<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 2/5/2017 11:59 PM, Jeremy Rowley via
Public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:4e53697642bf4e6798258cdea68296f0@EX2.corp.digicert.com">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Okay.
Based on the discussion, I propose we do the following to
move things forward:</span></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoNormal" style="margin-left:0in;mso-list:l1
level1 lfo3"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Include
an extension in the EE certs indicating compliance with a
certain version of the BRs. This addresses Ryan’s concerns
of knowing which certs were issued under new methods
compared to relying on older documentation.</span></li>
<li class="MsoNormal" style="margin-left:0in;mso-list:l1
level1 lfo3"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Permit
document reuse for 13 months, after which all certs must be
validated using one of the new methods. This addresses
Kirk’s concern of having to revalidate every customer as
of the effective date, permitting roughly half to expire
while the other half are revalidated.</span></li>
</ol>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Does
this make everyone equally unhappy?</span></p>
</div>
</blockquote>
<br>
I think Gerv's proposal
(<a class="moz-txt-link-freetext" href="https://cabforum.org/pipermail/public/2017-April/010804.html">https://cabforum.org/pipermail/public/2017-April/010804.html</a>) is a
big improvement, because some validation information is harder to
acquire than other information. Methods that can be automated (like 3.2.2.4.6
or 3.2.2.4.7) could re-use information for a lot less than 13
months.<br>
<br>
It would also be great if there was guidance on which of the 10
domain validation methods can be used to prove domain namespace
ownership (or wildcard validation, as Gerv mentioned in his proposal)
and which should be limited to only verifying ownership of a single
FQDN.<br>
<br>
It would also be nice to write requirements for reuse of validation
information for domain ownership (for each method) and of validation
information for identities (which doesn't change so often, for
example identity information for IV Certificates). So, a CA could be
allowed to reuse identity information for IV Certificates for 39
months, and for OV Certificates for 24 months.<br>
<br>
<br>
Dimitris.<br>
<br>
<blockquote type="cite"
cite="mid:4e53697642bf4e6798258cdea68296f0@EX2.corp.digicert.com">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Jeremy</span></p>
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
Ryan Sleevi [<a class="moz-txt-link-freetext" href="mailto:sleevi@google.com">mailto:sleevi@google.com</a>] <br>
<b>Sent:</b> Tuesday, May 2, 2017 12:43 PM<br>
<b>To:</b> Jeremy Rowley <a class="moz-txt-link-rfc2396E" href="mailto:jeremy.rowley@digicert.com"><jeremy.rowley@digicert.com></a><br>
<b>Cc:</b> CA/Browser Forum Public Discussion List
<a class="moz-txt-link-rfc2396E" href="mailto:public@cabforum.org"><public@cabforum.org></a>; Gervase Markham
<a class="moz-txt-link-rfc2396E" href="mailto:gerv@mozilla.org"><gerv@mozilla.org></a><br>
<b>Subject:</b> Re: [cabfpub] Ballot 190</span></p>
<div>
<p class="MsoNormal">Just to be clear: my initial proposal was
simply to indicate "All information in this certificate has
been validated in accordance with the explicit methods in
Version X"</p>
<div>
<p class="MsoNormal">That is, even if information is reused,
that the information was compatible with version X. If
version X+1 or X+3 changes things substantially - but
still permits reuse of Version X data - then you'd
continue to assert Version X. If Version X+3's validation
was still compatible with Version X (perhaps it added a
new method, or changed something unrelated), you could
assert either X, X+1, X+2, or X+3 and still be in full
compliance. Asserting X+3 is, of course, a stronger
security assurance, but asserting X is still
compliant/compatible :)</p>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a></pre>
</blockquote>
<br>
</body>
</html>