<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
I was not aware of this effort and I'm trying to find any relevant
emails to the group that I missed with any of these announcements.<br>
<br>
In any case, thank you for the update, I'm sure this will receive
more attention (and contributions) now that it has been highlighted
:)<br>
<br>
<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 4/6/2024 11:51 PM, Ryan Dickson
via Servercert-wg wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100018fe505c085-fae56cb1-b4de-4285-a5fe-4e9940a28bc7-000000@email.amazonses.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr"><span
id="gmail-docs-internal-guid-4a0dd4cb-7fff-b865-bae0-a726c959aa51">
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Hi
Roman,</span></p>
<br>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Thank
you for highlighting the Princeton Open MPIC Project,
which we introduced in the preamble of SC-067 Version 1
[1]. While we appreciate your (and others') perspective,
this ballot intends to close an open vulnerability that
was presented at F2F 58 (February 28, 2023), and as I
understand it, discussed within the Server Certificate
Working Group before that time.</span></p>
<br>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">There
are multiple approaches to implementing MPIC in a manner
that satisfies the requirements described in this ballot.
The Princeton API [2] is just one example. We also see an
API [3] available from Cloudflare, and earlier ballot
discussion highlighted VPNs [4] could also be used in lieu
of standing up remote cloud server instances. The ballot
was subsequently updated [5] to make the permitted use of
VPNs clear. </span></p>
<br>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Beyond
this, I’m unaware of other ballots passed in recent
history that have gone to such lengths to ensure ease of
community adoption, especially ones intended to
introduce meaningful security improvements in response
to a demonstrated and ongoing vulnerability. This approach
has included delaying the Effective Dates described in
earlier proposals [6, slide 37], and also adopting a
phased approach that strengthens over time to allow CA
Owners a reasonable amount of flexibility and time for
them to fine-tune implementations before blocking action
becomes normative [6, slide 38]. </span></p>
<br>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Just
as was discussed in messages [7][8][9] related to
third-party linting tools, delaying the adoption of an
important security function because of a dependency on a
voluntary contribution by a third-party who is not a Forum
participant is a path that must be avoided. </span></p>
<br>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Regardless
of the above, we’ve checked with the Princeton researchers
and they have indicated:</span></p>
<ul style="margin-top:0px;margin-bottom:0px">
<li dir="ltr"
style="list-style-type:disc;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre"><p
dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"
role="presentation"><span
style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">they expect the current API specification [2] to be implemented by September 2024. The ballot describes the first “MUST” implementation date as March 15, 2025 [10]. I’ll note this “MUST” effective date is intentionally “soft”, as CAs can use their discretion as to whether MPIC responses block issuance. The “hard” block requirement takes effect September 15, 2025.</span></p></li>
<li dir="ltr"
style="list-style-type:disc;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre"><p
dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"
role="presentation"><span
style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">they are expected to upload a functional prototype to GitHub this week.</span></p></li>
<li dir="ltr"
style="list-style-type:disc;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre"><p
dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"
role="presentation"><span
style="background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">only 4 CA Owners have joined the Open MPIC Project mailing list [11]. </span></p></li>
</ul>
<br>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Related
to the Open MPIC Project mailing list, I was surprised at
such low participation and interest in collaboration given
(1) the perceived community reaction to Henry’s
presentation at F2F 58 and following discussions and (2)
how long we’ve been discussing MPIC within the Validation
Subcommittee and broader SCWG. Beyond the points earlier
about the risk and precedent of delaying adoption of a
security function as a result of a voluntary third-party
contribution, it’s difficult to reason this limited
community participation as a motivating factor for
delaying the ballot, which should be instead interpreted
as helping close an open Web PKI vulnerability, as a
result of the project’s progress.</span></p>
<br>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Thanks,</span></p>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Ryan</span></p>
</span><br class="gmail-Apple-interchange-newline">
<div><span
id="gmail-docs-internal-guid-6feaa294-7fff-4fea-3c99-43ffeed12867">
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">References: </span></p>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[1]
</span><a
href="https://github.com/cabforum/servercert/pull/487"
style="text-decoration-line:none" moz-do-not-send="true"><span
style="font-family:Arial,sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">https://github.com/cabforum/servercert/pull/487</span></a><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[2]
</span><a
href="https://github.com/open-mpic/open-mpic-specification"
style="text-decoration-line:none" moz-do-not-send="true"><span
style="font-family:Arial,sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">https://github.com/open-mpic/open-mpic-specification</span></a><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[3]
</span><a
href="https://docs.google.com/document/d/19wvjk7lcK1TCQpJrjEljosTEe8A0We1ayRp_1Ou3r4s/edit#heading=h.9kf5j5tsn6i7"
style="text-decoration-line:none" moz-do-not-send="true"><span
style="font-family:Arial,sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">https://docs.google.com/document/d/19wvjk7lcK1TCQpJrjEljosTEe8A0We1ayRp_1Ou3r4s/edit#heading=h.9kf5j5tsn6i7</span></a></p>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[4]
