<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
All currently approved Domain Validation methods provide some level
of assurance which is not easily quantifiable without calculating
the risks (vulnerabilities, threats) of each method. If we had a
methodology to quantify the assurance level of each method, we would
be able to compare them.<br>
<br>
The discussion around methods 3.2.2.4.1 (1 and 2) and 3.2.2.4.5
demonstrated that these methods have lower assurance levels than the
other methods, without providing conclusive evidence to support
ultimate failure of #1 and #5. If we had that, probably all
validations performed with methods #1 and #5 would have to be
invalidated and re-done using other methods. This means that the
forum considered these methods "acceptable" so far which means they
provided a "reasonable" assurance level. The bar has been raised,
but not in a measurable way. Intuitively, these methods were proved
to be the "weakest" among the other methods, even though there are
known vulnerabilities for almost all of them (including DNS/routes
hijacking, etc). The validation working group should discuss more
about the threats of each method (and how to formalize the level of
assurance) in case a similar discussion about the other methods is
brought forward.<br>
<br>
HARICA votes "abstain" to ballot 218.<br>
<br>
<br>
Dimitris.<br>
<br>
<br>
<div class="moz-cite-prefix">On 29/1/2018 11:51 μμ, Tim Hollebeek
via Public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DM5PR14MB12896270E9320FAD7F246D1183E50@DM5PR14MB1289.namprd14.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’m highly skeptical that discussing this
for another month will change anybody’s minds. It has already
been discussed for over a month, including at three validation
working group meetings and once on the management call, with
extensive discussion on this list as well.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">There have been a number of clever attempts
to distract from the matter at hand. Everybody seems to agree
that methods #1 and #5 as currently written are insufficient
to validate certificates, and efforts to improve method #1
have all either been shown to be similarly weak, or have
turned the validation method into one of the other existing
validation methods. In fact, this demonstrates an obvious
transition path for CAs currently using method #1: use method
#2 or method #3.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Since methods #1 and #5 do not sufficiently
validate certificates, they should not be used, and six months
should be more than enough time to cease using them.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Here is the final version of the ballot,
with voting times. A redlined document is attached (I
encourage other proposers to post ballot redlines, even if it
isn’t required).<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">-Tim<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">----- Ballot 218 version 2: Remove
validation methods #1 and #5 -----<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Purpose of Ballot: Section 3.2.2.4 says
that it “defines the permitted processes and procedures for
validating the Applicant’s ownership or control of the
domain.” Most of the validation methods actually do validate
ownership and control, but two do not, and can be completed
solely based on an applicant’s own assertions.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Since these two validation methods do not
meet the objectives of section 3.2.2.4, and are actively being
used to avoid validating domain control or ownership, they
should be removed, and the other methods that do validate
domain control or ownership should be used.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The following motion has been proposed by
Tim Hollebeek of DigiCert and endorsed by Ryan Sleevi of
Google and Rich Smith of Comodo.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">-- MOTION BEGINS –<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This ballot modifies the “Baseline
Requirements for the Issuance and Management of
Publicly-Trusted Certificates” as follows, based upon Version
1.5.4:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In Section 1.6.1, in the definition of
“Domain Contact”, after “in a DNS SOA record”, add “, or as
obtained through direct contact with the Domain Name
Registrar”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In Section 3.2.2.4.1, add text at the end:
“For certificates issued on or after August 1, 2018, this
method SHALL NOT be used for validation, and completed
validations using this method SHALL NOT be used for the
issuance of certificates.”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In Section 3.2.2.4.5, add text at the end:
“For certificates issued on or after August 1, 2018, this
method SHALL NOT be used for validation, and completed
validations using this method SHALL NOT be used for the
issuance of certificates.”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">After Section 3.2.2.4.10, add following two
new subsections:<o:p></o:p></p>
<p class="MsoNormal">“3.2.2.4.11 Any Other Method<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This method has been retired and MUST NOT
be used.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">3.2.2.4.12 Validating Applicant as a Domain
Contact<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Confirming the Applicant's control over the
FQDN by validating the Applicant is the Domain Contact. This
method may only be used if the CA is also the Domain Name
Registrar, or an Affiliate of the Registrar, of the Base
Domain Name.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Note: Once the FQDN has been validated
using this method, the CA MAY also issue Certificates for
other FQDNs that end with all the labels of the validated
FQDN. This method is suitable for validating Wildcard Domain
Names.“<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none">In Section
4.2.1, after the paragraph that begins “After the change to
any validation method”, add the following paragraph:
“Validations completed using methods specified in Section
3.2.2.4.1 or Section 3.2.2.4.5 SHALL NOT be re-used on or
after August 1, 2018.”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">-- MOTION ENDS –<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">For the purposes of section 4.2.1, the new
text added to 4.2.1 from this ballot is “specifically provided
in a [this] ballot.”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The procedure for approval of this ballot
is as follows:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Discussion (7+ days) <o:p></o:p></p>
<p class="MsoNormal"> Start Time: 2017-01-22 21:30:00 UTC <o:p></o:p></p>
<p class="MsoNormal"> End Time: 2017-01-29 21:50:00 UTC<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Vote for approval (7 days) <o:p></o:p></p>
<p class="MsoNormal"> Start Time: 2017-01-29 21:50:00 UTC<o:p></o:p></p>
<p class="MsoNormal"> End Time: 2017-02-05 21:50 UTC<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
</body>
</html>