<div dir="ltr">Hi Kirk,<div><br></div><div>We had two endorsers for the discussion. As I mentioned, there's nothing inherent in needing to direct this to VWG. As DigiCert has pointed out, there are CAs today that are doing validations that are patently insecure.</div><div><br></div><div>While we can understand and appreciate that some members may wish to introduce new validation methods that are limited in scope and applicability (for example, Mads' example only applies to a limited subset of ccTLDs, and cannot be done safely generically), in order to reduce that risk, I think it's entirely appropriate to take the necessary steps to ensure the safety of the Internet at large.</div><div><br></div><div>This does not prevent or inhibit the issuance of certificates that have appropriate controls - that is, these methods could be argued as an 'optimization' - and thus we should not unduly delay progress. Regarding passing it to the VWG, could you indicate where you saw that was suggested? The only mention of it I saw was from you, on a separate thread, and I'm curious if perhaps I've missed additional discussion. Certainly, our workmode does not require sending such discussions "to committee"</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jan 3, 2018 at 3:10 PM, Kirk Hall via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="m_993597751338952806WordSection1">
<p class="MsoNormal"><span style="color:#1f497d">Tim, I thought this issue was going to be discussed first by the VWG, as several CAs have indicated they would like to keep (but improve) Method 1.
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Public [mailto:<a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@<wbr>cabforum.org</a>] <b>
On Behalf Of </b>Tim Hollebeek via Public<br>
<b>Sent:</b> Wednesday, January 3, 2018 11:22 AM<br>
<b>To:</b> CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>><br>
<b>Subject:</b> [EXTERNAL][cabfpub] Ballot 218: Remove validation methods #1 and #5<u></u><u></u></p>
</div>
</div><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Ballot 218: Remove validation methods #1 and #5<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Purpose of Ballot: Section 3.2.2.4 says that it “defines the permitted processes and procedures for validating the Applicant’s ownership or control of the domain.” Most of the validation methods actually do validate ownership and control,
but two do not, and can be completed solely based on an applicant’s own assertions.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Since these two validation methods do not meet the objectives of section 3.2.2.4, and are actively being used to avoid validating domain control or ownership, they should be removed, and the other methods that do validate domain control
or ownership should be used.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">The following motion has been proposed by Tim Hollebeek of DigiCert and endorsed by Ryan Sleevi of Google and Rich Smith of Comodo.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">-- MOTION BEGINS –<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” as follows, based upon Version 1.5.4:<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">In Section 3.2.2.4.1, add text at the end: “For certificates issued on or after March 1, 2018, this method SHALL NOT be used for validation, and completed validations using this method SHALL NOT be used for the issuance of certificates.”<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">In Section 3.2.2.4.5, add text at the end: “For certificates issued on or after March 1, 2018, this method SHALL NOT be used for validation, and completed validations using this method SHALL NOT be used for the issuance of certificates.”<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal" style="text-autospace:none">In Section 4.2.1, after the paragraph that begins “After the change to any validation method”, add the following paragraph: “Validations completed using methods specified in Section 3.2.2.4.1 or Section 3.2.2.4.5
SHALL NOT be re-used on or after March 1, 2018.”<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">-- MOTION ENDS –<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">For the purposes of section 4.2.1, the new text added to 4.2.1 from this ballot is “specifically provided in a [this] ballot.”<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">The procedure for approval of this ballot is as follows:<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Discussion (7+ days) <u></u><u></u></p>
<p class="MsoNormal"> Start Time: 2017-01-03 19:30:00 UTC <u></u><u></u></p>
<p class="MsoNormal"> End Time: Not Before 2017-01-10 19:30:00 UTC<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Vote for approval (7 days) <u></u><u></u></p>
<p class="MsoNormal"> Start Time: TBD <u></u><u></u></p>
<p class="MsoNormal"> End Time: TBD<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div></div></div>
</div>
<br>______________________________<wbr>_________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/<wbr>listinfo/public</a><br>
<br></blockquote></div><br></div>