<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.apple-tab-span
{mso-style-name:apple-tab-span;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:806708132;
mso-list-type:hybrid;
mso-list-template-ids:1962998106 -1944968166 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;
mso-fareast-font-family:Calibri;
mso-bidi-font-family:"Times New Roman";}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><a name="_MailEndCompose">In the CAB Forum guidelines for issuing certs, use of WHOIS records is important. WHOIS records may not be the only way to obtain a cert, but in practice they are a main way to do so because WHOIS is an official
and referenceable record. David says that “CAs are required to validate using information sources outside the RDS” but that does not mean that data in the RDS isn’t used or needed.<o:p></o:p></a></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose">From </span><a href="https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.1-redlined.pdf"><span style="mso-bookmark:_MailEndCompose">https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.1-redlined.pdf</span><span style="mso-bookmark:_MailEndCompose"></span></a><span style="mso-bookmark:_MailEndCompose">
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose">3.2.2.4.5 Domain Authorization Document<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose">Confirming the Applicant's control over the requested FQDN by relying upon the attestation to the authority of the Applicant to request a Certificate contained in a Domain Authorization Document.
The Domain Authorization Document MUST substantiate that the communication came from
<b>the Domain Contact</b>. The CA MUST verify that the Domain Authorization Document was either (i) dated on or after the date of the domain validation request or (ii<b>) that the WHOIS data has not materially changed</b> since a previously provided Domain
Authorization Document for the Domain Name Space. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose">From the definitions section:<o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1"><span style="mso-bookmark:_MailEndCompose">Domain Authorization Document: Documentation provided by, or a CA’s documentation of a communication with, a Domain Name Registrar, the
Domain Name Registrant, or the person or <b>entity listed in WHOIS</b> as the Domain Name Registrant (including any private, anonymous, or proxy registration service) attesting to the authority of an Applicant to request a Certificate for a specific Domain
Namespace. <o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1"><span style="mso-bookmark:_MailEndCompose"><b>Domain Contact: The Domain Name Registrant, technical contact, or administrative contract (or the equivalent under a ccTLD) as listed
in the WHOIS record of the Base Domain Name or in a DNS SOA record. <o:p></o:p></b></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1"><span style="mso-bookmark:_MailEndCompose">Domain Name Registrant: Sometimes referred to as the “owner” of a Domain Name, but more properly the person(s) or entity(ies) registered
with a Domain Name Registrar as having the right to control how a Domain Name is used, such as the natural person or Legal
<b>Entity that is listed as the “Registrant” by WHOIS or the Domain Name Registrar</b>.
<o:p></o:p></span></li></ul>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose">[emphases mine] <o:p>
</o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose">If contact data is not available in RDS, that will certainly place additional work on registrars, who will need to verify or vouch for their registrants to the CAs.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="font-size:10.0pt">**********************************<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="font-size:10.0pt">Greg Aaron<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="font-size:10.0pt">Vice-President, Product Management<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="font-size:10.0pt">iThreat Cyber Group / Cybertoolbelt.com<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="font-size:10.0pt">mobile: +1.215.858.2257<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="font-size:10.0pt">**********************************<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="font-size:10.0pt">The information contained in this message is privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient,
or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error,
please notify us immediately by replying to the message and deleting it from your computer.<o:p></o:p></span></span></p>
</div>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><o:p> </o:p></span></p>
<span style="mso-bookmark:_MailEndCompose"></span>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org]
<b>On Behalf Of </b>David Cake<br>
<b>Sent:</b> Monday, January 8, 2018 1:09 PM<br>
<b>To:</b> Lisa Phifer <lisa@corecom.com><br>
<b>Cc:</b> gnso-rds-pdp-wg@icann.org<br>
<b>Subject:</b> [gnso-rds-pdp-wg] Domain Name Certification was Re: Proposed Agenda for RDS PDP WG Meeting - 9 January at 17.00 UTC<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span class="apple-tab-span"> </span>As we hopefully prepare to finalise agreement on the whether or not domain name agreement on whether or not Domain Name Certification is a legitimate purpose for requiring collection of
registrant data, I note that we had some dissenting points of view on the previous poll. I want to address those arguments, so it is clear that they were not ignored. <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><span class="apple-tab-span"> </span>John Bambenek stated that “the entire underpinning of TLS encryption requires validation of requesters and domain name owners.” - while there are some arguments about the detail of that
statement (regarding the validation of domain based certificates, which require only validation of domain name control), its roughly correct - but the real issue here is that John’s commennt does not address the primary argument, which is that (according to
CAB Forum rules) CAs are required to validate using information sources outside the RDS, and as such, removing information which would be of only advisory value to the validation process of organisation and Extended Validation certificates should have no significant
effect on the validation of the certificates that underpin TLS. See section 11.2.2 * <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span class="apple-tab-span"> </span>Where John’s argument may be interpreted as an argument against the use of domain validation certificates, which do not attempt to validate based on identity of owners or ownership, but
