[cabfpub] [EXTERNAL]Re: Ballot 190: Domain Validation

Ryan Sleevi sleevi at google.com
Fri Apr 14 00:52:42 UTC 2017

On Thu, Apr 13, 2017 at 7:58 PM, Kirk Hall via Public <public at cabforum.org>

> The CA does not have to revet Subscribers again until the prior data
> expires according to the normal rules for re-use of data.


This is a misreading of the BRs. You do need to reverify the information,
using the existing data. This has been stated multiple times. If you're
doing something else, please stop, immediately.

> As Gerv said on the call today, it will be a disincentive for CAs ever to
> vote for incremental change in validation methods if the changes always
> take effect immediately, and wipe out the CA’s ability to re-use data that
> was properly collected according to the prior rules and is still in the
> permitted re-use period.  I don’t think anyone intended that result when we
> came up with Ballot 169 and now Ballot 190.

Yes. We did. Because the existing methods are insecure, have lead to known
issues, and for which absolutely should not be relied upon for another
three years before CAs take meaningful steps to address their insecure

I can understand that you may wish to continue insecure practices. The goal
was to clarify that CAs should have better security, and should do so
promptly, considering we spent two years discussing changes after a year of
reporting the security issue before CAs took that matter seriously. We
proposed a phase in to allow CAs to adopt that (March 1, 2017). At that
time, any information obtained using the old methods that is not
used/acceptable under the new methods MUST be reissued.

The goal was to improve security. Section 2 actively undoes those years of
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170413/046cc84d/attachment-0003.html>

More information about the Public mailing list