[cabfpub] [EXTERNAL]Re: Ballot 218: Remove validation methods #1 and #5

Tim Hollebeek tim.hollebeek at digicert.com
Wed Jan 3 23:01:03 UTC 2018 

Jeremy’s proposal was discussed in the Validation working group.  You were there, and spoke up to oppose it.

 

I’m also fine with discussing it again, which we will do tomorrow.  But there is no requirement that ballots go through working groups.

 

If people oppose the ballot, that’s fine, but they should do so on the merits.

 

-Tim

 

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Bruce Morton via Public
Sent: Wednesday, January 3, 2018 3:27 PM
To: Rich Smith <richard.smith at comodo.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>; 'Ryan Sleevi' <sleevi at google.com>; Kirk Hall <Kirk.Hall at entrustdatacard.com>
Subject: Re: [cabfpub] [EXTERNAL]Re: Ballot 218: Remove validation methods #1 and #5

 

I disagree.

 

Removing, changing and adding back in method #1 is not a productive exercise. This method has been used for probably 20 years and yet we never see any notifications, articles, alerts, etc. of how this method was defeated by an attacker.

 

Note, I agree that method #1 can be approved in the BRs, but please advise which CAs have not already improved this method in practice? If a CA finds a BR requirement to be weak, they should either not use it or improve the process in their own practices. I assume that many BR requirements were not intended to have loopholes, but were written to allow competitiveness in the way they are adopted. 

 

I think that the current ballot 218 is bypassing the working group process where a working group was created by ballot to improve the validation methods. Is this the intension?

 

If we are going to support abrupt ballots, then I would suggest that they at least be split into one topic and discuss method #1 and #5 independently.

 

Finally, what is the rush? Why can’t this change be discussed at the bi-weekly CAB Forum meeting or Validation Working Group meeting at least once before a pre-ballot is produced? And why effective March 1, 2018? Not only has method #1 been highly effective for 20 years, but we have also just updated the validation methods to support ballot 190. More time would allow CAs to add changes to their release cycles and allow Subscribers to learn new validation processes they will now have to adopt.

 

I am open to change BR requirements, but do not support ballot 218.

 

Bruce.   

 

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Rich Smith via Public
Sent: January 3, 2018 4:44 PM
To: 'Ryan Sleevi' <sleevi at google.com <mailto:sleevi at google.com> >; 'CA/Browser Forum Public Discussion List' <public at cabforum.org <mailto:public at cabforum.org> >; Kirk Hall <Kirk.Hall at entrustdatacard.com <mailto:Kirk.Hall at entrustdatacard.com> >
Subject: [EXTERNAL]Re: [cabfpub] Ballot 218: Remove validation methods #1 and #5

 

I agree with Ryan on this and stand by my endorsement of this ballot to move forward.  I’m not opposed to adding 3.2.2.4.1 back in if it can be made much more secure and brought up to equivalent level with the other methods, but I also have my doubts as to whether or not that is possible in the broad sense across all TLDs and registrars.  That being the case I think the best course is to remove it for now because in it’s present form is extremely weak and add back later if and when it has undergone sufficient revisions to make it secure.

 

Regards,

Rich

 

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi via Public
Sent: Wednesday, January 3, 2018 2:24 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com <mailto:Kirk.Hall at entrustdatacard.com> >; CA/Browser Forum Public Discussion List <public at cabforum.org <mailto:public at cabforum.org> >
Subject: Re: [cabfpub] Ballot 218: Remove validation methods #1 and #5

 

Hi Kirk,

 

We had two endorsers for the discussion. As I mentioned, there's nothing inherent in needing to direct this to VWG. As DigiCert has pointed out, there are CAs today that are doing validations that are patently insecure.

 

While we can understand and appreciate that some members may wish to introduce new validation methods that are limited in scope and applicability (for example, Mads' example only applies to a limited subset of ccTLDs, and cannot be done safely generically), in order to reduce that risk, I think it's entirely appropriate to take the necessary steps to ensure the safety of the Internet at large.

 

This does not prevent or inhibit the issuance of certificates that have appropriate controls - that is, these methods could be argued as an 'optimization' - and thus we should not unduly delay progress. Regarding passing it to the VWG, could you indicate where you saw that was suggested? The only mention of it I saw was from you, on a separate thread, and I'm curious if perhaps I've missed additional discussion. Certainly, our workmode does not require sending such discussions "to committee"

 

On Wed, Jan 3, 2018 at 3:10 PM, Kirk Hall via Public <public at cabforum.org <mailto:public at cabforum.org> > wrote:

Tim, I thought this issue was going to be discussed first by the VWG, as several CAs have indicated they would like to keep (but improve) Method 1.  

 

From: Public [mailto:public-bounces at cabforum.org <mailto:public-bounces at cabforum.org> ] On Behalf Of Tim Hollebeek via Public
Sent: Wednesday, January 3, 2018 11:22 AM
To: CA/Browser Forum Public Discussion List <public at cabforum.org <mailto:public at cabforum.org> >
Subject: [EXTERNAL][cabfpub] Ballot 218: Remove validation methods #1 and #5

 

 

Ballot 218: Remove validation methods #1 and #5

 

Purpose of Ballot: Section 3.2.2.4 says that it “defines the permitted processes and procedures for validating the Applicant’s ownership or control of the domain.”  Most of the validation methods actually do validate ownership and control, but two do not, and can be completed solely based on an applicant’s own assertions.

 

Since these two validation methods do not meet the objectives of section 3.2.2.4, and are actively being used to avoid validating domain control or ownership, they should be removed, and the other methods that do validate domain control or ownership should be used.

 

The following motion has been proposed by Tim Hollebeek of DigiCert and endorsed by Ryan Sleevi of Google and Rich Smith of Comodo.

 

-- MOTION BEGINS –

 

This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” as follows, based upon Version 1.5.4:

 

In Section 3.2.2.4.1, add text at the end: “For certificates issued on or after March 1, 2018, this method SHALL NOT be used for validation, and completed validations using this method SHALL NOT be used for the issuance of certificates.”

 

In Section 3.2.2.4.5, add text at the end: “For certificates issued on or after March 1, 2018, this method SHALL NOT be used for validation, and completed validations using this method SHALL NOT be used for the issuance of certificates.”

 

In Section 4.2.1, after the paragraph that begins “After the change to any validation method”, add the following paragraph: “Validations completed using methods specified in Section 3.2.2.4.1 or Section 3.2.2.4.5 SHALL NOT be re-used on or after March 1, 2018.”

 

-- MOTION ENDS –

 

For the purposes of section 4.2.1, the new text added to 4.2.1 from this ballot is “specifically provided in a [this] ballot.”

 

The procedure for approval of this ballot is as follows:

 

Discussion (7+ days) 

  Start Time: 2017-01-03  19:30:00 UTC  

  End Time: Not Before 2017-01-10 19:30:00 UTC

 

Vote for approval (7 days) 

  Start Time: TBD   

  End Time: TBD

 


_______________________________________________
Public mailing list
Public at cabforum.org <mailto:Public at cabforum.org> 
https://cabforum.org/mailman/listinfo/public

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180103/da27bb95/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4940 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180103/da27bb95/attachment-0003.p7s>

More information about the Public mailing list