Time: 2017-01-22 21:30:00 UTC <o:p></o:p></p>
<p class="MsoNormal"> End Time: Not Before 2017-01-29 21:30:00
UTC<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Vote for approval (7 days) <o:p></o:p></p>
<p class="MsoNormal"> Start Time: TBD <o:p></o:p></p>
<p class="MsoNormal"> End Time: TBD<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
</body>
</html>