[cabfpub] Ballot 190

Kirk Hall Kirk.Hall at entrustdatacard.com
Thu Apr 27 20:53:45 UTC 2017


Jeremy - to put the BR 3.2.2.4 amendment in context, it goes just before 3.2.2.4.1, and there is already another “Note:” there.  So it would look like below.  Also, I modified my prior language to make it clearer by adding “made by Ballot 190” to the first sentence.

3.2.2.4. Validation of Domain Authorization or Control

This section defines the permitted processes and procedures for validating the Applicant's ownership or control of the domain.

The CA SHALL confirm that, as of the date the Certificate issues, either the CA or a Delegated Third Party has validated each Fully‐Qualified Domain Name (FQDN) listed in the Certificate using at least one of the methods listed below.

Completed confirmations of Applicant authority may be valid for the issuance of multiple certificates over time. In all cases, the confirmation must have been initiated within the time period specified in the relevant requirement (such as Section 3.3.1 of this document) prior to certificate issuance. For purposes of domain validation, the term Applicant includes the Applicant's Parent Company, Subsidiary Company, or Affiliate.

Note: FQDNs may be listed in Subscriber Certificates using dNSNames in the subjectAltName extension or in Subordinate CA Certificates via dNSNames in permittedSubtrees within the Name Constraints extension.

[NEW] Note: The changes to BR 3.2.2.4.1 through 3.2.2.4.10 made by Ballot 190 will apply only to the validation of domain names occurring on or after [insert Ballot 190’s effective date if it passes and completes its Review Period].  Validation of domain names that occurs before [insert Ballot 190’s effective date if it passes and completes its Review Period] and the resulting validation data may continue to be used for the periods specified in BR 4.2.1 and EVGL 11.14.3 so long as the validations were conducted in compliance with the BR Section 3.2.2.4 validation methods in effect at the time of each validation.

3.2.2.4.1 Validating the Applicant as a Domain Contact.

Confirming the Applicant's control ***

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley via Public
Sent: Thursday, April 27, 2017 1:01 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Jeremy Rowley <jeremy.rowley at digicert.com>
Subject: [EXTERNAL][cabfpub] Ballot 190

Ben let me know that there were questions about Ballot 190. The ballot was withdrawn and hasn’t gone to vote yet because of Section 2:

“This provisions of Ballot Section 1 will apply only to the validation of domain names occurring after this Ballot 190’s effective date.  Validation of domain names that occurs before this Ballot’s effective date and the resulting validation data may continue to be used for the periods specified in BR 4.2.1 and EVGL 11.14.3 so long as the validations were conducted in compliance with the BR Section 3.2.2.4 validation methods in effect at the time of each validation.”

I couldn’t tell if the objection to this section was the section not being part of the Baseline Requirements or a general concern that CAs may have issued certificates using the “any other method” that will remain valid for potentially four years (for a re-issue that relies on a previous validation).

Assuming the first issue is the primary concern, the following language was proposed in the validation working group for inclusion in the BRs:
“Note: The changes to BR 3.2.2.4.1 through 3.2.2.4.10 will apply only to the validation of domain names occurring on or after [insert Ballot 190’s effective date if it passes and completes its Review Period].  Validation of domain names that occurs before [insert Ballot 190’s effective date if it passes and completes its Review Period] and the resulting validation data may continue to be used for the periods specified in BR 4.2.1 and EVGL 11.14.3 so long as the validations were conducted in compliance with the BR Section 3.2.2.4 validation methods in effect at the time of each validation.”

Rather than go through multiple iterations and have this ballot potentially fail, can we do a quick straw poll?


  1.  Does the proposed language resolve the previous concern with Ballot 190?
  2.  If not, should section 2 be dropped entirely?
  3.  If section 2 remains, would you vote against the ballot?
  4.  If section 2 was dropped, would you vote for the ballot?
  5.  Is there other language you’d prefer to see included instead?

Jeremy
