<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:.5in;
mso-add-space:auto;
line-height:105%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
line-height:105%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
line-height:105%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:.5in;
mso-add-space:auto;
line-height:105%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:526066825;
mso-list-type:hybrid;
mso-list-template-ids:1435264976 -615349338 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:Calibri;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal>Please post Server Cert ballot discussion to the Server Certificate group, not the Public list of the entire Forum.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Regards,<o:p></o:p></p><p class=MsoNormal>Rich<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Public <public-bounces@cabforum.org> <b>On Behalf Of </b>Doug Beattie via Public<br><b>Sent:</b> Wednesday, October 10, 2018 1:42 PM<br><b>To:</b> CA/Browser Forum Public Discussion List <public@cabforum.org><br><b>Subject:</b> Re: [cabfpub] Pre-ballot for Ballot SC5: Improve Phone Validation Methods<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='color:#1F497D'>I’d like to get some discussion started on this approach for tightening down the Phone Validation method and adding a new method. Please take a look and comment, then we can discuss Tuesday at the Face 2 Face meeting.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Modify Method 3 to:<o:p></o:p></span></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpFirst style='color:#1F497D;margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo2'>Identify where the phone number comes from. The current method 3 says that the number is one that is identified by the Domain Name Registrar as the Domain Contact, but we have a defined term that is better “Domain Contact”. “<span style='color:windowtext'>The Domain Name Registrant, technical contact, or administrative contract (or the equivalent under a ccTLD) as listed in the WHOIS record of the Base Domain Name or in a DNS SOA record, or as obtained through direct contact with the Domain Name Registrar.”</span>.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:#1F497D;margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo2'>Clarify how to handle transfers and voicemail. <o:p></o:p></li><li class=MsoListParagraphCxSpLast style='color:#1F497D;margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo2'>Clarify that this process verifies an ADN (not FQDN)<o:p></o:p></li></ul><p class=MsoNormal><span style='color:#1F497D'>Add Section 3.2.2.4.15: Domain Contact Phone published in a DNS CAA Record<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Add Section 3.2.2.4.16 Domain Contact Phone published in a DNS TXT record<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Modify Appendix B: DNS Contact Types (based on Ballot SC4) to include the definition of Phone numbers. Unfortunately, until ballot SC4 is finalized, I’m in a bit of a holding pattern on this update.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>I think we should try to do this as one Ballot, but perhaps having one that just modified method 3 would permit a more rapid approval. Let me know your thoughts on that.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Please comment this week if you have the time.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Doug<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.25in'><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Doug Beattie <br><b>Sent:</b> Friday, August 17, 2018 9:01 AM<br><b>To:</b> 'CA/Browser Forum Public Discussion List' <<a href="mailto:public@cabforum.org">public@cabforum.org</a>><br><b>Subject:</b> Pre-ballot for Ballot SC5: Improve Phone Validation Methods<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Since this is dependent on the CAA and TXT approach defined in ballot SC4 which is in process, this isn’t yet a complete ballot, but we wanted to get input on the basic set of changes being proposed in parallel with SC4 discussions<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Redlined version attached.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'>Ballot SC5: Improve Phone Validation Methods<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'>Purpose of Ballot: As discussed during the Validation Summit, Method 3 of the Baseline Requirements could use some improvements to close off some potential bad practices that might lead to security risks. This ballot builds on “Ballot SC4 - email and CAA CONTACT” to introduce 2 new validation methods for Phone number validation with the source of the phone number being a CAA record and a DNS TXT record.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'>This Ballot tightens up the rules around phone validation in order to make sure domain authorization or control is verified with a person who is authorized to do so. This ballot changes Method 3, but if we need to create a new method and sunset Method 3, we can do that.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'>The following motion has been proposed by Tim Hollebeek of DigiCert and endorsed by Bruce Morton of Entrust and Doug Beattie of GlobalSign.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'>--- MOTION BEGINS ---<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'>This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” as follows, based on Version 1.X.X:<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><b><span style='color:black'>Modify 3.2.2.4.3 Phone Contact with Domain Contact to read as follows: <o:p></o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'>Confirm the Applicant's control over the FQDN by calling the Domain Contact’s phone number and receive a confirming response to validate the ADN.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'>Each phone call MAY confirm control of multiple</span> <span style='color:black'>ADNs provided that the same Domain Contact phone number is listed for each</span> <span style='color:black'>ADN being verified and they provide a confirming response for each ADN.</span><o:p></o:p></p><p class=MsoNormal><span style='color:black'>In the event that someone other than a Domain Contact is reached, the CA MAY request to be transferred to the Domain Contact. <o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='color:black'>In the event of reaching voicemail, the CA may leave the Random Value and the ADN(s) being validated. The Domain Contact may return the Random Number to the CA via Phone, Email, Fax, or SMS to approve the request within 30 days of the voicemail.</span><o:p></o:p></p><p class=MsoNormal><u><span style='color:black'><o:p><span style='text-decoration:none'> </span></o:p></span></u></p><p class=MsoNormal><u><span style='color:black'><o:p><span style='text-decoration:none'> </span></o:p></span></u></p><p class=MsoNormal><b>Add Section 3.2.2.4.15: Domain Contact Phone published in a DNS CAA Record<o:p></o:p></b></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='color:black'>Confirm the Applicant's control over the FQDN by calling the phone number identified as a CAA Contact property record as defined in Appendix B and receive a confirming response to validate the ADN. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'>Each phone call MAY confirm control of multiple</span> <span style='color:black'>ADNs, provided that the same phone number is listed for each</span> <span style='color:black'>ADN being verified and they provide a confirming response for each ADN.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'>The CA may not be transferred or request to be transferred as this phone number has been specifically listed for the purposes of Domain Validation. </span><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='color:black'>In the event of reaching voicemail, the CA may leave the Random Value and the ADN(s) being validated. The CAA Contact may return the Random Number to the CA via Phone, Email, Fax, or SMS to approve the request within 30 days of the voicemail.</span><o:p></o:p></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b>Add Section 3.2.2.4.16 Domain Contact Phone published in a DNS TXT record<o:p></o:p></b></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='color:black'>Confirm the Applicant's control over the FQDN by calling the phone number identified as a DNS domain-authorization-phone TXT phone number as defined in Appendix B and receive a confirming response to validate the ADN. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'>Each phone call MAY confirm control of multiple</span> <span style='color:black'>ADNs, provided that the same phone number is listed for each</span> <span style='color:black'>ADN being verified and they provide a confirming response for each ADN.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'>The CA may not be transferred or request to be transferred as this phone number has been specifically listed for the purposes of Domain Validation. </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in'><span style='color:black'>In the event of reaching voicemail, the CA may leave the Random Value and the ADN(s) being validated. The CAA Contact may return the Random Number to the CA via Phone, Email, Fax, or SMS to approve the request within 30 days of the voicemail.</span><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b>Modify Appendix B: DNS Contact Types<o:p></o:p></b></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>When Ballot SC4 is finalized, this ballot will add Phone number to the permitted CAA and DNS TXT record Contact types.<o:p></o:p></p><p class=MsoListParagraph style='margin-bottom:0in;margin-bottom:.0001pt;mso-add-space:auto;line-height:normal'><o:p> </o:p></p><p class=MsoNormal>--- MOTION ENDS ---<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>A comparison of the changes can be found at: TBD<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The procedure for approval of this ballot is as follows:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Discussion (7+ days)<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Start Time: TBD<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>End Time: TBD<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Vote for approval (7 days)<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Start Time: TBD<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>End Time: TBD<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>