[cabfpub] Ballot 190
Dimitris Zacharopoulos
jimmy at it.auth.gr
Wed May 3 06:08:21 UTC 2017
On 2/5/2017 11:59 μμ, Jeremy Rowley via Public wrote:
>
> Okay. Based on the discussion, I propose we do the following to move
> things forward:
>
> 1. Include an extension in the EE certs indicating compliance with a
> certain version of the BRs. This addresses Ryan’s concerns of
> knowing which certs were issued under new methods compared to
> relying on older documentation.
> 2. Permit document reuse for 13 months after which all certs must be
> validated using one of the new methods. This addresses Kirk’s
> concern of having to revalidate every customer as of the effective
> date, permitting roughly half to expire while the other half are
> revalidated.
>
> Does this make everyone equally unhappy?
>
I think Gerv's proposal
(https://cabforum.org/pipermail/public/2017-April/010804.html) is a big
improvement because some validation information is harder to acquire
than others. Methods that can be automated (like 3.2.2.4.6 or 3.2.2.4.7)
could re-use information for a lot less than 13 months.
It would also be great if there was guidance on which of the 10 domain
validation methods can be used to prove domain namespace ownership (or
wildcard validation as Gerv mentioned in his proposal) and which, should
be limited to only verify ownership for a single FQDN.
It would also be nice to write requirements for reuse of validation
information for Domain ownership (for each method) and validation
information for Identities (that doesn't change so often, for example
Identify Information for IV Certificates). So, a CA could be allowed to
reuse identify information for IV Certificates for 39 months, and for OV
Certificates reuse for 24 months.
Dimitris.
> Jeremy
>
> *From:*Ryan Sleevi [mailto:sleevi at google.com]
> *Sent:* Tuesday, May 2, 2017 12:43 PM
> *To:* Jeremy Rowley <jeremy.rowley at digicert.com>
> *Cc:* CA/Browser Forum Public Discussion List <public at cabforum.org>;
> Gervase Markham <gerv at mozilla.org>
> *Subject:* Re: [cabfpub] Ballot 190
>
> Just to be clear: My initial proposal was simply to indicate "All
> information in this certificate has been validated in accordance with
> the explicit methods in Version X"
>
> That is, even if information is reused, that the information was
> compatible with version X. If version X+1 or X+3 changes things
> substantially - but still permits reuse of Version X data - then you'd
> continue to assert Version X. If Version X+3's validation was still
> compatible with Version X (perhaps it added a new method, or changed
> something unrelated), you could assert either X, X+1, X+2, or X+3 and
> still be in full compliance. Asserting X+3 is, of course, a stronger
> security assurance, but asserting X is still compliant/compatible :)
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170503/2b3cedf3/attachment-0002.html>
More information about the Public
mailing list