<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Calibri Light";
panose-1:2 15 3 2 2 2 4 3 2 4;}
@font-face
{font-family:"Century Gothic";
panose-1:2 11 5 2 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Hi Doug, Eva and Christophe<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thank you for this proposal!<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This removes what we have considered to be obstacles for automating the issuance of EV certificates. We have found such obstacles in sections 11.13, 14.1.3 and 16 – which (at least) indicate that two persons or validation specialists must
be involved in the processing and approval of each certificate request on the CA side before issuance. The current language clarifies that this is not required so this addresses our main concerns.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">However, I have a few comments and questions for other (sub)topics. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In the new text in 11.13 2) and 3) Due Diligence and Cross-Correlation are described in a way that clarifies those terms, thanks. Verification of domain names is out of scope for Due Diligence, but only if this is performed in an automated
manner. Verification of domain names is out of scope for Cross-Correlation, independent of being performed in an automated manner. Is this done deliberately? <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I also find current text in section 11.7 Verification of Applicant’s Domain Name that should be changed. Section 11.7.1 1) includes text that indicates that method 1 is still allowed
<i>(..the CA SHALL confirm that the <u>Applicant either is the domain name registrant</u> or has control over the FQDN using a procedure specified in Section 3.2.2.4 of the Baseline Requirements…</i>). The use of Onion domain names is covered both in Section
11.7.1 and BR 3.2.2.4 so perhaps the text in Section 11.7.1 1) could be changed to:
<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><i>For each Fully-Qualified Domain Name listed in a Certificate, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant (or the Applicant's Parent Company, Subsidiary Company, or Affiliate,
collectively referred to as "Applicant" for the purposes of this section) has control over the FQDN using a procedure specified in Section 3.2.2.4 of the Baseline Requirements.<o:p></o:p></i></p>
<p class="MsoNormal">This might be out of scope for what’s covered in your proposal, but it would be nice to fix this also. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The last paragraph in Section 11.14 (moved from 11.14.3) includes a statement about reusing previously submitted data in support of multiple EV Certificates containing the “same Subject”. Does this also include Domain Names in Subject Alternative
Names? I.e. would a reuse of Due Diligence and Cross-Correlation require that the same Domain Names must be used for all EV certificates?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In Section 14.1.3 the text includes: <o:p></o:p></p>
<p class="MsoNormal" style="text-indent:.5in"><i>For example, one Validation Specialist collects all Applicant information and a second Validation Specialist performs Due Diligence and Cross-Correlation.<o:p></o:p></i></p>
<p class="MsoNormal">We consider that the activities of the first Validation Specialist should focus on (initial) verification processes rather than collecting Applicant information. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The main issue addressed in these comments is the separation of verification of all information related to the Subscriber/Subject (identity) and the verification of Domain Names. I fully understand that in the context of automation of domain
control validation this separation might be important, but it’s hard to understand the consequences of such a change.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Regards<o:p></o:p></p>
<p class="MsoNormal">Mads <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Validation &lt;validation-bounces@cabforum.org&gt; <b>
On Behalf Of </b>Doug Beattie via Validation<br>
<b>Sent:</b> Thursday, January 25, 2024 12:56 PM<br>
<b>To:</b> validation@cabforum.org<br>
<b>Subject:</b> Re: [cabf_validation] Further discussion on improvements for automation in the context of EV certificates<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’m resending this because it may not have gone through when Eva sent it.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Doug<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Eva Van Steenberge &lt;<a href="mailto:eva.vansteenberge@globalsign.com">eva.vansteenberge@globalsign.com</a>&gt;
