[cabfpub] Voting begins: Ballot 218 version 2

Fotis Loukos fotisl at ssl.com
Thu Feb 1 09:43:47 MST 2018


SSL.com votes Yes on Ballot 218 version 2.

Regards,
Fotis

On 29/01/2018 11:51 PM, Tim Hollebeek via Public wrote:
> 
> I’m highly skeptical that discussing this for another month will change
> anybody’s minds.  It has already been discussed for over a month,
> including at three validation working group meetings and once on the
> management call, with extensive discussion on this list as well.
> 
> 
> There have been a number of clever attempts to distract from the matter
> at hand.  Everybody seems to agree that methods #1 and #5 as currently
> written are insufficient to validate certificates, and efforts to
> improve method #1 have all either been shown to be similarly weak, or
> have turned the validation method into one of the other existing
> validation methods.  In fact, this demonstrates an obvious transition
> path for CAs currently using method #1: use method #2 or method #3.
> 
> 
> Since methods #1 and #5 do not sufficiently validate certificates, they
> should not be used, and six months should be more than enough time to
> cease using them.
> 
> 
> Here is the final version of the ballot, with voting times.  A redlined
> document is attached (I encourage other proposers to post ballot
> redlines, even if it isn’t required).
> 
> 
> -Tim
> 
> 
> ----- Ballot 218 version 2: Remove validation methods #1 and #5 -----
> 
> 
> Purpose of Ballot: Section 3.2.2.4 says that it “defines the permitted
> processes and procedures for validating the Applicant’s ownership or
> control of the domain.”  Most of the validation methods actually do
> validate ownership and control, but two do not, and can be completed
> solely based on an applicant’s own assertions.
> 
> 
> Since these two validation methods do not meet the objectives of section
> 3.2.2.4, and are actively being used to avoid validating domain control
> or ownership, they should be removed, and the other methods that do
> validate domain control or ownership should be used.
> 
> 
> The following motion has been proposed by Tim Hollebeek of DigiCert and
> endorsed by Ryan Sleevi of Google and Rich Smith of Comodo.
> 
> 
> -- MOTION BEGINS --
> 
> 
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” as follows, based upon
> Version 1.5.4:
> 
> 
> In Section 1.6.1, in the definition of “Domain Contact”, after “in a DNS
> SOA record”, add “, or as obtained through direct contact with the
> Domain Name Registrar”
> 
> 
> In Section 3.2.2.4.1, add text at the end: “For certificates issued on
> or after August 1, 2018, this method SHALL NOT be used for validation,
> and completed validations using this method SHALL NOT be used for the
> issuance of certificates.”
> 
> 
> In Section 3.2.2.4.5, add text at the end: “For certificates issued on
> or after August 1, 2018, this method SHALL NOT be used for validation,
> and completed validations using this method SHALL NOT be used for the
> issuance of certificates.”
> 
> 
> After Section 3.2.2.4.10, add the following two new subsections:
> 
> “3.2.2.4.11 Any Other Method
> 
> 
> This method has been retired and MUST NOT be used.
> 
> 
> 3.2.2.4.12 Validating Applicant as a Domain Contact
> 
> 
> Confirming the Applicant's control over the FQDN by validating the
> Applicant is the Domain Contact. This method may only be used if the CA
> is also the Domain Name Registrar, or an Affiliate of the Registrar, of
> the Base Domain Name.
> 
> 
> Note: Once the FQDN has been validated using this method, the CA MAY
> also issue Certificates for other FQDNs that end with all the labels of
> the validated FQDN. This method is suitable for validating Wildcard
> Domain Names.”
> 
> 
> In Section 4.2.1, after the paragraph that begins “After the change to
> any validation method”, add the following paragraph: “Validations
> completed using methods specified in Section 3.2.2.4.1 or Section
> 3.2.2.4.5 SHALL NOT be re-used on or after August 1, 2018.”
> 
> 
> -- MOTION ENDS --
> 
> 
> For the purposes of section 4.2.1, the new text added to 4.2.1 from this
> ballot is “specifically provided in a [this] ballot.”
> 
> 
> The procedure for approval of this ballot is as follows:
> 
> 
> Discussion (7+ days)
> 
>   Start Time: 2017-01-22  21:30:00 UTC 
> 
>   End Time: 2017-01-29 21:50:00 UTC
> 
> 
> Vote for approval (7 days)
> 
>   Start Time: 2017-01-29 21:50:00 UTC
> 
>   End Time: 2017-02-05 21:50 UTC
> 
> 
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
> 


-- 
Fotis Loukos, PhD
Director of Security Architecture
SSL Corp
e: fotisl at ssl.com
w: https://www.ssl.com