</span><a
href="https://github.com/cabforum/servercert/pull/487#discussion_r1557725687"
style="text-decoration-line:none" moz-do-not-send="true"><span
style="font-family:Arial,sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">https://github.com/cabforum/servercert/pull/487#discussion_r1557725687</span></a><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[5]
</span><a
href="https://github.com/cabforum/servercert/pull/507/commits/01b3f1d9fa361d0dc568cf5a2713e6f39abb7438#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR389"
style="text-decoration-line:none" moz-do-not-send="true"><span
style="font-family:Arial,sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">https://github.com/cabforum/servercert/pull/507/commits/01b3f1d9fa361d0dc568cf5a2713e6f39abb7438#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR389</span></a><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[6]
</span><a
href="https://drive.google.com/file/d/1LTwtAwHXcSaPVSsqKQztNJrV2ozHJ7ZL/view"
style="text-decoration-line:none" moz-do-not-send="true"><span
style="font-family:Arial,sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">https://drive.google.com/file/d/1LTwtAwHXcSaPVSsqKQztNJrV2ozHJ7ZL/view</span></a><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[7]
</span><a
href="https://archive.cabforum.org/pipermail/servercert-wg/2024-April/004411.html"
style="text-decoration-line:none" moz-do-not-send="true"><span
style="font-family:Arial,sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">https://archive.cabforum.org/pipermail/servercert-wg/2024-April/004411.html</span></a></p>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[8]
</span><a
href="https://archive.cabforum.org/pipermail/servercert-wg/2024-April/004417.html"
style="text-decoration-line:none" moz-do-not-send="true"><span
style="font-family:Arial,sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">https://archive.cabforum.org/pipermail/servercert-wg/2024-April/004417.html</span></a><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[9]
</span><a
href="https://archive.cabforum.org/pipermail/servercert-wg/2024-May/004614.html"
style="text-decoration-line:none" moz-do-not-send="true"><span
style="font-family:Arial,sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">https://archive.cabforum.org/pipermail/servercert-wg/2024-May/004614.html</span></a><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[10]
</span><a
href="https://github.com/cabforum/servercert/pull/517/files#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR1110"
style="text-decoration-line:none" moz-do-not-send="true"><span
style="font-family:Arial,sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">https://github.com/cabforum/servercert/pull/517/files#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR1110</span></a><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[11]
</span><a
href="https://lists.princeton.edu/cgi-bin/wa?A0=OPEN-MPIC"
style="text-decoration-line:none" moz-do-not-send="true"><span
style="font-family:Arial,sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">https://lists.princeton.edu/cgi-bin/wa?A0=OPEN-MPIC</span></a><span
style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> </span></p>
</span><br class="gmail-Apple-interchange-newline">
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, Jun 4, 2024 at 3:47 AM
Roman Fischer via Servercert-wg <<a
href="mailto:servercert-wg@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div class="msg-5169377640873654436">
<div style="overflow-wrap: break-word;" lang="DE">
<div class="m_-5169377640873654436WordSection1">
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif">Dear all,</span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif"> </span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif" lang="EN-US">I was
informed by direct mail about the following which I
find very interesting and wanted to share here:</span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif" lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">Princeton
researchers are working on an open source
implementation of MPIC and are looking for
collaborators: </span><a
href="https://freedom-to-tinker.com/2024/02/13/announcing-the-open-multi-perspective-issuance-corroboration-project/"
moz-do-not-send="true"><span lang="EN-US">https://freedom-to-tinker.com/2024/02/13/announcing-the-open-multi-perspective-issuance-corroboration-project/</span></a><span
lang="EN-US">. The first version of the API
specification is on </span><a
href="https://github.com/open-mpic/open-mpic-specification/tree/main"
moz-do-not-send="true"><span lang="EN-US">github</span></a><span
lang="EN-US">.</span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif" lang="EN-US"> </span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif" lang="EN-US">As
these developments seem to be in an early stage,
wouldn’t it make sense to postpone this ballot until
at least a first draft of this open source
implementation is available? I don’t think it makes
sense that each CA invents their own protocols and
possibly makes avoidable mistakes coding /
implementing this non-trivial topic.</span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif" lang="EN-US"> </span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif" lang="EN-US">Kind
regards<br>
Roman</span></p>
<p class="MsoNormal"><span
style="font-size:11pt;font-family:Calibri,sans-serif" lang="EN-US"> </span></p>
<div
style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(225,225,225);padding:3pt 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11pt;font-family:Calibri,sans-serif" lang="EN-US">From:</span></b><span
style="font-size:11pt;font-family:Calibri,sans-serif" lang="EN-US">
Servercert-wg <<a
href="mailto:servercert-wg-bounces@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">servercert-wg-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Chris Clements via
Servercert-wg<br>
<b>Sent:</b> Monday, 20 May 2024 16:30<br>
<b>To:</b> CA/B Forum Server Certificate WG Public
Discussion List <<a
href="mailto:servercert-wg@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>><br>
<b>Subject:</b> [Servercert-wg] Discussion Period
Begins - Ballot SC-067 V3: "Require domain
validation and CAA checks to be performed from
multiple Network Perspectives"</span></p>
</div>
<p class="MsoNormal"> </p>
<div>
