[Servercert-wg] Ballot SC15: Remove Validation Method Number 9

Ryan Sleevi sleevi at google.com
Thu Jan 17 13:00:29 MST 2019


Thanks for confirming intent! Unfortunately, it's explicitly permitted by
Section 4.2.1 unless otherwise stated. That was something I'd flagged
during the Ballot 190 discussion, since it means the default leaves
undesirable stuff in. To achieve that goal, we'd need something in the
ballot to explicitly state it (as 4.2.1 mentions)

I suspect this would mean that the section is more explicitly:

This method has been retired and MUST NOT be used. Prior validations using
this method and validation data gathered according to this method may not
be used to issue certificates.


I think with that change, we'd be happy to endorse. As mentioned in the
Validation WG, because this has been effectively prohibited by Root
Programs for some time now, there really doesn't need to be a phase-in date.

On Thu, Jan 17, 2019 at 2:49 PM Doug Beattie <doug.beattie at globalsign.com>
wrote:

> Ryan,
>
>
>
> None of the previously completed validations can be used for new
> issuance.  I think it’s written that way, but I can add something in the
> ballot prefix that specifically states that if you think it’s necessary.
>
>
>
>
>
>
>
> *From:* Ryan Sleevi <sleevi at google.com>
> *Sent:* Thursday, January 17, 2019 2:43 PM
> *To:* Bruce Morton <Bruce.Morton at entrustdatacard.com>; CA/B Forum Server
> Certificate WG Public Discussion List <servercert-wg at cabforum.org>
> *Cc:* Doug Beattie <doug.beattie at globalsign.com>
> *Subject:* Re: [Servercert-wg] Ballot SC15: Remove Validation Method
> Number 9
>
>
>
> Doug:
>
> What about previously completed validations? Can/should they be reused? I
> don't think so, and that certainly aligns with various root program
> requirements, but I'm curious if it was intentional.
>
>
>
> On Thu, Jan 17, 2019 at 2:21 PM Bruce Morton via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
> I will endorse.
>
>
>
> Bruce.
>
>
>
> *From:* Servercert-wg [mailto:servercert-wg-bounces at cabforum.org] *On
> Behalf Of *Doug Beattie via Servercert-wg
> *Sent:* January 17, 2019 2:21 PM
> *To:* servercert-wg at cabforum.org
> *Subject:* [EXTERNAL][Servercert-wg] Ballot SC15: Remove Validation
> Method Number 9
>
>
>
>
>
> I’m looking for 2 endorsers.
>
>
>
>
>
> Ballot SC15: Remove Validation Method Number 9
>
>
>
> Purpose of Ballot:  Method 9, Test Certificate, is insecure when web
> hosting platforms use a single IP address for more than one Domain Name, so
> this method must not be used.
>
>
>
> The following motion has been proposed by Doug Beattie of GlobalSign and
> endorsed by XXX and YYY
>
>
>
> --- MOTION BEGINS ---
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” as follows, based on Version
> 1.6.2:
>
>
>
> Replace the content of section 3.2.2.4.9 with:
>
>
>
> This method has been retired and MUST NOT be used.
>
>
>
>
>
> --- MOTION ENDS ---
>
>
>
> *** WARNING ***: USE AT YOUR OWN RISK.  THE REDLINE BELOW IS NOT THE
> OFFICIAL VERSION OF THE CHANGES (CABF Bylaws, Section 2.4(a)):
>
>
>
> A comparison of the changes can be found at:
> https://github.com/dougbeattie/documents/compare/master...dougbeattie:SC15---Remove-Method-9
>
>
>
>
>
> The procedure for approval of this ballot is as follows:
>
>
>
> Discussion (7+ days)
>
>
>
> Start Time: TBD
>
>
>
> End Time: TBD
>
>
>
> Vote for approval (7 days)
>
>
>
> Start Time: TBD
>
>
>
> End Time: TBD
>
>
>
>
>
>
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> http://cabforum.org/mailman/listinfo/servercert-wg
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20190117/00b228c8/attachment.html>


More information about the Servercert-wg mailing list