[cabfpub] Voting begins: Ballot 218 version 2

Tim Hollebeek tim.hollebeek at digicert.com
Wed Jan 31 18:19:55 UTC 2018

Yup, the ballot text is what matters, the redline is for convenience.  I'll
fix the redline.  Thanks for the feedback.




From: Doug Beattie [mailto:doug.beattie at globalsign.com] 
Sent: Wednesday, January 31, 2018 10:50 AM
To: Tim Hollebeek <tim.hollebeek at digicert.com>; CA/Browser Forum Public
Discussion List <public at cabforum.org>
Subject: RE: Voting begins: Ballot 218 version 2


GlobalSign votes Yes on ballot 218, version 2.


Note that the redlined ballot that Tim attached incorrectly lists the new
method, "Validating Applicant as a Domain Contact" as method 10.
Sequentially it follows section so I'm sure that is a typo, but
it's something that needs to be fixed.


We use method 1 quite often and feel our approach is solid; however, given
the documented lack of direct communication to the domain registrant or
technical validation techniques at the time of validation, we will change
our practices to use alternate methods.  While it's not that hard to modify
manual methods, we want to have suffice time to:

*	complete the process of re-validating domains within our managed
service that used this method well before the August 1st date, and
*	Implement system updates to drive all OV/EV customers to use one of
the automated methods (2, 4, 6 or 7).  


We believe the August date is tight, but achievable to accomplish both of




From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Tim Hollebeek
via Public
Sent: Monday, January 29, 2018 4:52 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org
<mailto:public at cabforum.org> >
Subject: [cabfpub] Voting begins: Ballot 218 version 2



I'm highly skeptical that discussing this for another month will change
anybody's minds.  It has already been discussed for over a month, including
at three validation working group meetings and once on the management call,
with extensive discussion on this list as well.


There have been a number of clever attempts to distract from the matter at
hand.  Everybody seems to agree that methods #1 and #5 as currently written
are insufficient to validate certificates, and efforts to improve method #1
have all either been shown to be similarly weak, or have turned the
validation method into one of the other existing validation methods.  In
fact, this demonstrates an obvious transition path for CAs currently using
method #1: use method #2 or method #3.


Since methods #1 and #5 do not sufficiently validate certificates, they
should not be used, and six months should be more than enough time to cease
using them.


Here is the final version of the ballot, with voting times.  A redlined
document is attached (I encourage other proposers to post ballot redlines,
even if it isn't required).




----- Ballot 218 version 2: Remove validation methods #1 and #5 -----


Purpose of Ballot: Section says that it "defines the permitted
processes and procedures for validating the Applicant's ownership or control
of the domain."  Most of the validation methods actually do validate
ownership and control, but two do not, and can be completed solely based on
an applicant's own assertions.


Since these two validation methods do not meet the objectives of section, and are actively being used to avoid validating domain control or
ownership, they should be removed, and the other methods that do validate
domain control or ownership should be used.


The following motion has been proposed by Tim Hollebeek of DigiCert and
endorsed by Ryan Sleevi of Google and Rich Smith of Comodo.




This ballot modifies the "Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates" as follows, based upon Version


In Section 1.6.1, in the definition of "Domain Contact", after "in a DNS SOA
record", add ", or as obtained through direct contact with the Domain Name


In Section, add text at the end: "For certificates issued on or
after August 1, 2018, this method SHALL NOT be used for validation, and
completed validations using this method SHALL NOT be used for the issuance
of certificates."


In Section, add text at the end: "For certificates issued on or
after August 1, 2018, this method SHALL NOT be used for validation, and
completed validations using this method SHALL NOT be used for the issuance
of certificates."


After Section, add following two new subsections:

" Any Other Method


This method has been retired and MUST NOT be used. Validating Applicant as a Domain Contact


Confirming the Applicant's control over the FQDN by validating the Applicant
is the Domain Contact. This method may only be used if the CA is also the
Domain Name Registrar, or an Affiliate of the Registrar, of the Base Domain


Note: Once the FQDN has been validated using this method, the CA MAY also
issue Certificates for other FQDNs that end with all the labels of the
validated FQDN. This method is suitable for validating Wildcard Domain


In Section 4.2.1, after the paragraph that begins "After the change to any
validation method", add the following paragraph: "Validations completed
using methods specified in Section or Section SHALL NOT
be re-used on or after August 1, 2018."




For the purposes of section 4.2.1, the new text added to 4.2.1 from this
ballot is "specifically provided in a [this] ballot."


The procedure for approval of this ballot is as follows:


Discussion (7+ days) 

  Start Time: 2017-01-22  21:30:00 UTC  

  End Time: 2017-01-29 21:50:00 UTC


Vote for approval (7 days) 

  Start Time: 2017-01-29 21:50:00 UTC

  End Time: 2017-02-05 21:50 UTC


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180131/cd6bd21b/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4940 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180131/cd6bd21b/attachment-0003.p7s>

More information about the Public mailing list