<p style="margin:0cm"><b><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">Purpose of
Ballot SC-067 V3</span></b><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">:</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(80,0,80)"> </span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">This Ballot
proposes updates to the
<i>Baseline Requirements for the Issuance and
Management of Publicly-Trusted TLS Server
Certificates</i> (i.e., TLS BRs) related to
“Multi-Perspective Issuance Corroboration”
(“MPIC”).</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(80,0,80)"> </span></p>
<p style="margin:0cm"><b><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">Background</span></b><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">:</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(80,0,80)"> </span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">- MPIC refers
to performing domain validation and CAA checks
from multiple Network Perspectives before
certificate issuance, as described within the
Ballot for the applicable validation methods in
TLS BR Sections 3.2.2.4 and 3.2.2.5.</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">- Not all
methods described in TLS BR Sections 3.2.2.4 and
3.2.2.5 will require using MPIC.</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">- This work was
most recently motivated by research presented at
Face-to-Face 58 [1] by Princeton University, but
has been discussed for years prior as well.</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">- The goal of
this proposal is to make it more difficult for
adversaries to successfully launch
equally-specific prefix attacks against the domain
validation processes described in the TLS BRs.</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">- Additional
background information can be found in an update
shared at Face-to-Face 60 [2].</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(80,0,80)"> </span></p>
<p style="margin:0cm"><b><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">Benefits of
Adoption</span></b><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">:</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(80,0,80)"> </span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">- Recent
publicly-documented attacks have used BGP hijacks
to fool domain control validation and obtain
malicious certificates, which led to the
impersonation of HTTPS websites [3][</span><span
style="font-family:Arial,sans-serif;color:black">4</span><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">].</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">- Routing
security defenses (e.g., RPKI) can mitigate the
risk of global BGP attacks, but localized,
equally-specific BGP attacks still pose a
significant threat to the Web PKI [5][6].</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">- Corroborating
domain control validation checks from multiple
network perspectives (i.e., MPIC) spread across
the Internet substantially reduces the threat
posed by equally-specific BGP attacks, ensuring
the integrity of domain validation and issuance
decisions [5][7][8].</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">- Existing
deployments of MPIC at the scale of millions of
certificates a day demonstrate the feasibility of
this technique at Internet scale [7][9].</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(80,0,80)"> </span></p>
<p style="margin:0cm"><b><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">Intellectual
Property (IP) Disclosure</span></b><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">:</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(80,0,80)"> </span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">- While not a
Server Certificate Working Group Member,
researchers from Princeton University presented at
Face-to-Face 58, provided academic expertise, and
highlighted publicly-available peer-reviewed
research to support Members in drafting this
ballot.</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">- The Princeton
University researchers indicate that they have not
filed for any patents relating to their MPIC work
and do not plan to do so in the future.</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">- Princeton
University has indicated that it is unable to
agree to the CA/Browser Forum IPR agreement
because it could encumber inventions invented by
researchers not involved in the development of
MPIC or with the CA/B Forum.</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">- Princeton
University has instead provided the attached IPR
statement. Pursuant to the IPR statement,
Princeton University has granted a worldwide
royalty free license to the intellectual property
in MPIC developed by the researchers and has made
representations regarding its lack of knowledge of
any other Princeton intellectual property needed
to implement MPIC.</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">- The attached
IPR statement has not changed since disclosed in
Discussion Round 1.</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:black">-
For clarity, Princeton University’s IPR statement
is NOT intended to replace the Forum’s IPR
agreement or allow Princeton to participate in the
Forum in any capacity.</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:black">-
Members seeking legal advice regarding this ballot
should consult their own counsel.</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(80,0,80)"> </span></p>
<p style="margin:0cm"><b><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">Proposal
Revision History</span></b><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">:</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(80,0,80)"> </span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">- Pre-Ballot
Release #1 (work team artifacts and broader
Validation Subcommittee collaboration) [10]</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">- Pre-Ballot
Release #2 [11]</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(80,0,80)"> </span></p>
<p style="margin:0cm"><b><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">Previous
versions of this Ballot</span></b><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">:</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(80,0,80)">-</span><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)"> Ballot Release
#1 [12] (comparing Version 2 to Version 1) [13].
