[Servercert-wg] Voting begins: Ballot SC14 version 5: Updated

Wayne Thayer wthayer at mozilla.com
Fri Feb 1 07:32:19 MST 2019


Hello Li-Chun,

Your message was received after voting had ended, so your vote will not be
counted.

https://cabforum.org/pipermail/servercert-wg/2019-January/000597.html

- Wayne

On Thu, Jan 31, 2019 at 6:40 PM 陳立群 via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> Chunghwa Telecom votes Yes on SC14 v5
>
> Thanks.
>
>        Li-Chun Chen
>
>
>
> From: Servercert-wg [mailto:servercert-wg-bounces at cabforum.org] On Behalf
> Of Daymion T. Reynolds via Servercert-wg
> Sent: Friday, February 01, 2019 1:22 AM
> To: Doug Beattie; CA/B Forum Server Certificate WG Public Discussion List
> Subject: [External Mail] Re: [Servercert-wg] Voting begins: Ballot SC14 version 5:
> Updated Phone Validation Methods
>
> Godaddy votes yes on SC14 v5
>
> From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of
> Doug Beattie via Servercert-wg
> Sent: Thursday, January 24, 2019 11:15 AM
> To: CA/B Forum Server Certificate WG Public Discussion List <
> servercert-wg at cabforum.org>
> Subject: [Servercert-wg] Voting begins: Ballot SC14 version 5: Updated
> Phone Validation Methods
>
>
> Voting begins for Ballot SC14 today and ends in one week on 2019-01-31
> 13:15 Eastern
>
>
>
> Ballot SC14: Updated Phone Validation Methods
>
> Purpose of Ballot: As discussed during the Validation Summit, Method 3 of
> the Baseline Requirements could use some improvements to close off some
> potential bad practices that might lead to security risks.  This Ballot
> tightens up the rules around phone validation in order to make sure domain
> authorization or control is verified with a person who is authorized to do
> so by introducing a replacement for Method 3.  Validations done under
> Method 3 will continue to be valid until the end of the data reuse period,
> but new phone based validations must use the new method by the date
> specified in the ballot below.
>
> This ballot also builds on “Ballot SC13: CAA Contact Property and
> Associated E-mail Validation Methods” to permit domain owners to publish
> Domain Validation phone numbers in DNS TXT records.  Since these phone
> numbers are specifically for the purpose of validating domains, it’s not
> permissible to be transferred to a different number.
>
> The following motion has been proposed by Doug Beattie of GlobalSign and
> endorsed by Bruce Morton of Entrust and Tim Hollebeek of DigiCert.
>
> --- MOTION BEGINS ---
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” as follows, based on Version
> 1.6.2 with ballot SC13 changes:
>
> Add the following definition to section 1.6.1:
>
> DNS TXT Record Phone Contact: The phone number defined in section B.2.2.
>
> In section 3.2.2.4.3, after the end of the second paragraph add the
> following text as a new paragraph: “CAs SHALL NOT perform validations using
> this method after May 31, 2019.  Completed validations using this method
> SHALL continue to be valid for subsequent issuance per the applicable
> certificate data reuse periods.”
>
>
> Add sections 3.2.2.4.15 and  3.2.2.4.16 as follows:
>
> 3.2.2.4.15 Phone Contact with Domain Contact
>
> Confirm the Applicant's control over the FQDN by calling the Domain
> Contact’s phone number and obtain a confirming response to validate the
> ADN. Each phone call MAY confirm control of multiple ADNs provided that the
> same Domain Contact phone number is listed for each ADN being verified and
> they provide a confirming response for each ADN.
>
> In the event that someone other than a Domain Contact is reached, the CA
> MAY request to be transferred to the Domain Contact.
>
> In the event of reaching voicemail, the CA may leave the Random Value and
> the ADN(s) being validated. The Random Value MUST be returned to the CA to
> approve the request.
>
> The Random Value SHALL remain valid for use in a confirming response for
> no more than 30 days from its creation. The CPS MAY specify a shorter
> validity period for Random Values.
>
> Note: Once the FQDN has been validated using this method, the CA MAY also
> issue Certificates for other FQDNs that end with all the labels of the
> validated FQDN.  This method is suitable for validating Wildcard Domain
> Names.
>
> 3.2.2.4.16 Phone Contact with DNS TXT Record Phone Contact
>
> Confirm the Applicant's control over the FQDN by calling the DNS TXT
> Record Phone Contact’s phone number and obtain a confirming response to
> validate the ADN. Each phone call MAY confirm control of multiple ADNs
> provided that the same DNS TXT Record Phone Contact phone number is listed
> for each ADN being verified and they provide a confirming response for each
> ADN.
>
> The CA MAY NOT knowingly be transferred or request to be transferred as
> this phone number has been specifically listed for the purposes of Domain
> Validation.
>
> In the event of reaching voicemail, the CA may leave the Random Value and
> the ADN(s) being validated.  The Random Value MUST be returned to the CA to
> approve the request.
>
> The Random Value SHALL remain valid for use in a confirming response for
> no more than 30 days from its creation. The CPS MAY specify a shorter
> validity period for Random Values.
>
> Note: Once the FQDN has been validated using this method, the CA MAY also
> issue Certificates for other FQDNs that end with all the labels of the
> validated FQDN.  This method is suitable for validating Wildcard Domain
> Names.
>
>
> Add appendix section B.2.2 as follows:
>
> B.2.2. DNS TXT Record Phone Contact
>
> The DNS TXT record MUST be placed on the "_validation-contactphone"
> subdomain of the domain being validated.  The entire RDATA value of this
> TXT record MUST be a valid Global Number as defined in RFC 3966 section
> 5.1.4, or it cannot be used.
>
>
> --- MOTION ENDS ---
>
> *** WARNING ***: USE AT YOUR OWN RISK.  THE REDLINE BELOW IS NOT THE
> OFFICIAL VERSION OF THE CHANGES (CABF Bylaws, Section 2.4(a)):
>
> A comparison of the changes can be found at:
> https://github.com/dougbeattie/documents/compare/master...dougbeattie:SC14---Phone-validation-updates
>
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
> Start Time: 2019-01-16 16:30 Eastern
>
> End Time: Not before 2019-01-23 16:30 Eastern
>
> Vote for approval (7 days)
>
> Start Time: 2019-01-24 13:15 Eastern
>
> End Time: 2019-01-31 13:15 Eastern
>
>
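
The B.2.2 record name and RDATA check from the quoted ballot, together with the "same phone number listed for each ADN" condition of 3.2.2.4.16, as an added Python example that is not part of the original thread or the ballot text. The function names and the sample zone are constructed; rejecting RFC 3966 parameters such as `;ext=`, enforcing the 15-digit E.164 limit, and comparing numbers with visual separators removed are assumptions of this sketch.

```python
import re

LABEL = "_validation-contactphone"  # subdomain named in ballot section B.2.2
# RFC 3966 ABNF: global-number-digits = "+" *phonedigit DIGIT *phonedigit
# phonedigit = DIGIT / visual-separator; visual-separator = "-" / "." / "(" / ")"
_GLOBAL_DIGITS = re.compile(r"\+[0-9().-]*[0-9][0-9().-]*")
_SEPARATORS = str.maketrans("", "", "-.()")
E164_MAX_DIGITS = 15  # assumption: also enforce the E.164 length limit

# Constructed sample data: DNS name -> TXT RDATA values found at that name.
SAMPLE_ZONE = {
    "_validation-contactphone.example.com": ["+1-555-010-0199"],
    "_validation-contactphone.example.net": ["+1 555 010 0199"],  # spaces are not allowed
    "_validation-contactphone.example.org": ["+1.555.010.0199", "call the helpdesk"],
}


def contact_name(adn):
    """DNS name that holds the phone-contact TXT record for an ADN."""
    return f"{LABEL}.{adn.rstrip('.').lower()}"


def normalize(rdata):
    """Return '+<digits>' if the ENTIRE RDATA is a global number, else None."""
    # fullmatch: no surrounding text, whitespace or trailing newline is tolerated.
    if not _GLOBAL_DIGITS.fullmatch(rdata):
        return None
    number = rdata.translate(_SEPARATORS)
    return number if len(number) - 1 <= E164_MAX_DIGITS else None


def usable_numbers(txt_values):
    """Set of normalized numbers from the TXT values that pass the B.2.2 check."""
    return {n for n in map(normalize, txt_values) if n}


def adns_for_one_call(zone, adns, number):
    """ADNs that list `number`, so one call to it may confirm all of them."""
    target = normalize(number)
    if target is None:
        return []
    return sorted(a for a in adns
                  if target in usable_numbers(zone.get(contact_name(a), [])))


if __name__ == "__main__":
    print(adns_for_one_call(SAMPLE_ZONE,
                            ["example.com", "example.net", "example.org"],
                            "+1(555)010-0199"))
```

A record that fails the check "cannot be used" under B.2.2, so the sketch drops it rather than trying to repair it.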