[cabfpub] [EXTERNAL]Re: Ballot 182/190 revision

Kirk Hall Kirk.Hall at entrustdatacard.com
Tue Jul 18 11:51:06 MST 2017


Peter, let me just comment on the 4.2.1 language.  The new language was added in Ballot 190 to create a permanent rule applicable in the future, not just as a stop-gap for the Ballot 169 / 180-82 situation.  Meaning, if any validation method is incrementally improved by a future ballot, it will be clear that CAs don't have to revalidate domains/stop using prior validations for that method unless such a requirement is clearly stated in a ballot.  The 4.2.1 language was also intended to be a general rule that addressed comments that existing 4.2.1 only covers data reuse, and not reuse of prior validations themselves, etc.  So I think we want to keep that.

I will look more closely at your Method 11 language, but my first reaction is we all want to see the backside of Method 11, and I think all Method 11 questions will likely be adequately covered by the changes that were made to BR 4.2.1.  While I know some members don't like this resolution of the issue, I think the final consensus on prior validations done under old Method 7 / new Method 11 (up to the time Ballot 190 finally is adopted and becomes effective) is, we will simply live with those prior validations.  While some members don't agree with that, no one has shown any significant (or even any minor) misissuance in the past using the "any other method" validation rules, so the easiest thing is to ignore those prior validations and just move to an incrementally better system where any other method is no longer used for new validations.

Give me some time to look again at the definitions in Ballot 202, and also look at them in the context of Ballot 190, and I'll get back to you as soon as I can.

-----Original Message-----
From: Peter Bowen [mailto:pzb at amzn.com] 
Sent: Monday, July 17, 2017 7:11 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: [EXTERNAL]Re: [cabfpub] Ballot 182/190 revision

Kirk,

To start, I applied the changes from Ballot 190 v6 (7-6-2017) on top of BR 1.4.9 with Ballot 202 changes integrated. I then tried to address several items that had been raised, including things discussed during the validation working group call.

You are correct that I dropped the modifications to 4.2.1, instead creating a new method 11 that covers existing validations.  It is not “any other method”, but is specifically all the methods that were pre-ballot 169 methods except “any other”.  In drafting it, tried to use the existing language and dates — notably March 1, 2017 is taken directly from section 1.2.2 “Relevant Dates” of the current BRs.  This section says "2017‐03‐01: CAs	MUST	follow	revised	validation	requirements	in	section	3.2.2.4.”  It is very possible I misunderstood the discussion, but it was my impression that you and others want to use validations allowed by the BRs in force at the time of the validation.  According to the changes table the March 2017 date was added to the BRs on August 5, 2016 so this date had plenty of notice.

I also attempted to address your concern about older validations not using the “.well-known” path for website authentication by explicitly referencing the old validation methods which did not specify a path.  The list of methods I included is every method that is not “any other”, which is also the exact same list as what is allowed in the EV Guidelines.  My proposed text also explicitly calls out both Authorization Domain Name and Base Domain Name to give full flexibility to CAs and avoid any question about wildcard names.

I can build a redline of v6 versus my revision if you would find it helpful to compare the two.

Thanks,
Peter

> On Jul 17, 2017, at 5:27 PM, Kirk Hall via Public <public at cabforum.org> wrote:
> 
> Peter, I just started going through your draft, and it appears you did not work from the Ballot 190 draft v6 proposed by Entrust, Buypass, and GlobalSign, but started a new ballot from scratch.  Is that correct?
> 
> For example, Ballot 190 as we proposed it included edits to BR 4.2.1 on data and prior validation reuse to respond to questions in the Forum and clarify the rules - but these changes are not included in your attached draft - was this inadvertent?
> 
> When we pulled Ballot 190 v6 from the discussion period, it was to give you time to work on the critical definitions such as Authorized Domain Name so we could eliminate the Notes at the end of each validation method.  We certainly did not expect you to completely rewrite the whole ballot, and many things you have suggested won't be acceptable to the proposer and endorsers.  For example, you have left in Method 11 "any other method" but with a number of new limitations (including a limitation date for use of the method of March 1, 2017, before anyone knew such a limitation would be imposed - in general, after the fact restrictions are not fair and not a good idea) - we have already discussed this issue extensively, including on the last teleconference call where Mozilla stated its policy of allowing previous validation data and validations to be reused, so this Method 11 proposal is just not acceptable.
> 
> At this point, your proposed rewrite of Ballot 190 isn't going to work, but we will review to see if there are some suggestions in the ballot that we can include in a new Ballot 190 v7.  Also, once we complete an update of the critical definitions (perhaps in Ballot 202, perhaps moved back to Ballot 190), we can try to finish up Ballot 190 and get it to a vote.
> 
> -----Original Message-----
> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Peter Bowen via Public
> Sent: Thursday, July 13, 2017 4:29 PM
> To: CA/Browser Forum Public Discussion List <public at cabforum.org>
> Subject: [EXTERNAL][cabfpub] Ballot 182/190 revision
> 
> As Kirk mentioned in a prior email, I’ve been working on updates to draft Ballot 190 which itself is a revision to Ballot 182.  Attached is my attempt at a revision.  
> 
> The base document includes changes from Ballots 204 (passed) and 202 (not yet passed).  With that base, the only two sections this modifies are definitions (1.6.1) and 3.2.2.4.
> 
> I believe that this addresses the many of the concerns previously raised, but I know there are some unresolved open issues that the Validation Working Group has identified.
> 
> Thanks,
> Peter
> 
> 
> 
> <CA-Browser Forum BR 1.4.10 draft with 182bis.docx>_______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public



More information about the Public mailing list