[cabfpub] Ballot 190

Gervase Markham gerv at mozilla.org
Mon May 1 12:41:19 UTC 2017


On 28/04/17 17:06, Kirk Hall via Public wrote:
> Can you share with us the facts, data, evidence, etc. that leads you to
> believe that the domain validations previously done under old method 6
> pose a significant security threat to users?

Well, there was this:
https://groups.google.com/d/msg/mozilla.dev.security.policy/Htujoyq-pO8/uRBcS2TmBQAJ

The problems GoDaddy encountered with their implementation of the method
were among those identified and avoided in the official version.

> 2. On the idea of marker of some sort in new certs indicating whether or
> not a newly-issued cert had been validated (or revalidated) in
> accordance with the methods in Ballot 190 – how do you see users
> actually using this information?

Forgive me; I've not noticed anyone suggest this. Who did?

> What would happen if we later make a further change to the validation
> methods (I think Gerv gave the hypothetical that we might change new
> method 6 to say subfile instead of file, etc.).  Would all method 6
> domains immediately have to be revetted to match the new requirement? 

At least if Jeremy adopts my proposal for how this should be documented,
then this would be something to be decided at the time, and written into
the data reuse provisions for Method 6.

Gerv



More information about the Public mailing list