<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:"Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>Hello,<o:p></o:p></p><p class=MsoNormal>As previously mentioned on the last Validation call, here’s my running list of notable items that we found during our read of the BRs. I classified the items in three buckets: “things to keep in mind”, “to discuss further”, and “to do”. “To discuss further” are items that likely require more discussion prior to proposing concrete changes, while “to do” items are those that are relatively straightforward.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Please let me know if I missed any items that were brought up but not listed below.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>To keep in mind:<o:p></o:p></p><p class=MsoNormal>1. Try to maintain current language/meaning of Subscriber Agreement/Terms of Use to avoid messy legal changes<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>To discuss further:<o:p></o:p></p><p class=MsoNormal>1. Do we need a term to encompass the concept of a current Subscriber that has submitted a Certificate Request for a new Certificate?<o:p></o:p></p><p class=MsoNormal>2. Ben's language for section 1.3.3: https://lists.cabforum.org/pipermail/validation/2022-November/001826.html<o:p></o:p></p><p class=MsoNormal> a. Does this resolve concerns around CAs issuing Test Website certificates, etc.?<o:p></o:p></p><p class=MsoNormal>3. More closely examine references to "hosting providers" in section 9.6.3 and other locations<o:p></o:p></p><p class=MsoNormal> a. This ties very closely into the extensive discussion in November on "Cloud Providers" issuing certificates from CAs that are controlled by the "Cloud Provider": <a href="https://lists.cabforum.org/pipermail/validation/2022-November/001827.html">https://lists.cabforum.org/pipermail/validation/2022-November/001827.html</a><o:p></o:p></p><p class=MsoNormal>4. What exactly is a “certificate request”? Sections 4.1 and 4.2 need help, as it's not clear what exactly a "certificate request" is or what exactly a "certificate request" is comprised of (<a href="https://github.com/cabforum/servercert/issues/400">https://github.com/cabforum/servercert/issues/400</a>)<o:p></o:p></p><p class=MsoNormal>5. What do the Terms of Use accomplish when the Subscriber is the CA?<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>To do:<o:p></o:p></p><p class=MsoNormal>1. Revive ballot to distinguish Secret vs. Freshness Random Values<o:p></o:p></p><p class=MsoNormal>2. Make clear that CAs must maintain validation records for their own Certificates<o:p></o:p></p><p class=MsoNormal>3. Use same construction of the initial sentence in 3.2.3 as in 3.2.5 to avoid requiring identity verification for DV certificates requested by natural persons<o:p></o:p></p><p class=MsoNormal>4. Move final sentence of 3.2.3 to 3.2.5, perhaps making a new sub-section to clarify intent <o:p></o:p></p><p class=MsoNormal>5. Replace "Applicant" with "Subscriber" in section 4.9 ("e.g. a court or arbitrator has revoked a Domain Name Registrant's right to use the Domain Name, a relevant licensing or services agreement between the Domain Name Registrant and the Applicant has terminated, or the Domain Name Registrant has failed to renew the Domain Name")<o:p></o:p></p><p class=MsoNormal>6. 9.6.3 replace "Subscriber" with "Applicant/Subscriber"<o:p></o:p></p><p class=MsoNormal> a. or split 9.6.3 into two sub-sections: one for initial certificate request, and another section for subsequent requests<o:p></o:p></p><p class=MsoNormal>7. Clean up 9.6.3 (4) for removal of "install"<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks,<o:p></o:p></p><p class=MsoNormal>Corey<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>