<br>
<b>Sent:</b> Thursday, January 25, 2024 4:41 AM<br>
<b>To:</b> <a href="mailto:validation@cabforum.org">validation@cabforum.org</a><br>
<b>Cc:</b> Doug Beattie &lt;<a href="mailto:doug.beattie@globalsign.com">doug.beattie@globalsign.com</a>&gt;; Christophe Bonjean &lt;<a href="mailto:christophe.bonjean@globalsign.com">christophe.bonjean@globalsign.com</a>&gt;<br>
<b>Subject:</b> Further discussion on improvements for automation in the context of EV certificates<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hello all<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We made some amendments to our proposed text here: <a href="https://github.com/cabforum/servercert/compare/main...chrisbn:servercert:improve-evg-automation-issue-467">
https://github.com/cabforum/servercert/compare/main...chrisbn:servercert:improve-evg-automation-issue-467</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We have a short presentation prepared to summarize what has changed, explain the rationale behind these updates and to seek further feedback from this forum. Looking forward to the discussion!<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Kind regards,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="444" style="width:333.15pt;border-collapse:collapse">
<tbody>
<tr style="height:12.7pt">
<td valign="top" style="padding:0in 5.4pt 0in 5.4pt;height:12.7pt">
<p class="MsoNormal" style="margin-right:-.1in;text-align:justify"><span lang="EN-PH" style="font-size:12.0pt;mso-fareast-language:EN-PH"><img border="0" width="200" height="77" style="width:2.0833in;height:.802in" id="Picture_x0020_24" src="cid:image001.gif@01DA5DBE.75785240"></span><span style="font-size:9.0pt;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
</td>
<td width="239" valign="top" style="width:179.55pt;padding:0in 5.4pt 0in 5.4pt;height:12.7pt">
<p class="MsoNormal" style="margin-right:-.1in"><b><span style="font-size:2.0pt;font-family:&quot;Century Gothic&quot;,sans-serif;color:#2E74B5;mso-fareast-language:EN-GB"><br>
</span></b><b><span style="font-family:&quot;Century Gothic&quot;,sans-serif;color:#2E74B5;mso-fareast-language:EN-GB">Eva
</span></b><span style="font-family:&quot;Century Gothic&quot;,sans-serif;color:#2E74B5;mso-fareast-language:EN-GB">VAN STEENBERGE (She/Her)<b><o:p></o:p></b></span></p>
<p class="MsoNormal" style="margin-right:-.2in"><span style="font-size:8.0pt;font-family:&quot;Century Gothic&quot;,sans-serif;mso-fareast-language:EN-GB">Senior Compliance officer<br>
</span><span style="font-size:12.0pt;mso-fareast-language:EN-GB"><img border="0" width="11" height="11" style="width:.1145in;height:.1145in" id="Picture_x0020_7" src="cid:image002.png@01DA5DBE.75785240" alt="Receiver with solid fill"></span><span style="font-size:8.0pt;font-family:&quot;Century Gothic&quot;,sans-serif;mso-fareast-language:EN-GB">
+441622766748</span><span style="font-size:12.0pt;font-family:&quot;Century Gothic&quot;,sans-serif;mso-fareast-language:EN-GB"><br>
</span><span style="font-size:8.0pt;font-family:&quot;Century Gothic&quot;,sans-serif;mso-fareast-language:EN-GB"><img border="0" width="12" height="12" style="width:.125in;height:.125in" id="Picture_x0020_3" src="cid:image003.png@01DA5DBE.75785240" alt="Email with solid fill"></span><span style="font-size:8.0pt;font-family:&quot;Century Gothic&quot;,sans-serif;mso-fareast-language:EN-GB">
</span><span style="font-size:9.0pt;font-family:&quot;Calibri Light&quot;,sans-serif"><a href="mailto:eva.vansteenberge@globalsign.com"><span style="color:blue">eva.vansteenberge</span><span style="color:blue;mso-fareast-language:EN-GB">@globalsign.com</span></a></span><u><span style="font-size:9.0pt;font-family:&quot;Calibri Light&quot;,sans-serif;color:#0563C1;mso-fareast-language:EN-GB"><o:p></o:p></span></u></p>
<p class="MsoNormal" style="margin-right:-.2in"><span style="font-size:8.0pt;font-family:&quot;Century Gothic&quot;,sans-serif;mso-fareast-language:EN-GB"><img border="0" width="12" height="12" style="width:.125in;height:.125in" id="Picture_x0020_4" src="cid:image004.png@01DA5DBE.75785240" alt="Cursor with solid fill"></span><span lang="DE" style="font-size:8.0pt;font-family:&quot;Century Gothic&quot;,sans-serif;mso-fareast-language:EN-GB">
</span><span style="font-size:12.0pt;mso-fareast-language:EN-GB"><a href="https://www.globalsign.com/"><span lang="DE" style="font-size:8.0pt;font-family:&quot;Century Gothic&quot;,sans-serif;color:windowtext;text-decoration:none">www.globalsign.com</span></a></span><span lang="DE" style="mso-fareast-language:EN-GB"><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>