[cabfpub] Ballot 190: Domain Validation

Ryan Sleevi sleevi at google.com
Thu Apr 13 17:01:34 UTC 2017

On Tue, Apr 11, 2017 at 4:46 PM, Jeremy Rowley via Public <
public at cabforum.org> wrote:

> *Ballot Section 2*
> The provisions of Ballot Section 1 will apply only to the validation of
> domain names occurring after this Ballot 190’s effective date.  Validation
> of domain names that occurs before this Ballot’s effective date and the
> resulting validation data may continue to be used for the periods specified
> in BR 4.2.1 and EVGL 11.14.3 so long as the validations were conducted in
> compliance with the BR Section validation methods in effect at the
> time of each validation.

As mentioned on today's call, this clause is not compatible with / creates
a conflict with the Baseline Requirements.

Section 4.2.1 governs the reuse of previously obtained documents or data,
but Section 3.2 explicitly requires that CAs validate and verify every
certificate during issuance.

The clear intent from Section 2, as worded, is to extend this to allow CAs
to not even verify the domains at the time of issuance. While
understandable as to the goal, it's highly undesirable.

If you want to accomplish this, however, you would need to update Section
4.2.1 to specify how that process works. Otherwise, Section 4.2.1 will
govern, and Section 2 of this ballot will have no effect due to its
ambiguity and lack of modification to the document.

I want to echo a strong opposition towards allowing the reuse of data or
documents obtained under previous versions of the Baseline Requirements,
much as in the discussion of Ballot 194. We are aware of multiple CAs who
have relied on insecure methods here, and the idea that this information
would be appropriate to continue issuing certificates for the next three
years is an unacceptable security risk. We raised this issue to the Forum
nearly three years ago at this point, and continuing for three more years
is not good.

I encourage CAs to thoughtfully examine and articulate why they believe a
phase-in is needed, on a per-section basis, so as to help better understand
the impact relative to the security risk being introduced, and would
encourage the ballot authors and co-sponsors to update Section 2 to
actually update the Baseline Requirements, if that is the goal.