[cabfpub] [EXTERNAL]Re: Ballot 190: Domain Validation
Kirk Hall
Kirk.Hall at entrustdatacard.com
Fri Apr 14 06:06:07 UTC 2017
Peter - I'm always interested in what you have to say. You ask me what I'm not understanding. I guess I will ask you -- what is unclear about the following part of Ballot 190?
Ballot Section 2
The provisions of Ballot Section 1 [adding back six of the 10 domain validation methods that were in Ballot 169] will apply only to the validation of domain names occurring after this Ballot 190’s effective date. Validation of domain names that occurs before this Ballot’s [190] effective date and the resulting validation data may continue to be used for the periods specified in BR 4.2.1 and EVGL 11.14.3 so long as the validations were conducted in compliance with the BR Section 3.2.2.4 validation methods in effect at the time of each validation.
Do you want to reword Section 2 to make it clearer? Go ahead, by all means – we are open to a clearer expression of how Ballot 190 will or will not affect existing validation data that can be reused under the current rules.
Do you want to rewrite Ballot 190 in some other way to make it clear that CAs don’t have to throw away their valid domain authentication data (which they can reuse under BR 4.2.1 now for DV and OV certs for 39 months, eventually to be shortened to 825 days)? Please do, and I will read it very carefully, and may support it.
Right now I think we are spinning our wheels, and delaying the implementation of Ballot 190 for no good reason. We all share the same goal of getting the web encrypted as broadly and as quickly as possible. One way to do that is to make sure that returning CA customers who want another cert for a domain that has already been properly validated can get the new cert as quickly as possible – without the delay of having to re-validate the same domain that was already validated one month or six months ago under current BR 3.2.2.4. But most important of all, let’s move forward with Ballot 190 as written.
Putting roadblocks up (“Because of Ballot 190 you must revet everything, including domains you already vetted three weeks ago”) will actually slow the path to encryption of the web, and for no good reason.
So tell me please – is Section 2 of Ballot 190 unclear to you, and if so, do you have a proposal to improve it?
-----Original Message-----
From: Peter Bowen [mailto:pzb at amzn.com]
Sent: Thursday, April 13, 2017 8:13 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Subject: Re: [cabfpub] [EXTERNAL]Re: Ballot 190: Domain Validation
Kirk,
I think there is confusion here between “validation” and “validation data” as Geoff calls out. As I understand it, some trust anchor list maintainers are fine with CAs reusing the inputs to the validation check as long as they are still valid inputs.
For example, under the pre-169 BRs, the BRs only required “Communicating with the Domain’s administrator using an email address […]”. It might have been acceptable for a CA to send an email saying “Is this address active?” to the approved email addresses and if they got back “Yes” use that data to meet 3.2.2.4(4). In the new rules, the CA would need to confirm they sent a specific Random Value to the email address and received the Random Value back in the confirming response. “Yes” is not a Random Value, so the data is not acceptable. However if a CA was already sending something that qualifies as a Random Value and recording that it came back within the time allotted in 3.2.2.4.4, they could use this information to perform the validation.
Is the problem you are running into that you cannot easily identify which sets of validation data you already have can continue to be used versus which data needs to be moved to archived status?
Thanks,
Peter
> On Apr 13, 2017, at 4:58 PM, Kirk Hall via Public <public at cabforum.org<mailto:public at cabforum.org>> wrote:
>
> No, Geoff – Section 2 is not designed to say that a CA can still use validation data from before but only to the extent that it complies with the new requirements. It says that the CA can reuse validation data properly collected during the validation process before the effective date of Ballot 190 for the normal period for reuse of validation data. The CA does not have to revet Subscribers again until the prior data expires according to the normal rules for re-use of data.
>
> As Gerv said on the call today, it will be a disincentive for CAs ever to vote for incremental change in validation methods if the changes always take effect immediately, and wipe out the CA’s ability to re-use data that was properly collected according to the prior rules and is still in the permitted re-use period. I don’t think anyone intended that result when we came up with Ballot 169 and now Ballot 190.
>
> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Geoff Keating via Public
> Sent: Thursday, April 13, 2017 4:50 PM
> To: CA/Browser Forum Public Discussion List <public at cabforum.org<mailto:public at cabforum.org>>
> Cc: Geoff Keating <geoffk at apple.com<mailto:geoffk at apple.com>>
> Subject: [EXTERNAL]Re: [cabfpub] Ballot 190: Domain Validation
>
> On Apr 11, 2017, at 1:46 PM, Jeremy Rowley via Public <public at cabforum.org<mailto:public at cabforum.org>> wrote:
>
> The provisions of Ballot Section 1 will apply only to the validation of domain names occurring after this Ballot 190’s effective date. Validation of domain names that occurs before this Ballot’s effective date and the resulting validation data may continue to be used for the periods specified in BR 4.2.1 and EVGL 11.14.3 so long as the validations were conducted in compliance with the BR Section 3.2.2.4 validation methods in effect at the time of each validation.
>
> I have to say, I find this confusing too. ‘validation data’ to me sounds like not the same thing as ‘validation’—I would think ‘validation data’ is the raw results of the validation (“The user clicked on a link with a code of XXXX which was the same code we sent the user”) and not the conclusion (“so the user controls the domain”).
>
> In any case what I think we would like is that, as of the effective date, you can still use validation data from before but only to the extent that it complies with the new requirements?
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org<mailto:Public at cabforum.org>
> https://cabforum.org/mailman/listinfo/public