Note, some of the changes represented in the
comparison are updates made by other ballots that
have since passed (e.g., SC-069).</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">- Ballot
Release #2 [14] (comparing Version 3 to Version 2)
[15]. Note, some of the changes represented in the
comparison are updates made by other ballots that
have since passed (e.g., SC-072).</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(80,0,80)"> </span></p>
<p style="margin:0cm"><b><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">References</span></b><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">:</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">[1]
</span><a
href="https://cabforum.org/wp-content/uploads/13-CAB-Forum-face-to-face-multiple-vantage-points.pdf"
moz-do-not-send="true"><span
style="font-family:Arial,sans-serif">https://cabforum.org/wp-content/uploads/13-CAB-Forum-face-to-face-multiple-vantage-points.pdf</span></a></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">[2]
</span><a
href="https://drive.google.com/file/d/1LTwtAwHXcSaPVSsqKQztNJrV2ozHJ7ZL/view?usp=drive_link"
moz-do-not-send="true"><span
style="font-family:Arial,sans-serif">https://drive.google.com/file/d/1LTwtAwHXcSaPVSsqKQztNJrV2ozHJ7ZL/view?usp=drive_link</span></a><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)"> </span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">[3]
</span><a
href="https://medium.com/s2wblog/post-mortem-of-klayswap-incident-through-bgp-hijacking-en-3ed7e33de600"
moz-do-not-send="true"><span
style="font-family:Arial,sans-serif">https://medium.com/s2wblog/post-mortem-of-klayswap-incident-through-bgp-hijacking-en-3ed7e33de600</span></a><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)"> </span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">[4]
</span><a
href="https://www.coinbase.com/blog/celer-bridge-incident-analysis"
moz-do-not-send="true"><span
style="font-family:Arial,sans-serif">https://www.coinbase.com/blog/celer-bridge-incident-analysis</span></a><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)"> </span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">[5]
</span><a
href="https://www.usenix.org/conference/usenixsecurity23/presentation/cimaszewski"
moz-do-not-send="true"><span
style="font-family:Arial,sans-serif">https://www.usenix.org/conference/usenixsecurity23/presentation/cimaszewski</span></a><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)"> </span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">[6]
</span><a
href="https://www.blackhat.com/docs/us-15/materials/us-15-Gavrichenkov-Breaking-HTTPS-With-BGP-Hijacking-wp.pdf"
moz-do-not-send="true"><span
style="font-family:Arial,sans-serif">https://www.blackhat.com/docs/us-15/materials/us-15-Gavrichenkov-Breaking-HTTPS-With-BGP-Hijacking-wp.pdf</span></a><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)"> </span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">[7]
</span><a
href="https://www.usenix.org/conference/usenixsecurity21/presentation/birge-lee"
moz-do-not-send="true"><span
style="font-family:Arial,sans-serif">https://www.usenix.org/conference/usenixsecurity21/presentation/birge-lee</span></a><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)"> </span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">[8]
</span><a
href="https://www.usenix.org/conference/usenixsecurity18/presentation/birge-lee"
moz-do-not-send="true"><span
style="font-family:Arial,sans-serif">https://www.usenix.org/conference/usenixsecurity18/presentation/birge-lee</span></a><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)"> </span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">[9]
</span><a
href="https://security.googleblog.com/2023/05/google-trust-services-acme-api_0503894189.html"
moz-do-not-send="true"><span
style="font-family:Arial,sans-serif">https://security.googleblog.com/2023/05/google-trust-services-acme-api_0503894189.html</span></a><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)"> </span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">[10]
</span><a
href="https://github.com/ryancdickson/staging/pull/6"
moz-do-not-send="true"><span
style="font-family:Arial,sans-serif">https://github.com/ryancdickson/staging/pull/6</span></a><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)"> </span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">[11]
</span><a
href="https://github.com/ryancdickson/staging/pull/8"
moz-do-not-send="true"><span
style="font-family:Arial,sans-serif">https://github.com/ryancdickson/staging/pull/8</span></a><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)"> </span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">[12]
