[cabfpub] Ballot 190

Gervase Markham gerv at mozilla.org
Fri Apr 28 06:35:11 MST 2017


Hi Jeremy,

On 27/04/17 21:00, Jeremy Rowley via Public wrote:
> Ben let me know that there were questions about Ballot 190. The ballot
> was withdrawn and hasn’t gone to vote yet because of Section 2:

My concerns with ballot 190 are threefold:

1) I think that applicability and sunset dates for sections should be
encoded in the BRs themselves. This has been our previous practice, and
it's not too messy. We often clean them up when revisiting that section;
several recent ballots or ballot proposals have done that.

2) A blanket "all previous validations are OK" seems unacceptable to
Google, and I'd have concerns about it too, because of the flaws in th
website validation method, and the wild west that was 3.2.2.4.11. On the
other hand, a blanket "all previous validations need to be redone" is
unlikely to find support among CAs.

3) It's not totally clear how wildcard validations interact with each
method. It can be worked out, but it could be clearer.

Therefore, my proposal is that you enhance the ballot to add two
additional sections/paragraphs/statements to each of the ten methods:

Firstly, either:

* This method is suitable for wildcard validations of the form
  "*.FQDN", where FQDN is the domain validated.
or
* This method is not suitable for wildcard validations.

After that, you could put a revalidation statement for each method which
could be something like:

* Previous validations done under this section can be reused.
or
* Previous validations done under this section as it appeared in BRs
v.1.X.X or later can be reused.
or
* Previous validations done under this section must be redone for
issuances after <date>.

or whatever the rule turns out to be, as negotiated. I would start by
saying reuse is possible for 3.2.2.4.1-5, and not for 3.2.2.4.6, and see
where we get. The advantage of doing it this way is that when and if we
update a method to improve the validation, we can also edit the
applicable reuse statement at the same time, if necessary, and the scope
is nicely right.

We'd also need something like:

* Previous validations under section 3.2.2.4.11 "Any Other Method" (or
section 3.2.2.4.7 for versions of the BRs before version 1.X.X) which do
not fit the criteria of any other current section must be redone for
issuances after <date soon in the future>.

We should also permanently mark section 3.2.2.4.11 as "Reserved", in the
manner that some sections are now, to avoid confusion in the future.
Additional methods should start at number 12.

>  1. Does the proposed language resolve the previous concern with Ballot 190?
>  2. If not, should section 2 be dropped entirely.
>  3. If section 2 remains, would you vote against the ballot?
>  4. If section 2 was dropped, would you vote for the ballot?
>  5. Is there other language you’d prefer to see included instead? 

5. See above.

Gerv


More information about the Public mailing list