[cabfpub] Ballot 218: Remove validation methods #1 and #5

Tim Hollebeek tim.hollebeek at digicert.com
Tue Jan 9 09:35:38 MST 2018


Doesn’t Ryan and Dimitris’ fix handle that?  Direct communication with the registrar is easy if you are the registrar.

 

-Tim

 

From: Peter Bowen [mailto:pzb at amzn.com] 
Sent: Monday, January 8, 2018 9:49 PM
To: Wayne Thayer <wthayer at mozilla.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Tim Hollebeek <tim.hollebeek at digicert.com>
Subject: Re: [cabfpub] Ballot 218: Remove validation methods #1 and #5

 

 





On Jan 8, 2018, at 9:20 AM, Wayne Thayer via Public <public at cabforum.org <mailto:public at cabforum.org> > wrote:

 

On Mon, Jan 8, 2018 at 9:46 AM, Tim Hollebeek via Public <public at cabforum.org <mailto:public at cabforum.org> > wrote:

I’m not sure there are other valid cases (in fact I suspect there are not), but Wayne mentioned on the validation WG call that he’s concerned that this change could be very disruptive if not handled carefully, and I’m sympathetic to that concern.  Especially since on the same call he also pointed out the same flaw that Dimitris did …

 

My concern is based on a small sample size, but in reviewing CPS' I've noted that government CAs often rely on 3.2.2.4.1. Other than Dimitris, they are not participating in this discussion and may not be aware of it. That isn't a good excuse to delay needed fixes, but I do think that the outright elimination of method #1 on Mar 1st will catch a number of these CAs by surprise and we'll see compliance issues. The approach that Ryan and Dimitris are discussing helps to address my concern.

 

I know I’m really late to this conversation, but I think we need to split 3.2.2.4.1.  It currently has one very strong validation method combined with two that are under discussion.

 

While I know it does not apply to many CAs, I think option 3 in 3.2.2.4.1 is excellent validation when available.  If the CA is also the registry or registrar, then they can have a very high assurance that a certificate requester has control of the domain.  I would hate to see this method go away, as I personally see this as the potentially the strongest proof of domain control.

 

Thanks,

Peter

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20180109/0df3ca2f/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4940 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/public/attachments/20180109/0df3ca2f/attachment-0001.p7s>


More information about the Public mailing list