[cabfpub] [EXTERNAL]Re: Ballot 190: Domain Validation

Kirk Hall Kirk.Hall at entrustdatacard.com
Thu Apr 13 20:45:31 UTC 2017

Your analysis below is not correct.   The “law” in the CA/Browser Forum is what is approved by the members in a Ballot (all of it – in Ballot 190, that includes both Section 1 and Section 2 – both sections have equal validity and applicability because both were adopted by the members at the same time.)

In contrast, the BRs are just a compilation of those portions of prior adopted Ballots that have long-term applicability to members.  It’s a mistake to junk up the BRs with lots of effective dates and transition rule that will expire, and it’s unnecessary.  Again, the adopted ballots of the Forum are the “law” – all sections of the ballots equally – and not the BR compilations themselves.  I think Google’s Legal Department will agree.

See the following concerning codification of US laws: https://en.wikipedia.org/wiki/United_States_Statutes_at_Large

*** Codification

Today, large portions of slip laws [for the Forum, our Ballots once they have been approved by the members] denominated as public laws are now drafted as amendments to the United States Code [for the Forum, the BRs and EVGL]. Once enacted into law, an Act will be published in the Statutes at Large [for the Forum, an updated version of the BRs or EVGL will be published] and will add to, modify, or delete some part of the United States Code [the BRs or EVGL]. Provisions of a public law [Ballot] that contains only enacting clauses, effective dates, and similar matters are not generally codified [i.e., those portions of a Forum Ballot such as Ballot 190, Section 2, would not be included in the BRs, but would still be valid and controlling]. ***

We could put ballot transition rules in BRs themselves (for Ballot 190, move from Section 2 to Section 1 and make part of BR, but I would rather not – then the transition rules are no longer relevant (because they are time-based and will expire), they have to be pulled out again by a later ballot – not useful.  The transition rules will exist in Section 2 of the adopted Ballot 190 itself, and that is sufficient.

Another option is to add transition rules like Ballot 190, Section 2 to the BRs as “Notes” to BR that are not part of BR, and that can later be removed by the BRs compiler without a further ballot once the transition rules are no longer relevant (because all validation data from before the effective date of Ballot 190 will have expired).  That’s what some legislatures do, and I wouldn’t object to that.

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi via Public
Sent: Thursday, April 13, 2017 10:02 AM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Ryan Sleevi <sleevi at google.com>
Subject: [EXTERNAL]Re: [cabfpub] Ballot 190: Domain Validation

On Tue, Apr 11, 2017 at 4:46 PM, Jeremy Rowley via Public <public at cabforum.org<mailto:public at cabforum.org>> wrote:

Ballot Section 2
This provisions of Ballot Section 1 will apply only to the validation of domain names occurring after this Ballot 190’s effective date.  Validation of domain names that occurs before this Ballot’s effective date and the resulting validation data may continue to be used for the periods specified in BR 4.2.1 and EVGL 11.14.3 so long as the validations were conducted in compliance with the BR Section validation methods in effect at the time of each validation.

As mentioned on today's call, this clause is not compatible with / creates a conflict with the Baseline Requirements.

Section 4.2.1 governs the reuse of previously obtained documents or data, but Section 3.2 explicitly requires that CAs validate and verify every certificate during issuance.

The clear intent from Section 2, as worded, is to extend this to allow CAs to not even verify the domains at the time of issuance. While understandable as to the goal, it's highly undesirable.

If you want to accomplish this, however, you would need to update Section 4.2.1 to specify how that process works. Otherwise, Section 4.2.1 will govern, and Section 2 of this ballot will have no effect due to its ambiguity and lack of modification to the document.

I want to echo a strong opposition towards allowing the reuse of data or documents obtained under previous versions of the Baseline Requirements, much as in the discussion of Ballot 194. We are aware of multiple CAs who have relied on insecure methods here, and the idea that this information would be appropriate to continue issuing certificates for the next three years is an unacceptable security risk. We raised this issue to the Forum nearly three years ago at this point, and continuing for three more years is not good.

I encourage CAs to thoughtfully examine and articulate why they believe a phase-in is needed, on a per-section basis, so as to help better understand the impact relative to the security risk being introduced, and would encourage the ballot authors and co-sponsors to update Section 2 to actually update the Baseline Requirements, if that is the goal.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170413/b3b41719/attachment-0003.html>

More information about the Public mailing list