[cabfpub] Ballot 190

Dimitris Zacharopoulos jimmy at it.auth.gr
Wed May 3 06:08:21 UTC 2017

On 2/5/2017 11:59 μμ, Jeremy Rowley via Public wrote:
> Okay. Based on the discussion, I propose we do the following to move 
> things forward:
>  1. Include an extension in the EE certs indicating compliance with a
>     certain version of the BRs. This addresses Ryan’s concerns of
>     knowing which certs were issued under new methods compared to
>     relying on older documentation.
>  2. Permit document reuse for 13 months after which all certs must be
>     validated using one of the new methods. This addresses Kirk’s
>     concern of having to revalidate every customer as of the effective
>     date, permitting roughly half to expire while the other half are
>     revalidated.
> Does this make everyone equally unhappy?

I think Gerv's proposal 
(https://cabforum.org/pipermail/public/2017-April/010804.html) is a big 
improvement because some validation information is harder to acquire 
than others. Methods that can be automated (like or 
could re-use information for a lot less than 13 months.

It would also be great if there was guidance on which of the 10 domain 
validation methods can be used to prove domain namespace ownership (or 
wildcard validation as Gerv mentioned in his proposal) and which, should 
be limited to only verify ownership for a single FQDN.

It would also be nice to write requirements for reuse of validation 
information for Domain ownership (for each method) and validation 
information for Identities (that doesn't change so often, for example 
Identify Information for IV Certificates). So, a CA could be allowed to 
reuse identify information for IV Certificates for 39 months, and for OV 
Certificates reuse for 24 months.


> Jeremy
> *From:*Ryan Sleevi [mailto:sleevi at google.com]
> *Sent:* Tuesday, May 2, 2017 12:43 PM
> *To:* Jeremy Rowley <jeremy.rowley at digicert.com>
> *Cc:* CA/Browser Forum Public Discussion List <public at cabforum.org>; 
> Gervase Markham <gerv at mozilla.org>
> *Subject:* Re: [cabfpub] Ballot 190
> Just to be clear: My initial proposal was simply to indicate "All 
> information in this certificate has been validated in accordance with 
> the explicit methods in Version X"
> That is, even if information is reused, that the information was 
> compatible with version X. If version X+1 or X+3 changes things 
> substantially - but still permits reuse of Version X data - then you'd 
> continue to assert Version X. If Version X+3's validation was still 
> compatible with Version X (perhaps it added a new method, or changed 
> something unrelated), you could assert either X, X+1, X+2, or X+3 and 
> still be in full compliance. Asserting X+3 is, of course, a stronger 
> security assurance, but asserting X is still compliant/compatible :)
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170503/2b3cedf3/attachment-0003.html>

More information about the Public mailing list