<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<p>SSL.com votes YES on SC46.<br>
<br>
Chris K<br>
</p>
<div class="moz-cite-prefix">On 6/2/2021 1:24 PM, Bruce Morton via
Servercert-wg wrote:<br>
</div>
<blockquote type="cite" cite="mid:01000179cdf81a99-8b83f166-d12d-4438-b3c3-2bbc3e30fdd8-000000@email.amazonses.com">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}div.WordSection1
{page:WordSection1;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Entrust votes Yes to ballot SC46.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Bruce.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Servercert-wg
<a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg-bounces@cabforum.org"><servercert-wg-bounces@cabforum.org></a>
<b>On Behalf Of </b>Ryan Sleevi via Servercert-wg<br>
<b>Sent:</b> Wednesday, May 26, 2021 2:30 PM<br>
<b>To:</b> Ryan Sleevi <a class="moz-txt-link-rfc2396E" href="mailto:sleevi@google.com"><sleevi@google.com></a>; CA/B Forum
Server Certificate WG Public Discussion List
<a class="moz-txt-link-rfc2396E" href="mailto:servercert-wg@cabforum.org"><servercert-wg@cabforum.org></a><br>
<b>Subject:</b> [EXTERNAL] Re: [Servercert-wg] Voting Begins
for Ballot SC46: Sunset the CAA exception for DNS Operator<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">WARNING: This email originated outside of
Entrust.<br>
DO NOT CLICK links or attachments unless you trust the sender
and know the content is safe.<o:p></o:p></p>
<div class="MsoNormal" style="text-align:center" align="center">
<hr width="100%" size="2" align="center">
</div>
<div>
<div>
<p class="MsoNormal">Unfortunately, I realized belatedly
that I forgot to clearly indicate the Voting End Time.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">As such, the previous mail did not
officially start voting. Thankfully, as no votes were
received, I think we can just say I didn't start it
correctly?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Please find the corrected
announcement below:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">This email begins the voting period
for Ballot SC46: Sunset the CAA exception for DNS
operator<br>
<br>
Purpose of Ballot:<br>
<br>
This Ballot addresses security issues with Section
3.2.2.8 regarding CAA checking.<br>
<br>
Currently, Section 3.2.2.8 permits a CA to bypass CAA
checking if the CA or an Affiliate of the CA is the DNS
Operator. This term is referred to through RFC 7719, and
involves a precise technical definition regarding how a
zone's authoritative servers are configured and
expressed (e.g. NS records). While this allows a CA to
skip looking up the CAA record, it does not absolve them
of the need to look up these other records on every
issuance.<br>
<br>
As practiced by CAs, this has clearly caused some
confusion. For example, some CAs have incorrectly
implemented policies that determine they're
authoritative based on self-assertion that they are
authoritative, which is not consistent with the current
requirements.<br>
<br>
To avoid these issues, this sunsets the CAA exception on
2021-07-01 for the DNS Operator, simplifying the
requirements and reducing ambiguities for CAs performing
validation.<br>
<br>
The following motion has been proposed by Ryan Sleevi of
Google and endorsed by Ben Wilson of Mozilla and Jacob
Hoffman-Andrews of ISRG/Let's Encrypt.<br>
<br>
It can be viewed on GitHub as <a href="https://urldefense.com/v3/__https:/github.com/cabforum/servercert/pull/271__;!!FJ-Y8qCqXTj2!NFeHHMg2M0PSERtj03rqrCoxas3jZqEeftaCsg3iAoFNIJ7Gmq5rzCN_3XxzPiKIUOI$" moz-do-not-send="true">
https://github.com/cabforum/servercert/pull/271</a><br>
<br>
-- MOTION BEGINS --<br>
<br>
This ballot modifies the “Baseline Requirements for the
Issuance and Management of Publicly-Trusted
Certificates” (“Baseline Requirements”), based on
Version 1.7.4:<br>
<br>
MODIFY the Baseline Requirements as specified in the
following Redline:<br>
<br>
<a href="https://urldefense.com/v3/__https:/github.com/cabforum/servercert/compare/47248d77d371356780b08cfa971b26d88d704ca8..6d34b1d51f645912d2237d5d4b46f4a49e8352ed__;!!FJ-Y8qCqXTj2!NFeHHMg2M0PSERtj03rqrCoxas3jZqEeftaCsg3iAoFNIJ7Gmq5rzCN_3XxztHcKH2U$" moz-do-not-send="true">https://github.com/cabforum/servercert/compare/47248d77d371356780b08cfa971b26d88d704ca8..6d34b1d51f645912d2237d5d4b46f4a49e8352ed</a><br>
<br>
-- MOTION ENDS --<br>
<br>
This ballot proposes a Final Maintenance Guideline.<br>
<br>
The procedure for approval of this ballot is as follows:<br>
<br>
Discussion (7+ days)<br>
<br>
Start Time: 2021-05-13 20:00:00 UTC<br>
End Time: 2021-05-26 14:00:00 UTC<br>
<br>
Vote for approval (7 days)<br>
<br>
Start Time: 2021-05-26 18:30:00 UTC<br>
End Time: 2021-06-02 18:30:00 UTC<o:p></o:p></p>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Servercert-wg mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Servercert-wg@cabforum.org">Servercert-wg@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/servercert-wg">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a>
</pre>
</blockquote>
</body>
</html>