<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML - vooraf opgemaakt Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
span.HTML-voorafopgemaaktChar
{mso-style-name:"HTML - vooraf opgemaakt Char";
mso-style-priority:99;
mso-style-link:"HTML - vooraf opgemaakt";
font-family:Consolas;
color:black;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
span.E-mailStijl20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.E-mailStijl21
{mso-style-type:personal-reply;
font-family:"Verdana",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="NL" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US">PKIoverheid votes YES. <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">We’ve been following the discussion as it has unfolded. The definition of current methods 3.2.2.4.1 and 3.2.2.4.5, as currently worded in the BR, we have to agree, leaves much room for interpretation. However, we might
be able to improve these methods, a process that will require time.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">In this discussion there are CAs and browsers on the one side who are (possibly) proposing a more radical solution of termination of said validation methods per March 1 (enforced through browser program requirements),
there is ballot 218 which proposes abolition of 3.2.2.4.1 and 3.2.2.4.5 per August 1, and there are parties who want to keep current methods in place, at least long enough for new and improved versions to be developed and deployed. The last option has the
danger that a working group effort could go on for months and months without much progress, while the current methods stay in place. This ballot, with a firm deadline of August 1, puts a fixed end date on the current methods .1 and .5. We welcome possible
working group discussions about a new or improved domain validation methods (possibly included in the broader discussion, see Dimitris’ response below) and is, in our view, this ballot is the best approach forward. It’s a combination of an achievable timeline
for CAs to move away from 3.2.2.4.1 and 3.2.2.4.5 while also including a final date by which CAs must have changed to a different method.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F497D">Kind regards,</span><span lang="EN-US" style="font-size:14.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:14.0pt;font-family:"Verdana",sans-serif;color:#1F497D"> </span><span lang="EN-US" style="font-size:14.0pt;color:windowtext"><o:p></o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F497D">Jochem van den Berge</span></b><span lang="EN-US" style="font-size:14.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F497D"> </span><span lang="EN-US" style="font-size:14.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F497D">Logius PKIoverheid<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F497D">Public Key Infrastructure for the Dutch government<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F497D">........................................................................</span><span lang="EN-US" style="font-size:14.0pt;color:windowtext"><o:p></o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-US" style="font-family:"Verdana",sans-serif;color:#1F497D">Logius</span></b><span lang="EN-US" style="font-size:14.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F497D">Ministry of the Interior and Kingdom Relations (BZK)</span></b><span lang="EN-US" style="font-size:14.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F497D">Wilhelmina van Pruisenweg 52 | 2595 AN | The Hague<br>
PO Box 96810 | 2509 JE | The Hague</span><span lang="EN-US" style="font-size:14.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F497D">........................................................................</span><span lang="EN-US" style="font-size:14.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><u><span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F497D"><a href="mailto:Jochem.vanden.berge@logius.nl"><span lang="EN-GB">jochem.vanden.berge@logius.nl</span></a></span></u><span lang="EN-US" style="font-size:14.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:#1F497D"><a href="http://www.logius.nl">http://www.logius.nl</a></span><span lang="EN-US" style="font-size:14.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="color:windowtext">Van:</span></b><span style="color:windowtext"> Public [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>Namens </b>Dimitris Zacharopoulos via Public<br>
<b>Verzonden:</b> donderdag 1 februari 2018 15:35<br>
<b>Aan:</b> <a href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Onderwerp:</b> Re: [cabfpub] Voting begins: Ballot 218 version 2<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<span lang="EN-US">All currently approved Domain Validation methods provide some level of assurance which is not easily quantifiable without calculating the risks (vulnerabilities, threats) of each method. If we had a methodology to quantify the assurance level
of each method, we would be able to compare them.<br>
<br>
The discussion around methods 3.2.2.4.1 (1 and 2) and 3.2.2.4.5 demonstrated that these methods have lower assurance levels than the other methods, without providing conclusive evidence to support ultimate failure of #1 and #5. If we had that, probably all
validations performed with methods #1 and #5 would have to be invalidated and re-done using other methods. This means that the forum considered these methods "acceptable" so far which means they provided a "reasonable" assurance level. The bar has been raised,
but not in a measurable way. Intuitively, these methods were proved to be the "weakest" among the other methods, even though there are known vulnerabilities for almost all of them (including DNS/routes hijacking, etc). The validation working group should discuss
more about the threats of each method (and how to formalize the level of assurance) in case a similar discussion about the other methods is brought forward.<br>
<br>
HARICA votes "abstain" to ballot 218.<br>
<br>
<br>
Dimitris.<br>
<br>
