[cabfpub] Ballot 218: Remove validation methods #1 and #5

Masaki SHIMAOKA m-shimaoka at secom.co.jp
Wed Jan 10 08:10:02 UTC 2018 

# This post is on behalf of my colleagues.

We support to strengthen 3.2.2.4.1.
Besides, we don't think that 3.2.2.4.1 and .5 can replace within a short 
period.

In our understanding, we are using 3.2.2.4.1 and .5 in our validation 
process. We understand that checking the domain with 3.2.2.4.1 or .5 is 
insufficient to see if an applicant has control over a domain. It is 
agreeable for us to confirm control over a domain by obtaining a change 
on a targeting domain.

We might choose to move over time to some of other the methods, but they 
may not be appropriate in all case. In addition, we had used 3.2.2.4.1 
and .5 for long period, and procedures (including audit) have been 
carried out on that premise.

To be more precise, we believe that 3.2.2.4.6 to .10 should be done with 
automation, and should require following concern.
-Judgment for the automated system to be valid
-How to keep logs and audit trails in an automated system
-Explain to the audit firm that the system and log are valid

In addition, in Japan audit firms, inquiries to the home country are 
prone to occur, and they answer after unpredictable lag. We want enough 
time to deal with that lag. Furthermore, we will take some time to 
create internal documents (including documents for audit) after their 
answer.

We need to discuss the change to major customers after the above 
adjustment. As mentioned above, 3.2.2.4.1 and .5 are methods that have 
been used for many years, and it is conceivable that the business flows 
of large customers are also built on these assumptions. Therefore, they 
might need some period to review their flows.

Best Regards,
Masaki

On 2018/01/04 4:21, Tim Hollebeek via Public wrote:
> Ballot 218: Remove validation methods #1 and #5
> 
> Purpose of Ballot: Section 3.2.2.4 says that it “defines the permitted 
> processes and procedures for validating the Applicant’s ownership or 
> control of the domain.”  Most of the validation methods actually do 
> validate ownership and control, but two do not, and can be completed 
> solely based on an applicant’s own assertions.
> 
> Since these two validation methods do not meet the objectives of section 
> 3.2.2.4, and are actively being used to avoid validating domain control 
> or ownership, they should be removed, and the other methods that do 
> validate domain control or ownership should be used.
> 
> The following motion has been proposed by Tim Hollebeek of DigiCert and 
> endorsed by Ryan Sleevi of Google and Rich Smith of Comodo.
> 
> -- MOTION BEGINS –
> 
> This ballot modifies the “Baseline Requirements for the Issuance and 
> Management of Publicly-Trusted Certificates” as follows, based upon 
> Version 1.5.4:
> 
> In Section 3.2.2.4.1, add text at the end: “For certificates issued on 
> or after March 1, 2018, this method SHALL NOT be used for validation, 
> and completed validations using this method SHALL NOT be used for the 
> issuance of certificates.”
> 
> In Section 3.2.2.4.5, add text at the end: “For certificates issued on 
> or after March 1, 2018, this method SHALL NOT be used for validation, 
> and completed validations using this method SHALL NOT be used for the 
> issuance of certificates.”
> 
> In Section 4.2.1, after the paragraph that begins “After the change to 
> any validation method”, add the following paragraph: “Validations 
> completed using methods specified in Section 3.2.2.4.1 or Section 
> 3.2.2.4.5 SHALL NOT be re-used on or after March 1, 2018.”
> 
> -- MOTION ENDS –
> 
> For the purposes of section 4.2.1, the new text added to 4.2.1 from this 
> ballot is “specifically provided in a [this] ballot.”
> 
> The procedure for approval of this ballot is as follows:
> 
> Discussion (7+ days)
> 
>    Start Time: 2017-01-03  19:30:00 UTC
> 
>    End Time: Not Before 2017-01-10 19:30:00 UTC
> 
> Vote for approval (7 days)
> 
>    Start Time: TBD
> 
>    End Time: TBD
> 
> 
> 
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
> 

-- 
Masaki SHIMAOKA, Ph.D.
<m-shimaoka at secom.co.jp>
+81 422 76 2111 (4131)
SECOM IS Lab.

More information about the Public mailing list