</span><a
href="https://github.com/cabforum/servercert/pull/487"
moz-do-not-send="true"><span
style="font-family:Arial,sans-serif">https://github.com/cabforum/servercert/pull/487</span></a><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)"> </span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">[13]
</span><a
href="https://github.com/cabforum/servercert/compare/6d10abda8980c6eb941987d3fc26e753e62858c0..5224983ef0a6f94c18808ea3469e7a5ae35746e5"
moz-do-not-send="true"><span
style="font-family:Arial,sans-serif">https://github.com/cabforum/servercert/compare/6d10abda8980c6eb941987d3fc26e753e62858c0..5224983ef0a6f94c18808ea3469e7a5ae35746e5</span></a></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">[14]
</span><a
href="https://github.com/cabforum/servercert/pull/507"
moz-do-not-send="true"><span
style="font-family:Arial,sans-serif">https://github.com/cabforum/servercert/pull/507</span></a><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)"> </span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">[15]
</span><a
href="https://github.com/cabforum/servercert/compare/5224983ef0a6f94c18808ea3469e7a5ae35746e5..2dcf1a8fe5fc7b6a864b5767ab1db718bc447463"
moz-do-not-send="true"><span
style="font-family:Arial,sans-serif">https://github.com/cabforum/servercert/compare/5224983ef0a6f94c18808ea3469e7a5ae35746e5..2dcf1a8fe5fc7b6a864b5767ab1db718bc447463</span></a><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)"> </span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(80,0,80)"> </span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(14,16,26)">The following
motion has been proposed by Chris Clements and
Ryan Dickson of Google (Chrome Root Program) and
endorsed by Aaron Gable (ISRG / Let’s Encrypt) and
Wayne Thayer (Fastly). </span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(80,0,80)"> </span></p>
<p style="margin:0cm"><b><span
style="font-family:Arial,sans-serif;color:black">—
Motion Begins —</span></b></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(80,0,80)"> </span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:black">This
ballot modifies the “Baseline Requirements for the
Issuance and Management of Publicly-Trusted TLS
Server Certificates” (“Baseline Requirements”),
based on Version 2.0.4.</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(80,0,80)"> </span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:black">MODIFY
the Baseline Requirements as specified in the
following Redline:</span></p>
<p style="margin:0cm"><a
href="https://github.com/cabforum/servercert/compare/c4a34fe2292022e0a04ba66b5a85df75907ac2a2..2dcf1a8fe5fc7b6a864b5767ab1db718bc447463"
moz-do-not-send="true"><span
style="font-family:Arial,sans-serif">https://github.com/cabforum/servercert/compare/c4a34fe2292022e0a04ba66b5a85df75907ac2a2..2dcf1a8fe5fc7b6a864b5767ab1db718bc447463</span></a><span
style="font-family:Arial,sans-serif;color:black"> </span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(80,0,80)"> </span></p>
<p style="margin:0cm"><b><span
style="font-family:Arial,sans-serif;color:black">—
Motion Ends —</span></b></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(80,0,80)"> </span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:black">This
ballot proposes a Final Maintenance Guideline. The
procedure for approval of this ballot is as
follows:</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(80,0,80)"> </span></p>
<p style="margin:0cm"><b><span
style="font-family:Arial,sans-serif;color:black">Discussion
(at least 11 days)</span></b></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:black">-
Start: 2024-05-20 14:30:00 UTC</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:black">-
End no earlier than: 2024-05-31 14:30:00 UTC</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:rgb(80,0,80)"> </span></p>
<p style="margin:0cm"><b><span
style="font-family:Arial,sans-serif;color:black">Vote
for approval (7 days)</span></b></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:black">-
Start: TBD</span></p>
<p style="margin:0cm"><span
style="font-family:Arial,sans-serif;color:black">-
End: TBD</span></p>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
_______________________________________________<br>
Servercert-wg mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org"
moz-do-not-send="true" class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a><br>
<a
href="https://lists.cabforum.org/mailman/listinfo/servercert-wg"
rel="noreferrer" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><br>
</div>
</blockquote>
</div>
<br>
</blockquote>
<br>
</body>
</html>