[cabfpub] [EXTERNAL]Re: Ballot 190: Domain Validation
Peter Bowen
pzb at amzn.com
Fri Apr 14 03:13:06 UTC 2017
Kirk,
I think there is confusion here between “validation” and “validation data” as Geoff calls out. As I understand it, some trust anchor list maintainers are fine with CAs reusing the inputs to the validation check as long as they are still valid inputs.
For example, under the pre-169 BRs, the BRs only required “Communicating with the Domain’s administrator using an email address […]”. It might have been acceptable for a CA to send an email saying “Is this address active?” to the approved email addresses and, if they got back “Yes”, use that data to meet 3.2.2.4(4). In the new rules, the CA would need to confirm they sent a specific Random Value to the email address and received the Random Value back in the confirming response. “Yes” is not a Random Value, so the data is not acceptable. However, if a CA was already sending something that qualifies as a Random Value and recording that it came back within the time allotted in 3.2.2.4.4, they could use this information to perform the validation.
Is the problem you are running into that you cannot easily identify which sets of validation data you already have can continue to be used versus which data needs to be moved to archived status?
Thanks,
Peter
> On Apr 13, 2017, at 4:58 PM, Kirk Hall via Public <public at cabforum.org> wrote:
>
> No, Geoff – Section 2 is not designed to say that a CA can still use validation data from before but only to the extent that it complies with the new requirements. It says that the CA can reuse validation data properly collected during the validation process before the effective date of Ballot 190 for the normal period for reuse of validation data. The CA does not have to re-vet Subscribers again until the prior data expires according to the normal rules for re-use of data.
>
> As Gerv said on the call today, it will be a disincentive for CAs ever to vote for incremental change in validation methods if the changes always take effect immediately, and wipe out the CA’s ability to re-use data that was properly collected according to the prior rules and is still in the permitted re-use period. I don’t think anyone intended that result when we came up with Ballot 169 and now Ballot 190.
>
> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Geoff Keating via Public
> Sent: Thursday, April 13, 2017 4:50 PM
> To: CA/Browser Forum Public Discussion List <public at cabforum.org>
> Cc: Geoff Keating <geoffk at apple.com>
> Subject: [EXTERNAL]Re: [cabfpub] Ballot 190: Domain Validation
>
> On Apr 11, 2017, at 1:46 PM, Jeremy Rowley via Public <public at cabforum.org> wrote:
>
> The provisions of Ballot Section 1 will apply only to the validation of domain names occurring after this Ballot 190’s effective date. Validation of domain names that occurs before this Ballot’s effective date and the resulting validation data may continue to be used for the periods specified in BR 4.2.1 and EVGL 11.14.3 so long as the validations were conducted in compliance with the BR Section 3.2.2.4 validation methods in effect at the time of each validation.
>
> I have to say, I find this confusing too. ‘validation data’ to me sounds like not the same thing as ‘validation’—I would think ‘validation data’ is the raw results of the validation (“The user clicked on a link with a code of XXXX which was the same code we sent the user”) and not the conclusion (“so the user controls the domain”).
>
> In any case what I think we would like is that, as of the effective date, you can still use validation data from before but only to the extent that it complies with the new requirements?
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
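The distinction Peter draws above, between a “Yes” reply and a confirming response that echoes a Random Value back within the allotted time, is the kind of check a CA would have to run over its stored validation records to answer his closing question. The following is an added example written for this page; it is not code from any CA, from the thread, or from the CA/Browser Forum. It assumes a record layout (`ValidationRecord`), a 112-bit entropy floor for a Random Value, a placeholder 30-day challenge lifetime standing in for the period in 3.2.2.4.4, and a caller-supplied reuse period standing in for BR 4.2.1; all four are assumptions for illustration, and the sample records are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumptions for this example (not taken from the thread or the BRs' text):
# - each record stores the exact value the CA placed in the outgoing email,
#   the entropy it was generated with, and what came back in the reply and when
# - CHALLENGE_TTL is a placeholder for the period a Random Value stays usable
# - the reuse period of BR 4.2.1 is passed in by the caller (placeholder default)
RANDOM_VALUE_MIN_BITS = 112
CHALLENGE_TTL = timedelta(days=30)
DEFAULT_REUSE_PERIOD = timedelta(days=365)  # placeholder, not the real 4.2.1 value


@dataclass(frozen=True)
class ValidationRecord:
    domain: str
    sent_at: datetime
    sent_value: Optional[str]       # None if the email carried no challenge value
    sent_entropy_bits: int          # 0 when no CSPRNG value was generated
    reply_at: Optional[datetime]
    reply_value: Optional[str]      # the token (or text) in the confirming reply


def meets_random_value_method(rec: ValidationRecord) -> tuple[bool, str]:
    """Does the stored data satisfy the post-169 email method (a Random Value
    sent, the same value returned, and returned before it expired)?"""
    if rec.sent_value is None or rec.sent_entropy_bits < RANDOM_VALUE_MIN_BITS:
        return False, "no Random Value was sent"
    if rec.reply_at is None or rec.reply_value is None:
        return False, "no confirming response recorded"
    if rec.reply_value != rec.sent_value:
        return False, "response does not echo the Random Value"
    if rec.reply_at - rec.sent_at > CHALLENGE_TTL:
        return False, "Random Value expired before the response arrived"
    return True, "Random Value returned in time"


def classify(rec: ValidationRecord, now: datetime,
             reuse_period: timedelta = DEFAULT_REUSE_PERIOD) -> tuple[str, str]:
    """'reusable' if the data meets the new method and is inside the reuse
    period measured from the confirming response; otherwise 'archive'."""
    ok, why = meets_random_value_method(rec)
    if not ok:
        return "archive", why
    if now - rec.reply_at > reuse_period:
        return "archive", "outside the permitted reuse period"
    return "reusable", why


def triage(records: list[ValidationRecord], now: datetime,
           reuse_period: timedelta = DEFAULT_REUSE_PERIOD) -> dict[str, tuple[str, str]]:
    """Map each domain to its (status, reason) so the two sets can be split."""
    return {r.domain: classify(r, now, reuse_period) for r in records}


# Constructed sample records: one legacy "Yes" reply, one good echo, one late
# echo, and one reply that does not match the value that was sent.
T0 = datetime(2017, 1, 10, tzinfo=timezone.utc)
RV_GOOD = "7f3a9c1e5b2d4a6f8e0c1b3d5f7a9c2e"   # 32 hex chars, constructed
RV_LATE = "0b1c2d3e4f5a69788796a5b4c3d2e1f0"   # constructed
RV_MISS = "a1b2c3d4e5f60718293a4b5c6d7e8f90"   # constructed
SAMPLE_RECORDS = [
    ValidationRecord("example.com", T0, None, 0, T0 + timedelta(days=1), "Yes"),
    ValidationRecord("example.net", T0, RV_GOOD, 128, T0 + timedelta(days=2), RV_GOOD),
    ValidationRecord("example.org", T0, RV_LATE, 128, T0 + timedelta(days=45), RV_LATE),
    ValidationRecord("example.edu", T0, RV_MISS, 128, T0 + timedelta(days=3), "ok"),
]

if __name__ == "__main__":
    for domain, (status, reason) in triage(SAMPLE_RECORDS,
                                           datetime(2017, 4, 14, tzinfo=timezone.utc)).items():
        print(f"{domain:12} {status:8} {reason}")
```

The reuse period is measured from the confirming response rather than from when the challenge was sent, and a record that would otherwise qualify still goes to “archive” once that period runs out, so the two questions in Peter’s message (does the data meet the new method, and is it still inside the reuse window) are answered separately and the reason is kept for the audit trail.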