[cabfpub] Preballot - Revised Ballot 190

Peter Bowen pzb at amzn.com
Fri May 19 02:46:37 UTC 2017


On May 18, 2017, at 7:33 AM, Ryan Sleevi via Public <public at cabforum.org> wrote:
> 
> Certainly, we saw a number of CAs feeling that the 'data reuse' was new rules, despite it also being long-standing in the BRs through reading, and what CAs voted on (in Ballot 169). 

I’ve heard several different versions of the current situation with respect to ‘data reuse’ and I’m afraid I’m now somewhat confused.  Maybe I’ve missed a message somewhere, but here is what I think I understand about the ‘data reuse’ rules and where there is currently contention.

Ballot 169 included the text "Completed confirmations of Applicant authority may be valid for the issuance of multiple certificates over time. In all cases, the confirmation must have been initiated within the time period specified in the relevant requirement (such as Section 3.3.1 of this document) prior to certificate issuance. For purposes of domain validation, the term Applicant includes the Applicant’s Parent Company, Subsidiary Company, or Affiliate.”

This appears to clearly allow reuse of the result of running a validation workflow.  However there is contention about whether a completed confirmation of authority that was initiated and completed under a prior version of the BRs can be used under the current version of the BRs.

It has been suggested that this could be clarified by adding something similar to “[…] over time, provided the the process used to complete the confirmation complied the Baseline Requirements in effect at the time the confirmation was completed.”  In the alternative, it could be clarified by adding something similar to “[…] over time, provided the the process used to complete the confirmation complies with the Baseline Requirements in effect when the certificate is issued.”

The proponents of the first option point out that it aligns with how their CAs have been operating for 15 years and that there is no evidence that existing validation methods have led to significant security issues.  They further agree that raising the security bar is good and recommend that we use the new methods for validations going forward but allow existing validations to avoid customer pain created by requiring re-validaiton significantly sooner than the customers current expectations.

The proponents of the second option point out that 169 was designed to close various security holes in the validation processes.  Allowing existing validations that do not follow the new methods fails to close the security hole for up to three years.  They further point out that there is evidence that many of the methods used by CAs in the past have be shown to be problematic and it is important to the security of the web to avoid relying on those validations.

Is this a reasonable summary of the current situation and controversy?

Thanks,
Peter


More information about the Public mailing list