[cabfpub] Voting begins: Ballot 218 version 2

Adriano Santoni adriano.santoni at staff.aruba.it
Mon Feb 5 07:19:58 UTC 2018 

Actalis "abstains".

We appreciate the intent to improve the security of domain validation 
procedures, but we would have preferred a strengthening of Method 1 - 
which seemed quite possible - rather than its abolition.

Adriano


Il 29/01/2018 22:51, Tim Hollebeek via Public ha scritto:
>
> I’m highly skeptical that discussing this for another month will 
> change anybody’s minds.  It has already been discussed for over a 
> month, including at three validation working group meetings and once 
> on the management call, with extensive discussion on this list as well.
>
> There have been a number of clever attempts to distract from the 
> matter at hand.  Everybody seems to agree that methods #1 and #5 as 
> currently written are insufficient to validate certificates, and 
> efforts to improve method #1 have all either been shown to be 
> similarly weak, or have turned the validation method into one of the 
> other existing validation methods.  In fact, this demonstrates an 
> obvious transition path for CAs currently using method #1: use method 
> #2 or method #3.
>
> Since methods #1 and #5 do not sufficiently validate certificates, 
> they should not be used, and six months should be more than enough 
> time to cease using them.
>
> Here is the final version of the ballot, with voting times.  A 
> redlined document is attached (I encourage other proposers to post 
> ballot redlines, even if it isn’t required).
>
> -Tim
>
> ----- Ballot 218 version 2: Remove validation methods #1 and #5 -----
>
> Purpose of Ballot: Section 3.2.2.4 says that it “defines the permitted 
> processes and procedures for validating the Applicant’s ownership or 
> control of the domain.”  Most of the validation methods actually do 
> validate ownership and control, but two do not, and can be completed 
> solely based on an applicant’s own assertions.
>
> Since these two validation methods do not meet the objectives of 
> section 3.2.2.4, and are actively being used to avoid validating 
> domain control or ownership, they should be removed, and the other 
> methods that do validate domain control or ownership should be used.
>
> The following motion has been proposed by Tim Hollebeek of DigiCert 
> and endorsed by Ryan Sleevi of Google and Rich Smith of Comodo.
>
> -- MOTION BEGINS –
>
> This ballot modifies the “Baseline Requirements for the Issuance and 
> Management of Publicly-Trusted Certificates” as follows, based upon 
> Version 1.5.4:
>
> In Section 1.6.1, in the definition of “Domain Contact”, after “in a 
> DNS SOA record”, add “, or as obtained through direct contact with the 
> Domain Name Registrar”
>
> In Section 3.2.2.4.1, add text at the end: “For certificates issued on 
> or after August 1, 2018, this method SHALL NOT be used for validation, 
> and completed validations using this method SHALL NOT be used for the 
> issuance of certificates.”
>
> In Section 3.2.2.4.5, add text at the end: “For certificates issued on 
> or after August 1, 2018, this method SHALL NOT be used for validation, 
> and completed validations using this method SHALL NOT be used for the 
> issuance of certificates.”
>
> After Section 3.2.2.4.10, add following two new subsections:
>
> “3.2.2.4.11 Any Other Method
>
> This method has been retired and MUST NOT be used.
>
> 3.2.2.4.12 Validating Applicant as a Domain Contact
>
> Confirming the Applicant's control over the FQDN by validating the 
> Applicant is the Domain Contact. This method may only be used if the 
> CA is also the Domain Name Registrar, or an Affiliate of the 
> Registrar, of the Base Domain Name.
>
> Note: Once the FQDN has been validated using this method, the CA MAY 
> also issue Certificates for other FQDNs that end with all the labels 
> of the validated FQDN. This method is suitable for validating Wildcard 
> Domain Names.“
>
> In Section 4.2.1, after the paragraph that begins “After the change to 
> any validation method”, add the following paragraph: “Validations 
> completed using methods specified in Section 3.2.2.4.1 or Section 
> 3.2.2.4.5 SHALL NOT be re-used on or after August 1, 2018.”
>
> -- MOTION ENDS –
>
> For the purposes of section 4.2.1, the new text added to 4.2.1 from 
> this ballot is “specifically provided in a [this] ballot.”
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
>   Start Time: 2017-01-22  21:30:00 UTC
>
>   End Time: 2017-01-29 21:50:00 UTC
>
> Vote for approval (7 days)
>
>   Start Time: 2017-01-29 21:50:00 UTC
>
>   End Time: 2017-02-05 21:50 UTC
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180205/74d327e6/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4025 bytes
Desc: Firma crittografica S/MIME
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180205/74d327e6/attachment-0003.p7s>

More information about the Public mailing list