[cabfpub] Ballot 218 version 2: Remove validation methods #1 and #5

Adriano Santoni adriano.santoni at staff.aruba.it
Wed Jan 24 00:34:22 MST 2018


It seems to me that the premise of this ballot is wrong. The various 
methods under section 3.2.2.4, with the exception of #1 and #5, only 
validate domain control - not ownership. I cannot see how they validate 
ownership.

Besides, the implied notion that ownership and control must _both_ be 
validated seems to conflict with several occurances of "OR" (either 
ownership OR control) in the BRs.

If this ballot implies that the traditional "OR" should be replaced by 
an "AND", then other parts of the BRs should also be revised accordingly.

Apart from that, ownership of a domain (which implies control, while the 
opposite is obviously untrue) seems to me a sound basis on which to 
issue a certificate, of course provided that ownership is properly 
validated.

I am also perplexed about the statement that methods .1 and .5 are 
"actively being used to avoid validating domain control or ownership": 
what evidence do we have of that?

Adriano


Il 22/01/2018 22:30, Tim Hollebeek via Public ha scritto:
>
> Ballot 218 version 2: Remove validation methods #1 and #5
>
> Purpose of Ballot: Section 3.2.2.4 says that it “defines the permitted 
> processes and procedures for validating the Applicant’s ownership or 
> control of the domain.”  Most of the validation methods actually do 
> validate ownership and control, but two do not, and can be completed 
> solely based on an applicant’s own assertions.
>
> Since these two validation methods do not meet the objectives of 
> section 3.2.2.4, and are actively being used to avoid validating 
> domain control or ownership, they should be removed, and the other 
> methods that do validate domain control or ownership should be used.
>
> The following motion has been proposed by Tim Hollebeek of DigiCert 
> and endorsed by Ryan Sleevi of Google and Rich Smith of Comodo.
>
> -- MOTION BEGINS –
>
> This ballot modifies the “Baseline Requirements for the Issuance and 
> Management of Publicly-Trusted Certificates” as follows, based upon 
> Version 1.5.4:
>
> In Section 1.6.1, in the definition of “Domain Contact”, after “in a 
> DNS SOA record”, add “, or as obtained through direct contact with the 
> Domain Name Registrar”
>
> In Section 3.2.2.4.1, add text at the end: “For certificates issued on 
> or after August 1, 2018, this method SHALL NOT be used for validation, 
> and completed validations using this method SHALL NOT be used for the 
> issuance of certificates.”
>
> In Section 3.2.2.4.5, add text at the end: “For certificates issued on 
> or after August 1, 2018, this method SHALL NOT be used for validation, 
> and completed validations using this method SHALL NOT be used for the 
> issuance of certificates.”
>
> After Section 3.2.2.4.10, add following two new subsections:
>
> “3.2.2.4.11 Any Other Method
>
> This method has been retired and MUST NOT be used.
>
> 3.2.2.4.12 Validating Applicant as a Domain Contact
>
> Confirming the Applicant's control over the FQDN by validating the 
> Applicant is the Domain Contact. This method may only be used if the 
> CA is also the Domain Name Registrar, or an Affiliate of the 
> Registrar, of the Base Domain Name.
>
> Note: Once the FQDN has been validated using this method, the CA MAY 
> also issue Certificates for other FQDNs that end with all the labels 
> of the validated FQDN. This method is suitable for validating Wildcard 
> Domain Names.“
>
> In Section 4.2.1, after the paragraph that begins “After the change to 
> any validation method”, add the following paragraph: “Validations 
> completed using methods specified in Section 3.2.2.4.1 or Section 
> 3.2.2.4.5 SHALL NOT be re-used on or after August 1, 2018.”
>
> -- MOTION ENDS –
>
> For the purposes of section 4.2.1, the new text added to 4.2.1 from 
> this ballot is “specifically provided in a [this] ballot.”
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
>   Start Time: 2017-01-22  21:30:00 UTC
>
>   End Time: Not Before 2017-01-29 21:30:00 UTC
>
> Vote for approval (7 days)
>
>   Start Time: TBD
>
>   End Time: TBD
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20180124/f0c904d8/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4025 bytes
Desc: Firma crittografica S/MIME
URL: <http://cabforum.org/pipermail/public/attachments/20180124/f0c904d8/attachment-0001.p7s>


More information about the Public mailing list