[cabfpub] [EXTERNAL]Re: Ballot 190: Domain Validation

Kirk Hall Kirk.Hall at entrustdatacard.com
Thu Apr 13 23:58:42 UTC 2017

No, Geoff – Section 2 is not designed to say that a CA can still use validation data from before but only to the extent that it complies with the new requirements.  It says that the CA can reuse validation data properly collected during the validation process before the effective date of Ballot 190 for the normal period for reuse of validation data.  The CA does not have to re-vet Subscribers again until the prior data expires according to the normal rules for re-use of data.

As Gerv said on the call today, it will be a disincentive for CAs ever to vote for incremental change in validation methods if the changes always take effect immediately, and wipe out the CA’s ability to re-use data that was properly collected according to the prior rules and is still in the permitted re-use period.  I don’t think anyone intended that result when we came up with Ballot 169 and now Ballot 190.

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Geoff Keating via Public
Sent: Thursday, April 13, 2017 4:50 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Geoff Keating <geoffk at apple.com>
Subject: [EXTERNAL]Re: [cabfpub] Ballot 190: Domain Validation

On Apr 11, 2017, at 1:46 PM, Jeremy Rowley via Public <public at cabforum.org> wrote:

The provisions of Ballot Section 1 will apply only to the validation of domain names occurring after this Ballot 190’s effective date.  Validation of domain names that occurs before this Ballot’s effective date and the resulting validation data may continue to be used for the periods specified in BR 4.2.1 and EVGL 11.14.3 so long as the validations were conducted in compliance with the BR Section validation methods in effect at the time of each validation.

I have to say, I find this confusing too.  ‘validation data’ to me sounds like not the same thing as ‘validation’—I would think ‘validation data’ is the raw results of the validation (“The user clicked on a link with a code of XXXX which was the same code we sent the user”) and not the conclusion (“so the user controls the domain”).

In any case what I think we would like is that, as of the effective date, you can still use validation data from before but only to the extent that it complies with the new requirements?