only on de facto control, the argument is outside the scope of the charter of this working group. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span class="apple-tab-span"> </span>Similarly, the comments from Tim O’Brien that ‘for Organisational and Extended Validation to work, this information needs to be collected’, seem to directly contradict the CAB Forum rules
that directly state that for Organisational and Extended Validation, the CA must not rely on information from the RDS. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span class="apple-tab-span"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span class="apple-tab-span"> </span>The comments from Rob Golding that '“entity that controls the domain name” does not imply domain name registrant, and so conflates two different entities unnecessarily’ is not I think
correct, I think rather the opposite - Extended Validation certificates specifically do not attempt to guarantee that the certificate applicant IS the domain name registrant, but rather that they have a right to control it (note primary purpose of EV Cert
2.1.1 (1), and Warranties 7.1.C, and explicit wording ‘owned or controlled by’ in 9.2.2). So there is no conflation, rather a precise distinguishing between the purpose of RDS data (which relates to registrant), and the purpose of EV etc Certificates. Domain
certificates are a different case, in that they are generally validated by the de facto demonstration of domain name control only - which again, is not guaranteed to be the registrant. <o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span class="apple-tab-span"> </span>Two people suggested modifications to the text. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span class="apple-tab-span"> </span>Rod Rasmussen suggests that Domain Name Certification may be a legitimate purpose for optional collection of registration data at the request of the registrant. While it is hard to argue
unambiguously against such a limited statement, I am not sure that even in such a form it is true. It is hard to see how even a very optional form of data could be legitimately used by a CA for validation, given the explicit rules against doing so. Rod, if
you have a specific example in mind I’d be interested - otherwise it would seem to be somewhat speculative. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span class="apple-tab-span"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span class="apple-tab-span"> </span>Maxim Alzoba suggests that the ambiguity between use and collection could create a problem (specifically with the GDPR), and suggests we reword to avoid this issue. While I disagree with
the argument, more importantly I think we should revisit this when we address access issues, rather than confuse the issue of our discussion of collection. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">*<span class="apple-tab-span"> </span>[all references to rules here from CA/B Forum Guidelines For The Issuance And Management Of Extended Validation Certificates, version 1.6.5]<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span class="apple-tab-span"> </span>Regards <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span class="apple-tab-span">
</span>David<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On 9 Jan 2018, at 1:06 am, Lisa Phifer <<a href="mailto:lisa@corecom.com">lisa@corecom.com</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">Dear all,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">The next GNSO Next-Gen RDS PDP Working Group meeting will take place on Tuesday 9 January 2018 at 17:00 UTC.<span class="apple-converted-space"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">The proposed agenda (below) and meeting materials (attached) are also posted on the meeting page:<span class="apple-converted-space"> </span><a href="https://community.icann.org/x/QgByB"><span style="color:purple">https://community.icann.org/x/QgByB</span></a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Regards,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Lisa<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-top:7.5pt;background:white;background-position:initial initial;background-repeat:initial initial">
<b><span style="color:#333333">PROPOSED AGENDA – RDS PDP WG Call on<span class="apple-converted-space"> </span></span>Tuesday 9 January 2018 at 17:00 UTC</b><o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;color:#333333;background:#FCFCFC"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">1. Roll Call/SOI Updates<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">2. Complete deliberation on data required for Domain Name Management<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> a. Review poll results from 20 December call Question 2<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> b. Finalize agreement on data required for Domain Name Management<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">3. Complete deliberation on Domain Name Certification<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> a. Review poll results from 20 December call Question 3<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> b. Finalize agreement on Domain Name Certification as a legitimate purpose<span class="apple-converted-space"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">4. Start deliberation on “Criminal Activity/ DNS Abuse – Investigation”<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">5. Confirm action items and proposed decision points<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">6. Confirm next WG meeting: Tuesday, 16 January at 17:00 UTC<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><b>Meeting Materials</b>:<span class="apple-converted-space"> </span><a href="https://community.icann.org/x/QgByB"><span style="color:purple">https://community.icann.org/x/QgByB</span></a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Note: Attached call handout includes poll results and the definitions produced by DT7<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<p class="MsoNormal"><Handout-9January-RDSWGCall-v3.pdf><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">_______________________________________________<br>
gnso-rds-pdp-wg mailing list<br>
</span><a href="mailto:gnso-rds-pdp-wg@icann.org"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:purple">gnso-rds-pdp-wg@icann.org</span></a><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><br>
</span><a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:purple">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</span></a><o:p></o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>