<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>SSL.com votes YES.<br>
<br>
csk<br>
</p>
<div class="moz-cite-prefix">On 12/17/2018 5:55 PM, Tim Hollebeek
via Public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:BN6PR14MB1106EB357CF8EE8C091377CC83BC0@BN6PR14MB1106.namprd14.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">Ballot SC13: CAA
Contact Property and Associated E-mail Validation Methods</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">Purpose of
Ballot: Increasingly, contact information is not available
in WHOIS due to concerns about potential GDPR violations.
This ballot specifies a method by which domain holders can
publish their contact information via DNS, and how CAs can
use that information for validating domain control.</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">The following
motion has been proposed by Tim Hollebeek of DigiCert and
endorsed by Bruce Morton of Entrust and Doug Beattie of
GlobalSign.</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">--- MOTION
BEGINS ---</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">This ballot
modifies the “Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates” as follows,
based on Version 1.6.0:</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">Add the
following definitions to section 1.6.1:</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">DNS CAA Email
Contact: The email address defined in section B.1.2.</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">DNS TXT Record
Email Contact: The email address defined in section B.2.2.</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">Add Section
3.2.2.4.13: Email to DNS CAA Contact</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">Confirming the
Applicant's control over the FQDN by sending a Random Value
via email and then receiving a confirming response utilizing
the Random Value. The Random Value MUST be sent to a DNS CAA
Email Contact. The relevant CAA Resource Record Set MUST be
found using the search algorithm defined in RFC 6844 Section
4, as amended by Errata 5065 (Appendix A).</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">Each email MAY
confirm control of multiple FQDNs, provided that each email
address is a DNS CAA Email Contact for each Authorization
Domain Name being validated. The same email MAY be sent to
multiple recipients as long as all recipients are DNS CAA
Email Contacts for each Authorization Domain Name being
validated.</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">The Random Value
SHALL be unique in each email. The email MAY be re-sent in
its entirety, including the re-use of the Random Value,
provided that its entire contents and recipient(s) SHALL
remain unchanged. The Random Value SHALL remain valid for
use in a confirming response for no more than 30 days from
its creation. The CPS MAY specify a shorter validity period
for Random Values.</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">Note: Once the
FQDN has been validated using this method, the CA MAY also
issue Certificates for other FQDNs that end with all the
labels of the validated FQDN. This method is suitable for
validating Wildcard Domain Names.</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">Add Section
3.2.2.4.14: Email to DNS TXT Contact</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">Confirming the
Applicant's control over the FQDN by sending a Random Value
via email and then receiving a confirming response utilizing
the Random Value. The Random Value MUST be sent to a DNS TXT
Record Email Contact for the Authorization Domain Name
selected to validate the FQDN.</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">Each email MAY
confirm control of multiple FQDNs, provided that each email
address is DNS TXT Record Email Contact for each
Authorization Domain Name being validated. The same email
MAY be sent to multiple recipients as long as all recipients
are DNS TXT Record Email Contacts for each Authorization
Domain Name being validated.</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">The Random Value
SHALL be unique in each email. The email MAY be re-sent in
its entirety, including the re-use of the Random Value,
provided that its entire contents and recipient(s) SHALL
remain unchanged. The Random Value SHALL remain valid for
use in a confirming response for no more than 30 days from
its creation. The CPS MAY specify a shorter validity period
for Random Values.</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">Note: Once the
FQDN has been validated using this method, the CA MAY also
issue Certificates for other FQDNs that end with all the
labels of the validated FQDN. This method is suitable for
validating Wildcard Domain Names.</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">Add Appendix B:
DNS Contact Properties</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">These methods
allow domain owners to publish contact information in DNS
for the purpose of validating domain control.</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">B.1. CAA Methods</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">B.1.1. CAA
contactemail Property</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">SYNTAX:
contactemail &lt;rfc6532emailaddress&gt;</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">The CAA
contactemail property takes an email address as its
parameter. The entire parameter value MUST be a valid email
address as defined in RFC 6532 section 3.2, with no
additional padding or structure, or it cannot be used.</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">The following is
an example where the holder of the domain specified the
contact property using an email address.</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">$ORIGIN
example.com.</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">
CAA 0 contactemail "domainowner@example.com"</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">The contactemail
property MAY be critical, if the domain owner does not want
CAs who do not understand it to issue certificates for the
domain.</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">B.2. DNS TXT
Methods</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">B.2.1. DNS TXT
Record Email Contact</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">The DNS TXT
record MUST be placed on the "_validation-contactemail"
subdomain of the domain being validated. The entire RDATA
value of this TXT record MUST be a valid email address as
defined in RFC 6532 section 3.2, with no additional padding
or structure, or it cannot be used.</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">--- MOTION ENDS
---</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">*** WARNING ***:
USE AT YOUR OWN RISK. THE REDLINE BELOW IS NOT THE OFFICIAL
VERSION OF THE CHANGES (CABF Bylaws, Section 2.4(a)):</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">A comparison of
the changes can be found at:
<a class="moz-txt-link-freetext" href="https://github.com/cabforum/documents/compare/Ballot-SC4---CAA-CONTACT-email?diff=unified&amp;expand=1">https://github.com/cabforum/documents/compare/Ballot-SC4---CAA-CONTACT-email?diff=unified&amp;expand=1</a></span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">The changes
between version 5 and version 4 are here:</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'"><a class="moz-txt-link-freetext" href="https://github.com/cabforum/documents/commit/92dd4a3a9afa38e9abf6765eb19e27508663ae61">https://github.com/cabforum/documents/commit/92dd4a3a9afa38e9abf6765eb19e27508663ae61</a></span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">The procedure
for approval of this ballot is as follows:</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">Discussion (7+
days)</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">Start Time:
2018-12-10 17:30 Eastern</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">End Time: Not
before 2018-12-17 17:30 Eastern</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">Vote for
approval (7 days)</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">Start Time:
2018-12-17 19:00 Eastern</span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-family:'Courier New'">End Time:
2018-12-24 19:00 Eastern</span></p>
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
Chris Kemmerer
Manager of Operations
SSL.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~ To find the reefs, look~~~~~~~~
~~~~ for the wrecks. ~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</pre>
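<p>Added example, not part of the ballot or of either message above: a Python sketch of how a CA-side check could derive the DNS CAA Email Contacts and DNS TXT Record Email Contacts that the ballot defines, and test the rule for one email covering several FQDNs. The zone data is constructed, the function names are hypothetical, the address check is a deliberately strict subset of RFC 6532 rather than a full parser, and the alias step reflects the amended RFC 6844 search as understood here.</p>

```python
import re

# Assumption: a strict subset of the RFC 6532 addr-spec (dot-atom local part,
# dotted domain; no quoted strings, comments or domain literals).
_ATOM = r'[^\s()<>\[\]:;@\\,."\x00-\x1f\x7f]+'
_ADDR = re.compile(rf"{_ATOM}(?:\.{_ATOM})*@{_ATOM}(?:\.{_ATOM})+")

# Constructed sample data, not taken from the ballot.
CAA = {  # owner name -> [(flags, tag, value)]
    "example.com": [(0, "issue", "ca.example.net"),
                    (0, "contactemail", "domainowner@example.com"),
                    (0, "contactemail", "Owner <owner@example.com>")],
    "hosting.example.net": [(0, "contactemail", "ops@example.net")],
}
ALIAS = {"shop.example.org": "hosting.example.net"}  # CNAME/DNAME targets
TXT = {"_validation-contactemail.example.com":
       ["hostmaster@example.com", " padded@example.com"]}

def usable_contact(value):
    """The entire value must be an address: no padding, display name or scheme."""
    return _ADDR.fullmatch(value) is not None

def relevant_caa_rrset(fqdn, caa=CAA, alias=ALIAS):
    """Return (owner, rrset) for the first non-empty CAA set, climbing to the TLD."""
    name = fqdn.rstrip(".").lower()
    while True:
        if caa.get(name):
            return name, caa[name]
        target = alias.get(name)
        if target and caa.get(target):   # alias target is consulted before the parent
            return target, caa[target]
        if "." not in name:              # top-level domain reached, nothing found
            return None, []
        name = name.split(".", 1)[1]     # drop the leftmost label

def caa_email_contacts(fqdn):
    """DNS CAA Email Contacts: usable contactemail values in the relevant RRset."""
    _, rrset = relevant_caa_rrset(fqdn)
    return [v for _, tag, v in rrset
            if tag.lower() == "contactemail" and usable_contact(v)]

def txt_email_contacts(adn, txt=TXT):
    """DNS TXT Record Email Contacts published for one Authorization Domain Name."""
    owner = "_validation-contactemail." + adn.rstrip(".").lower()
    return [v for v in txt.get(owner, []) if usable_contact(v)]

def may_share_email(recipients, fqdns):
    """One email may cover several FQDNs only if every recipient is a contact for each."""
    return bool(recipients) and all(
        set(recipients) <= set(caa_email_contacts(f)) for f in fqdns)

if __name__ == "__main__":
    print(caa_email_contacts("www.example.com"), txt_email_contacts("example.com"))
```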
</body>
</html>