[cabfpub] Ballot 218: Remove validation methods #1 and #5

Dimitris Zacharopoulos jimmy at it.auth.gr
Fri Jan 5 11:44:23 UTC 2018 

On 3/1/2018 9:21 μμ, Tim Hollebeek via Public wrote:
>
> Ballot 218: Remove validation methods #1 and #5
>
> Purpose of Ballot: Section 3.2.2.4 says that it “defines the permitted 
> processes and procedures for validating the Applicant’s ownership or 
> control of the domain.”  Most of the validation methods actually do 
> validate ownership and control, but two do not, and can be completed 
> solely based on an applicant’s own assertions.
>
> Since these two validation methods do not meet the objectives of 
> section 3.2.2.4, and are actively being used to avoid validating 
> domain control or ownership, they should be removed, and the other 
> methods that do validate domain control or ownership should be used.
>
> The following motion has been proposed by Tim Hollebeek of DigiCert 
> and endorsed by Ryan Sleevi of Google and Rich Smith of Comodo.
>
> -- MOTION BEGINS –
>
> This ballot modifies the “Baseline Requirements for the Issuance and 
> Management of Publicly-Trusted Certificates” as follows, based upon 
> Version 1.5.4:
>
> In Section 3.2.2.4.1, add text at the end: “For certificates issued on 
> or after March 1, 2018, this method SHALL NOT be used for validation, 
> and completed validations using this method SHALL NOT be used for the 
> issuance of certificates.”
>
> In Section 3.2.2.4.5, add text at the end: “For certificates issued on 
> or after March 1, 2018, this method SHALL NOT be used for validation, 
> and completed validations using this method SHALL NOT be used for the 
> issuance of certificates.”
>
> In Section 4.2.1, after the paragraph that begins “After the change to 
> any validation method”, add the following paragraph: “Validations 
> completed using methods specified in Section 3.2.2.4.1 or Section 
> 3.2.2.4.5 SHALL NOT be re-used on or after March 1, 2018.”
>
> -- MOTION ENDS –
>
> For the purposes of section 4.2.1, the new text added to 4.2.1 from 
> this ballot is “specifically provided in a [this] ballot.”
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
>   Start Time: 2017-01-03  19:30:00 UTC
>
>   End Time: Not Before 2017-01-10 19:30:00 UTC
>
> Vote for approval (7 days)
>
>   Start Time: TBD
>
>   End Time: TBD
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

This is the current text of 3.2.2.4.1:

--- BEGIN QUOTE ---


          3.2.2.4.1 Validating the Applicant as a Domain Contact

Confirming the Applicant's control over the FQDN by validating the 
Applicant is the Domain Contact directly with the Domain Name Registrar. 
This method may only be used if:

 1. The CA authenticates the Applicant's identity under BR Section
    3.2.2.1 and the authority of the Applicant Representative under BR
    Section 3.2.5, OR
 2. The CA authenticates the Applicant's identity under EV Guidelines
    Section 11.2 and the agency of the Certificate Approver under EV
    Guidelines Section 11.8; OR
 3. The CA is also the Domain Name Registrar, or an Affiliate of the
    Registrar, of the Base Domain Name. Note: Once the FQDN has been
    validated using this method, the CA MAY also issue Certificates for
    other FQDNs that end with all the labels of the validated FQDN. This
    method is suitable for validating Wildcard Domain Names.

--- END QUOTE ---

Methods 3.2.2.4.2 and 3.2.2.4.3 rely on publicly available (usually 
WHOIS) information about domain registrants which are usually provided 
by public suffix registries. There are cases (like the gr public suffix 
domains) where domain registrant information is not publicly available. 
The only method of acquiring information of domain registrants is to 
contact the Registrar.

Our proposal to the the ballot proposer and endorsers is to update 
method 3.2.2.4.1 instead of completely removing it, so that:

 1. it MUST NOT be used for domains that have publicly-available domain
    registrant information, which can be validated directly via method
    3.2.2.4.2 OR 3.2.2.4.3.
 2. for the restricted public suffix registry cases, allow the CA to
    obtain Domain Registrant information directly with the Domain Name
    Registrar, which will then MUST be combined with method 3.2.2.4.2 OR
    3.2.2.4.3.

We would also like to keep option 3, in cases where the CA is also the 
Domain Name Registrar of the Base Domain Name to reduce unnecessary 
duplication of work.

Please consider the following language:

--- BEGIN updated language for 3.2.2.4.1 ---

Confirming the Applicant's control over the FQDN by validating the 
Applicant is the Domain Contact directly with the Domain Name Registrar. 
This method may only be used if:

 1. The CA validates Domain Contact information obtained from the Domain
    Registrar by using the process described in section 3.2.2.4.2 OR
    3.2.2.4.3; OR
 2. The CA is also the Domain Name Registrar, or an Affiliate of the
    Registrar, of the Base Domain Name.

Note: Once the FQDN has been validated using this method, the CA MAY 
also issue Certificates for other FQDNs that end with all the labels of 
the validated FQDN. This method is suitable for validating Wildcard 
Domain Names.

--- END updated language for 3.2.2.4.1 ---


Best regards,
Dimitris.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180105/5d461229/attachment-0003.html>

More information about the Public mailing list