[cabfpub] Ballot 190: Domain Validation
pzb at amzn.com
Thu Apr 13 15:10:00 MST 2017
What Ryan is asking for, if I understand it correctly, is that the BRs fully document the requirements when read only with the items they normatively reference. There should be no need to review ballots, mailing list messages, meeting minutes, or other items to interpret the BRs and to determine whether something is in compliance with the BRs.
To handle the proposed section 2, we simply need to amend the BRs to explain what is required of a CA. For example, if I understand the proposal correctly, we might consider the following BR changes:
In section 4.2.1, in the third paragraph, replace “provided” with “described”.
In section 220.127.116.11, replace the last sentence (which currently reads “CAs SHALL NOT include a Domain Name or IP Address in a Subject attribute except as specified in Sections 18.104.22.168 or 22.214.171.124.”) with something like:
“CAs MUST NOT include Domain Name or IP Address in a Subject Attribute unless it has been verified using a procedure covered in section 126.96.36.199 or 188.8.131.52 of the Baseline Requirements that were in effect at the time of verification. Such verification MUST have occurred no more than 39 months prior to certificate issuance if the issuance occurs before 1 March 2018. Such verification MUST have occurred no more than 825 days prior to certificate issuance if the issuance occurs on or after 1 March 2018.”
I think that matches your intent.
> On Apr 13, 2017, at 2:56 PM, Kirk Hall via Public <public at cabforum.org> wrote:
> While I still disagree with your personal interpretation – why can’t we do things the way other deliberative bodies do? – as I said before, I have no problem including “Notes” at the end of provisions that are not part of the BRs, but which inform readers of what the transition rules for a particular ballot are. The notes can then be dropped once they are no longer relevant.
> So we can include Section 2 of Ballot 190 as a “Note” after BR 184.108.40.206, which is the section affected by the transition rule, then remove it once the transition period is over – everyone will see that in the compiled version of the updated BRs. Sounds like a solution we can all live with.
> From: Ryan Sleevi [mailto:sleevi at google.com]
> Sent: Thursday, April 13, 2017 2:36 PM
> To: Kirk Hall <Kirk.Hall at entrustdatacard.com>
> Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>
> Subject: [EXTERNAL]Re: [cabfpub] Ballot 190: Domain Validation
> On Thu, Apr 13, 2017 at 5:07 PM, Kirk Hall <Kirk.Hall at entrustdatacard.com> wrote:
> Can you explain what part of Ballot 190 (shown below) is not clear to you? Do you have edits you would suggest that would “fix” the problem you see?
> From my earlier message, as it looks like you may have missed it:
> "If you want to accomplish this, however, you would need to update Section 4.2.1 to specify how that process works. Otherwise, Section 4.2.1 will govern, and Section 2 of this ballot will have no effect due to its ambiguity and lack of modification to the document."
> We have a section in the document that governs this. It's Section 4.2.1.
> We have a section in the document that calls out effective dates. It's Section 1.2.1 and 1.2.2.
> We have a defined process in our bylaws to modify those sections. Let's follow it, and not invent new procedures ad hoc.