[cabfpub] Preballot - Revised Ballot 190

Ryan Sleevi sleevi at google.com
Fri May 19 07:45:36 MST 2017


On Fri, May 19, 2017 at 10:27 AM, Peter Bowen <pzb at amzn.com> wrote:
>
> The contention, from my view, is the definition of “data or document”.  I
> think that all agree that a "utility bill, bank statement, credit card
> statement" provided by the customer in order for address verification is
> clearly a document and falls within the scope of this requirement.  I also
> think all agree that data obtained from Companies House in the UK or the
> Division of Corporations of the State of Delaware about the existence of a
> company is clearly data that falls within the scope of this requirement.
> What is less clear or contentious is data obtained as a result of the
> validation process.  For example, there is contention as to whether the
> data recorded by the CA that states that customer X controls p.com and
> example.aws is within the scope of the requirement.  Additionally there is
> contention as to whether intermediate data is within the scope, such as
> data that shows that a Random Value was emailed to hostmaster at example.com
> on 2017-02-24 at 15:52 UTC and the CA received a confirming response using
> the Random Value on 2017-02-24 at 17:14 UTC.
>

Yes, I agree, this is a summary of the dispute with respect to 4.2.1.


> Additionally I have seen some contention about the meaning of "The Random
> Value SHALL remain valid for use in a confirming response for no more than
> 30 days from its creation" as found in ballot 169.  As one of the authors of
> this language, I intended it to mean that the confirming response must have
> been received within 30 days of creation of the random value, but that the
> response itself could be reused as per 4.2.1.  That is, a CA could send a
> random value to the domain registrant on 2017-03-01 and receive the
> confirming response on 2017-03-05 and then use that to issue a certificate
> for the domain on 2017-12-29.  However I think I’ve heard someone suggest
> that the 30 days is how long you can reuse the confirming response which
> would mean it could not be used to issue on 2017-12-29.  This is probably
> another place where it would be helpful to make super clear the expectation.
>

To rephrase and confirm: As the author of that section, your understanding
was that "The Random Value" constituted data obtained during validation,
whose lifetime was limited to 30 days, rather than the fullness permitted
under 4.2.1. You believed, however, that such usage was not in conflict
with / a disruption to the existing practice under 3.2.2.4, in which the
applicant, having confirmed the Random Value (and thus become a
subscriber), was allowed to have multiple certificates issued using that
previously completed verification, up to the limits permitted by 3.2.2.4.

Or did you mean to suggest that the _first_ certificate issued was issued
on 2017-12-29? If so, I think I would agree - if you do not use the
confirming response by 2017-03-31 (30 days) to issue a certificate, then
you would not be permitted to issue on 2017-12-29.

I do want to stress the flexibility and openness to consider
interpretations so that we harmoniously align, despite the deep concerns
about the security implications and the practices of some CAs, provided
that we find an appropriate route to transparently quantify and assess the
certificates, so that it is possible for relying parties to distinguish
these issues.