<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Hi Ben:<o:p></o:p></p>
<p class="MsoNormal"><br>
The reference to Section 3.2.2.3 goes with the "or has been authorized by the domain registrant to act on the registrant's behalf" part only. The typical verification of the domain under active control of the registrant would be done via Section 3.2.2.1.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">A possible clarification might be phrased as:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">"The CA SHALL confirm that the Applicant has registered the FQDN contained in the rfc822Name<b><u> in line with the verification practices of Section 3.2.2.1,
</u></b>or has been authorized by the domain registrant to act on the registrant’s behalf in line with the verification practices of Section 3.2.2.3." <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Best, Stephen<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Smcwg-public <smcwg-public-bounces@cabforum.org>
<b>On Behalf Of </b>Ben Wilson via Smcwg-public<br>
<b>Sent:</b> Tuesday, August 8, 2023 4:56 PM<br>
<b>To:</b> SMIME Certificate Working Group <smcwg-public@cabforum.org><br>
<b>Subject:</b> [Smcwg-public] Validation of Information for Name-Constrained SubCAs<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">Does anyone recall offhand why section 7.1.5 doesn't also refer to section 3.2.2.1? </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">Section 7.1.5 says, "The CA SHALL confirm that the Applicant has registered the FQDN contained in the rfc822Name or has authorized by the domain registrant to act on the registrant’s behalf in line with the
verification practices of Section 3.2.2.3." </span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#1D1C1D;background:white">Section 3.2.2.3 is "Validating applicant as operator of associated mail server(s)", and section 3.2.2.1 is "</span>Validating
authority over mailbox via domain." Was there a concern that 3.2.2.1 was too broad and that validation had to be done pursuant to section 3.2.2.3? And what about section 3.2.2.2 (validating control over mailbox via email).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Ben<o:p></o:p></p>
</div>
</div>
</div>
</body>
</html>