[cabfpub] Preballot - Revised Ballot 190

Kirk Hall Kirk.Hall at entrustdatacard.com
Fri May 19 06:00:23 UTC 2017

Good summary, Peter.  

I can only say as someone who worked on Ballot 169 for over a year in the Validation Working Group (and who actually spearheaded it for many months, creating many updated drafts that showed changes from the prior seven domain validation methods, including elimination of the dreaded "any other method" number 7) that never, at any time, did any participant in the Validation Working Group express an opinion that these incremental improvements in validation methods should be interpreted as requiring revalidation of domains that had previously been validated under BR as written.  

Instead, it was the universal view that BR 4.2.1 (and the corresponding EVGL 11.14.3) would allow reuse of existing domain validation data derived from the old validation methods for the periods stated in those sections.  As you know, the permitted reuse period for DV and OV certs already will be reduced from 39 months to 825 days next March 1, and the EVGL provisions already limit reuse of domain validation data for EV certificates to 13 months -- that is what is intended by Ballot 190.  Any other interpretation is new, and was never a part of the Validation Working Group's intention in drafting Ballots 169 and 190.  Most CAs have already shifted to the new validation methods for new domain validations, even though the ballot has not yet been adopted, so change is already underway.

As Gerv said a few weeks ago, requiring revalidation of all outstanding domains every time there is an incremental improvement in domain validation methods will turn out to be a tremendous disincentive to ever adopt such incremental improvements.  If there is ever a strong evidentiary showing that a particular existing validation method has *actually* resulted in a meaningful number of misissued certificates, everyone would likely agree to improving the validation method immediately and launching a campaign to revalidate all the affected domains over a short, reasonable period.  However, in our current discussion of Ballot 190, no such strong evidentiary showing has ever been made by anyone, and so Ballot 190 clarifies that the long-standing rule permitting reuse of proper validation data under BR 4.2.1 and EVGL 11.14.3 continues in place.

-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Peter Bowen via Public
Sent: Thursday, May 18, 2017 7:47 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Peter Bowen <pzb at amzn.com>
Subject: [EXTERNAL]Re: [cabfpub] Preballot - Revised Ballot 190

On May 18, 2017, at 7:33 AM, Ryan Sleevi via Public <public at cabforum.org> wrote:
> Certainly, we saw a number of CAs feeling that the 'data reuse' was new rules, despite it also being long-standing in the BRs through reading, and what CAs voted on (in Ballot 169). 

I’ve heard several different versions of the current situation with respect to ‘data reuse’ and I’m afraid I’m now somewhat confused.  Maybe I’ve missed a message somewhere, but here is what I think I understand about the ‘data reuse’ rules and where there is currently contention.

Ballot 169 included the text "Completed confirmations of Applicant authority may be valid for the issuance of multiple certificates over time. In all cases, the confirmation must have been initiated within the time period specified in the relevant requirement (such as Section 3.3.1 of this document) prior to certificate issuance. For purposes of domain validation, the term Applicant includes the Applicant’s Parent Company, Subsidiary Company, or Affiliate.”

This appears to clearly allow reuse of the result of running a validation workflow.  However there is contention about whether a completed confirmation of authority that was initiated and completed under a prior version of the BRs can be used under the current version of the BRs.

It has been suggested that this could be clarified by adding something similar to “[…] over time, provided the process used to complete the confirmation complied with the Baseline Requirements in effect at the time the confirmation was completed.”  In the alternative, it could be clarified by adding something similar to “[…] over time, provided the process used to complete the confirmation complies with the Baseline Requirements in effect when the certificate is issued.”

The proponents of the first option point out that it aligns with how their CAs have been operating for 15 years and that there is no evidence that existing validation methods have led to significant security issues.  They further agree that raising the security bar is good and recommend that we use the new methods for validations going forward but allow existing validations to avoid customer pain created by requiring re-validation significantly sooner than the customers' current expectations.

The proponents of the second option point out that 169 was designed to close various security holes in the validation processes.  Allowing existing validations that do not follow the new methods fails to close the security hole for up to three years.  They further point out that there is evidence that many of the methods used by CAs in the past have been shown to be problematic and it is important to the security of the web to avoid relying on those validations.

Is this a reasonable summary of the current situation and controversy?
