[cabfpub] Ballot 190 - Discussion Period is starting

Ryan Sleevi sleevi at google.com
Thu Sep 7 15:22:42 MST 2017


On Wed, Sep 6, 2017 at 9:14 PM, Kirk Hall via Public <public at cabforum.org>
wrote:

> Peter, let me first review how BR 4.2.1 got where it is in Ballot 190.  We
> started the ballot by adding back 7 validation methods from Ballot 169.
> Then there was a question of whether this meant CA could, or could not,
> reuse domain validation data under 4.2.1 for validation methods that had
> changed.  The Validation Working Group did not intend that data that was
> still in the permissible “re-use” period under 4.2.1 had to be thrown out,
> so we made that clear in an amendment to 4.2.1.  Then there was an
> additional question of whether a “validation” itself (for example,
> combining vetting data for both an organization and its domains in OV
> vetting a week before the Ballot 190  becomes effective) could still be
> used under 4.2.1 – this was tied to some very specific language that some
> were interpreting as requiring revalidation of data where a domain method
> had changed.  So we clarified that as well by another amendment to 4.2.1 –
> a prior completed validation (domain and/or organization) could still be
> reused under 4.2.1 for the permitted period.
>
>
>
> I’m not sure I completely follow your examples below.  If someone has
> collected OV validation data (both organization data and domain data) on
> July 1, 2017, then both the data itself and the validation using that date
> can be reused under 4.2.1 (right now) for 39 months from that date.  If the
> customer wants to add a new domain on July 20, 2017, that bit of data could
> also be reused for 39 months, but the related organization validation data
> will expire 39 months after it was collected on July 1, 2017.  No one could
> rebundle the old data one day before expiration and say “look, I just
> revalidated the organization and domains” and use it for another extended
> period under 4.2.1.
>

Hi Kirk,

Please consider this example in the case of DV. I believe you will see
Peter's point and the security risk that both Amazon and Google have
highlighted would be introduced in the current ballot.

I hope you can consider addressing this security risk prior to voting on
the ballot. As we've seen, promises to do this "after" passing take
considerable time, and since the security risk here is so significant, it's
difficult to believe that it would be wise or in our users interest to
support.


>
>
> Again, the only reason we added “the validation itself” to the ballot was
> to counter a different interpretation offered on the list.  I don’t think
> the amended 4.2.1 language could be used as you suggest – but if you want
> to come up with a better way to express these concepts in a post-190
> ballot, please draft it and add it to the list of further improvements the
> VWG will be working on.  We agree on the ultimate goal.
>
>
>
> *From:* Peter Bowen [mailto:pzb at amzn.com]
> *Sent:* Wednesday, September 6, 2017 12:53 PM
> *To:* Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Public
> Discussion List <public at cabforum.org>
> *Subject:* [EXTERNAL]Re: [cabfpub] Ballot 190 - Discussion Period is
> starting
>
>
>
> Kirk,
>
>
>
> As I have said previously, I think the changes in 4.2.1 regarding reuse
> are problematic for two reasons.
>
>
>
> First, the proposed text says "the CA obtained the data or document from a
> source specified under Section 3.2 or completed the validation itself”.  It
> is not clear if the CA can choose to do both, which would effectively
> extend the reuse period, or if these are mutually exclusive options.  For
> example, assuming a reuse of 825 days, can a CA do the following?
>
>
>
> - 1 March 2018 - Fetch a copy of domain registration information and
> corporate registration, complete a new validation, and issue a certificate
>
> - 1 May 2020 - Reuse the previously obtained registration information,
> complete a new validation, and issue a new certificate with the same info
> as the previous certificate
>
> - 1 July 2022 - Reuse the last validation and issue a new certificate with
> the same info as the previous certificates
>
>
>
> Second, the proposed text says "After the change to any validation method
> specified […], a CA may continue to reuse […] the validation itself, for
> the period stated in this BR 4.2.1 unless otherwise specifically provided
> in a ballot.”
>
>
>
> Right now CAs can reuse data and documents collected during validation.
> It isn’t that hard to run the validation workflow for each certificate
> issuance, using the existing data, and make sure you have everything in
> place.  I don’t think having the output reusable makes a lot of sense.
>
>
>
> Thanks,
>
> Peter
>
>
>
> On Sep 5, 2017, at 10:52 AM, Kirk Hall via Public <public at cabforum.org>
> wrote:
>
>
>
> As agreed on our CABF teleconference last week, we are starting the formal
> discussion period for Ballot 190 (in this case, v8).  I have attached the
> ballot in two formats and in three modes.
>
>
>
> The title of the actual ballot to be voted on uses all capital letters
> “BALLOT 190 v8 (9-5-2017)”.  I also attach a version that includes some
> explanatory comments, and a “clean” version showing how the BRs will read
> if Ballot 190 v8 is adopted “Ballot 190 v8 (9-5-2017) (showing BRs if
> adopted)”.
>
>
>
> The discussion period ends Sept. 12 at 18:00 UTC, and the voting period
> runs Sept. 12-19.
>
>
>
> This version 8 is based on the prior version 7, but includes a limited
> number of changes as outlined in emails among me, Ryan, and Doug on Aug.
> 29-30.
>
>
>
> We are almost there!  Thanks to everyone who has worked on this effort
> over the past two years.  Assuming Ballot 190 passes, the Validation
> Working Group can then start work on further amendments as outlined in my
> prior emails.
>
> <BALLOT 190 v8 (9-5-2017).docx><BALLOT 190 v8 (9-5-2017).pdf><Ballot 190
> v8 (9-5-2017) with comments.docx><Ballot 190 v8 (9-5-2017) with
> comments.pdf><Ballot 190 v8 (9-5-2017) (showing BRs if
> adopted).docx><Ballot 190 v8 (9-5-2017) (showing BRs if adopted).pdf>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170907/3a37cd93/attachment.html>


More information about the Public mailing list