</span><span lang="EN-US" style="font-size:12.0pt"><o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">On 29/1/2018 11:51 </span>μμ<span lang="EN-US">, Tim Hollebeek via Public wrote:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I’m highly skeptical that discussing this for another month will change anybody’s minds. It has already been discussed for over a month, including at three validation working group meetings and once on the management
call, with extensive discussion on this list as well.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">There have been a number of clever attempts to distract from the matter at hand. Everybody seems to agree that methods #1 and #5 as currently written are insufficient to validate certificates, and efforts to improve
method #1 have all either been shown to be similarly weak, or have turned the validation method into one of the other existing validation methods. In fact, this demonstrates an obvious transition path for CAs currently using method #1: use method #2 or method
#3.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Since methods #1 and #5 do not sufficiently validate certificates, they should not be used, and six months should be more than enough time to cease using them.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Here is the final version of the ballot, with voting times. A redlined document is attached (I encourage other proposers to post ballot redlines, even if it isn’t required).<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">-Tim<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">----- Ballot 218 version 2: Remove validation methods #1 and #5 -----<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Purpose of Ballot: Section 3.2.2.4 says that it “defines the permitted processes and procedures for validating the Applicant’s ownership or control of the domain.” Most of the validation methods actually do validate
ownership and control, but two do not, and can be completed solely based on an applicant’s own assertions.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Since these two validation methods do not meet the objectives of section 3.2.2.4, and are actively being used to avoid validating domain control or ownership, they should be removed, and the other methods that do validate
domain control or ownership should be used.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">The following motion has been proposed by Tim Hollebeek of DigiCert and endorsed by Ryan Sleevi of Google and Rich Smith of Comodo.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">-- MOTION BEGINS –<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” as follows, based upon Version 1.5.4:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">In Section 1.6.1, in the definition of “Domain Contact”, after “in a DNS SOA record”, add “, or as obtained through direct contact with the Domain Name Registrar”<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">In Section 3.2.2.4.1, add text at the end: “For certificates issued on or after August 1, 2018, this method SHALL NOT be used for validation, and completed validations using this method SHALL NOT be used for the issuance
of certificates.”<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">In Section 3.2.2.4.5, add text at the end: “For certificates issued on or after August 1, 2018, this method SHALL NOT be used for validation, and completed validations using this method SHALL NOT be used for the issuance
of certificates.”<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">After Section 3.2.2.4.10, add following two new subsections:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">“3.2.2.4.11 Any Other Method<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">This method has been retired and MUST NOT be used.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">3.2.2.4.12 Validating Applicant as a Domain Contact<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Confirming the Applicant's control over the FQDN by validating the Applicant is the Domain Contact. This method may only be used if the CA is also the Domain Name Registrar, or an Affiliate of the Registrar, of the Base
Domain Name.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names.“<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span lang="EN-US">In Section 4.2.1, after the paragraph that begins “After the change to any validation method”, add the following paragraph: “Validations completed using methods specified in Section 3.2.2.4.1
or Section 3.2.2.4.5 SHALL NOT be re-used on or after August 1, 2018.”<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">-- MOTION ENDS –<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">For the purposes of section 4.2.1, the new text added to 4.2.1 from this ballot is “specifically provided in a [this] ballot.”<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">The procedure for approval of this ballot is as follows:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Discussion (7+ days) <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> Start Time: 2017-01-22 21:30:00 UTC <o:p>
</o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> End Time: 2017-01-29 21:50:00 UTC<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Vote for approval (7 days) <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> Start Time: 2017-01-29 21:50:00 UTC<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> End Time: 2017-02-05 21:50 UTC<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"Times New Roman",serif"><br>
<br>
<br>
<o:p></o:p></span></p>
<pre><span lang="EN-US">_______________________________________________<o:p></o:p></span></pre>
<pre><span lang="EN-US">Public mailing list<o:p></o:p></span></pre>
<pre><a href="mailto:Public@cabforum.org"><span lang="EN-US">Public@cabforum.org</span></a><span lang="EN-US"><o:p></o:p></span></pre>
<pre><a href="https://cabforum.org/mailman/listinfo/public"><span lang="EN-US">https://cabforum.org/mailman/listinfo/public</span></a><span lang="EN-US"><o:p></o:p></span></pre>
</blockquote>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"Times New Roman",serif"><o:p> </o:p></span></p>
</div>
<br>
<HR>
<font color=gray size=1 face=Arial>Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten.<br>This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages. </HR><br></font></body>
</html>