[cabfpub] Definition of Random Value on draft ballot re new domain validation methods
sleevi at google.com
Tue May 5 17:30:05 UTC 2015
On May 5, 2015 9:44 AM, "kirk_hall at trendmicro.com" <kirk_hall at trendmicro.com>
> Here's a more fundamental question -- why do we need to introduce the
> concept of a "Random Value" for use in practical demonstrations? It's not
> a requirement today. Here's what current 11.1.1 (6) requires today:
While I should hope it was obvious, it is because today's method is not
sufficiently or practically secure, nor objectively evaluatable as such.
Having reviewed several CAs' practices in this area, it is clear security
is not at the forefront of implementers' minds, not even their area of
experience or expertise, and that is unacceptable for organizations tasked
with operating in the public trust for the core of online security.
That's why we are refining all of these methods. To have clear and
objective security controls in place that meet a minimum bar for security.