<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:.5in;
mso-add-space:auto;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:.5in;
mso-add-space:auto;
line-height:106%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal>Since this is dependent on the CAA and TXT approach defined in ballot SC4 which is in process, this isn’t yet a complete ballot, but we wanted to get input on the basic set of changes being proposed in parallel with SC4 discussions<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Redlined version attached.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'>Ballot SC5: Improve Phone Validation Methods<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'>Purpose of Ballot: As discussed during the Validation Summit, Method 3 of the Baseline Requirements could use some improvements to close off some potential bad practices that might lead to security risks. This ballot builds on “Ballot SC4 - email and CAA CONTACT” to introduce 2 new validation methods for Phone number validation with the source of the phone number being a CAA record and a DNS TXT record.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'>This Ballot tightens up the rules around phone validation in order to make sure domain authorization or control is verified with a person who is authorized to do so. This ballot changes Method 3, but if we need to create a new method and sunset Method 3, we can do that.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'>The following motion has been proposed by Tim Hollebeek of DigiCert and endorsed by Bruce Morton of Entrust and Doug Beattie of GlobalSign.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'>--- MOTION BEGINS ---<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'>This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” as follows, based on Version 1.X.X:<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><b><span style='color:black'>Modify 3.2.2.4.3 Phone Contact with Domain Contact to read as follows: <o:p></o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'>Confirm the Applicant's control over the FQDN by calling the Domain Contact’s phone number and receive a confirming response to validate the ADN.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'>Each phone call MAY confirm control of multiple</span> <span style='color:black'>ADNs provided that the same Domain Contact phone number is listed for each</span> <span style='color:black'>ADN being verified and they provide a confirming response for each ADN.</span><o:p></o:p></p><p class=MsoNormal><span style='color:black'>In the event that someone other than a Domain Contact is reached, the CA MAY request to be transferred to the Domain Contact. <o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='color:black'>In the event of reaching voicemail, the CA may leave the Random Value and the ADN(s) being validated. The Domain Contact may return the Random Number to the CA via Phone, Email, Fax, or SMS to approve the request within 30 days of the voicemail.</span><o:p></o:p></p><p class=MsoNormal><u><span style='color:black'><o:p><span style='text-decoration:none'> </span></o:p></span></u></p><p class=MsoNormal><u><span style='color:black'><o:p><span style='text-decoration:none'> </span></o:p></span></u></p><p class=MsoNormal><b>Add Section 3.2.2.4.15: Domain Contact Phone published in a DNS CAA Record<o:p></o:p></b></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='color:black'>Confirm the Applicant's control over the FQDN by calling the phone number identified as a CAA Contact property record as defined in Appendix B and receive a confirming response to validate the ADN. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'>Each phone call MAY confirm control of multiple</span> <span style='color:black'>ADNs, provided that the same phone number is listed for each</span> <span style='color:black'>ADN being verified and they provide a confirming response for each ADN.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'>The CA may not be transferred or request to be transferred as this phone number has been specifically listed for the purposes of Domain Validation. </span><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='color:black'>In the event of reaching voicemail, the CA may leave the Random Value and the ADN(s) being validated. The CAA Contact may return the Random Number to the CA via Phone, Email, Fax, or SMS to approve the request within 30 days of the voicemail.</span><o:p></o:p></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b>Add Section 3.2.2.4.16 Domain Contact Phone published in a DNS TXT record<o:p></o:p></b></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='color:black'>Confirm the Applicant's control over the FQDN by calling the phone number identified as a DNS domain-authorization-phone TXT phone number as defined in Appendix B and receive a confirming response to validate the ADN. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'>Each phone call MAY confirm control of multiple</span> <span style='color:black'>ADNs, provided that the same phone number is listed for each</span> <span style='color:black'>ADN being verified and they provide a confirming response for each ADN.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'>The CA may not be transferred or request to be transferred as this phone number has been specifically listed for the purposes of Domain Validation. </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'>In the event of reaching voicemail, the CA may leave the Random Value and the ADN(s) being validated. The CAA Contact may return the Random Number to the CA via Phone, Email, Fax, or SMS to approve the request within 30 days of the voicemail.</span><o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><b>Modify Appendix B: DNS Contact Types<o:p></o:p></b></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>When Ballot SC4 is finalized, this ballot will add Phone number to the permitted CAA and DNS TXT record Contact types.<o:p></o:p></p><p class=MsoListParagraph style='margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;line-height:normal'><o:p> </o:p></p><p class=MsoNormal>--- MOTION ENDS ---<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>A comparison of the changes can be found at: TBD<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>The procedure for approval of this ballot is as follows:<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Discussion (7+ days)<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Start Time: TBD<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>End Time: TBD<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Vote for approval (7 days)<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Start Time: TBD<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>End Time: TBD<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>