[cabfpub] Restarting discussion period for Ballot 190 v4 dated June 30, 2017

Kirk Hall Kirk.Hall at entrustdatacard.com
Thu Jul 6 11:48:11 MST 2017


Doug – in response to your message below, here are my thoughts:

1) Your suggested change makes sense to me, but we are trying to wrap up Ballot 190.  So let’s put that on the list for immediate edits to BR 3.2.2.4 once Ballot 190 passes.

2) On the “Note” issue, I just posted v5 of Ballot 190 using Gerv’s proposed Note language on this point.  As I indicated in my message, the Validation Working Group should immediately start working on further edits to Ballot 190 once it passes, and your suggestions are good.  Until the edits are decided, I think we all know what is intended by Gerv’s Note language (it seems clear to me), and we will have clearly established in the BRs the ability to issue for FQDNs with more nodes to the left of a validated FQDN (except for Method 8) – some CAs are not certain that procedure is clearly indicated today, even though it is the common practice among CAs.

3) On your Point 3) below – yes, your interpretation of the intent and meaning of Ballot 190 (as pasted in below) are correct, and this is part of the “legislative record” for Ballot 190 in the event any questions arise later.

“The intent is that for all Validated FQDNs the CA validated within the past 39 months (or 825 days starting March 2018), the CA may reuse these Validated FQDNs to approve orders for subdomains, as long as the validations were done in compliance with the BRs at that time (which includes “any other method”).  If a CA did file based validation using a location other than the currently specified “.well-known/pki-validation” directory 38 months ago, the CA WOULD be permitted to reuse that for issuance of new certificates today.  I’m hoping we all interpret this ballot to allow this.”

From: Doug Beattie [mailto:doug.beattie at globalsign.com]
Sent: Wednesday, July 5, 2017 12:31 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: [EXTERNAL]RE: [cabfpub] Restarting discussion period for Ballot 190 v4 dated June 30, 2017

Kirk,

Three things I wanted to comment on.

1) The second paragraph in 3.2.2.4 the statement “as of the date the Certificate issues” doesn’t make sense.  Should this be “as of the date the Certificate is issued”?

-          The CA SHALL confirm that, as of the date the Certificate issues, either the CA or a Delegated Third Party has validated each Fully-Qualified Domain Name (FQDN) listed in the Certificate using at least one of the methods listed below.

2) The proposed “note” is still a bit vague, overly restrictive and prone to misinterpretation because we use the term FQDN 3 times in different contexts: “Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN and have more labels than it.”

Point 1: We should be able to reuse the Validated FQDN to approve FQDNs that have the same or more labels (not just more). So, I would edit the above “..validated FQDN and have the same or more labels than it the requested FQDN.

Point 2: We should define the term “Validated FQDN”.  If we did that, then the proposed “note” would be more clear.

Point 3: We should be clear that reuse of domain validation must be only allowed if it’s the same (authenticated) Applicant requesting subsequent validation of FQDNs.  As it’s currently stated, it seems like the CA can go ahead and issue certificates to anyone with any subdomain under a Validated FQDN.  When ordering through resellers this becomes increasingly difficult and we need to be sure that the CA is authenticating the applicant each time if they want to reuse this vetting data.

I propose this:

-          Note: Once the FQDN has been validated using this method, the CA MAY issue Certificates for FQDNs that end with all the labels of the Validated FQDN and have the same or more labels than the Validated FQDN for the same Applicant.

-          Validated FQDN: The FQDN validated by the CA.  The requested FQDN is generally equal to, or a subdomain of the Validated FQDN.

3) What we’re striving for is to re-use vetting documents collected during one validation for subsequent validations.  If the FQDN is foo.wibble-fish.com and we validate wibble-fish.com (the Validated FQDN), we’d like to be able to use this to validate www.wibble-fish.com.  I think we agree on this, but wanted to state it explicitly.

The intent is that for all Validated FQDNs the CA validated within the past 39 months (or 825 days starting March 2018), the CA may reuse these Validated FQDNs to approve orders for subdomains, as long as the validations were done in compliance with the BRs at that time (which includes “any other method”).  If a CA did file based validation using a location other than the currently specified “.well-known/pki-validation” directory 38 months ago, the CA WOULD be permitted to reuse that for issuance of new certificates today.  I’m hoping we all interpret this ballot to allow this.

Doug


From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Kirk Hall via Public
Sent: Saturday, July 1, 2017 1:29 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: [cabfpub] Restarting discussion period for Ballot 190 v4 dated June 30, 2017


Gerv has made a good suggestion for changing Ballot 190 still further (see below).  It's a holiday weekend in the US and Canada, so I don't think we will get much of a dialogue going.



Gerv, I think your modification makes sense, but I'd like to let others comment if they see a problem or have an alternative suggestion for wording.



Right now, the discussion period for Ballot 190 ends on Sunday, July 2 (tomorrow) at 23:00 UTC.  With regret, we are withdrawing Ballot 190 and terminating the current discussion period now, and simultaneously reintroducing Ballot 190 and restarting the discussion period now so we can work out this wording next week.  Also, I want to correct my spelling of one endorser’s name – it’s Mads Henriksveen of Buypass (I misspelled it before – sorry, Mads).



Accordingly, Ballot 190 v4 is reintroduced with the following new Discussion Period and Voting Period.



Discussion Period: July 1, 2017 at 18:00 UTC through July 8, 2017 at 18:00 UTC

Voting Period: July 8, 2017 at 18:00 UTC through July 15, 2017 at 18:00 UTC.



We would like input from members over the next week.  Should we change the following language in v4 of the Ballot to Gerv’s proposed language (which would be included in a new v5)?



Current v4 language:



Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that have more labels than the validated FQDN and end in the validated FQDN.



Gerv’s proposed language:



Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN and have more labels than it.



Comments?



-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org]
Sent: Friday, June 30, 2017 5:54 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: [EXTERNAL]Re: [cabfpub] Updated Ballot 190 v4 dated June 30, 2017



On 30/06/17 17:19, Kirk Hall via Public wrote:
> “_Note_: Once the FQDN has been validated using this method, the CA
> MAY also issue Certificates for other FQDNs that have more labels than
> the validated FQDN and end in the validated FQDN.”



If we are going to be pedantic, foo.wibble-fish.com has more labels than fish.com and still "ends in" the validated FQDN in the same sense that was objected to.



It would be much better to phrase this entirely in terms of labels.

Here's my first stab:



_Note_: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN and have more labels than it.



Gerv
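The label-matching rule the thread is arguing over, worked through in code as an added example (this is not code from the thread, from any of the CAs involved, or from the Baseline Requirements). It contrasts the literal reading of the v4 "ends in" wording with Gerv's "ends with all the labels" wording, and folds in Doug's two other points: the "same or more labels" variant and binding reuse to the same authenticated Applicant within the reuse window. The function names, the `ValidationRecord` shape, the applicant identifiers and the dates are assumptions constructed for the example; the 825-day figure is the one quoted in the thread.

```python
# Added example: label-based check for reusing a validated FQDN, as discussed
# in this thread. Not code from the thread or from the CA/Browser Forum BRs.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


def labels(fqdn: str) -> list:
    """Split an FQDN into DNS labels (lower-cased, trailing dot removed)."""
    return fqdn.rstrip(".").lower().split(".")


def naive_ends_in(requested: str, validated: str) -> bool:
    """The v4 wording read literally: a string-suffix test plus a label count.

    This is the reading Gerv objected to: 'foo.wibble-fish.com' has more
    labels than 'fish.com' and ends in the string 'fish.com', yet it is not
    under 'fish.com' at all.
    """
    return (requested.lower().endswith(validated.lower())
            and len(labels(requested)) > len(labels(validated)))


def covered_by_validation(requested: str, validated: str,
                          allow_equal: bool = False) -> bool:
    """Gerv's wording: the requested name must end with ALL the labels of the
    validated FQDN and have more labels than it. allow_equal=True gives Doug's
    'same or more labels' variant (the validated name itself is covered too).
    """
    req, val = labels(requested), labels(validated)
    if len(req) < len(val):
        return False
    if len(req) == len(val) and not allow_equal:
        return False
    # Compare whole labels, never characters: the last len(val) labels of the
    # requested name must equal the validated name's labels exactly.
    return req[-len(val):] == val


@dataclass(frozen=True)
class ValidationRecord:
    """Constructed record of a past domain validation (hypothetical shape)."""
    validated_fqdn: str
    applicant: str       # the authenticated Applicant the validation was done for
    validated_on: date


def may_reuse(record: ValidationRecord, requested: str, applicant: str,
              today: date, max_age_days: int = 825) -> bool:
    """Reuse decision combining the points raised in the thread: label match
    (same or more labels), same Applicant (Doug's Point 3), and an age limit
    (825 days is the figure quoted for March 2018 onward)."""
    if applicant != record.applicant:
        return False
    if (today - record.validated_on).days > max_age_days:
        return False
    return covered_by_validation(requested, record.validated_fqdn, allow_equal=True)


def demo_reuse_decisions(today: date = date(2017, 7, 6)) -> dict:
    """Worked decisions on constructed records, keyed by scenario name."""
    fresh = ValidationRecord("wibble-fish.com", "applicant-A", date(2016, 1, 15))
    stale = ValidationRecord("wibble-fish.com", "applicant-A", date(2014, 4, 1))
    fish = ValidationRecord("fish.com", "applicant-A", date(2016, 1, 15))
    return {
        "same_applicant_subdomain": may_reuse(fresh, "www.wibble-fish.com", "applicant-A", today),
        "same_applicant_exact": may_reuse(fresh, "wibble-fish.com", "applicant-A", today),
        "other_applicant": may_reuse(fresh, "www.wibble-fish.com", "applicant-B", today),
        "expired": may_reuse(stale, "www.wibble-fish.com", "applicant-A", today),
        "parent_not_covered": may_reuse(fresh, "com", "applicant-A", today),
        "suffix_trap": may_reuse(fish, "foo.wibble-fish.com", "applicant-A", today),
    }


if __name__ == "__main__":
    # Constructed sample names taken from the thread's own examples.
    print(naive_ends_in("foo.wibble-fish.com", "fish.com"))                # True (the bug)
    print(covered_by_validation("foo.wibble-fish.com", "fish.com"))        # False
    print(covered_by_validation("www.wibble-fish.com", "wibble-fish.com")) # True
    for name, decision in demo_reuse_decisions().items():
        print(f"{name}: {decision}")
```

The point of doing the comparison on label lists rather than on strings is exactly Gerv's: a character-level suffix test treats `foo.wibble-fish.com` as "ending in" `fish.com`, which would let a validation for one registrant's domain cover an unrelated registrant's name. Normalising case and the trailing dot before splitting avoids a second class of near-misses. Wildcard names are not handled here, since the thread does not discuss them.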