[Servercert-wg] VOTING BEGINS: Ballot SC33: TLS Using ALPN Method

Roland Shoemaker roland at letsencrypt.org
Mon Aug 10 11:31:36 MST 2020


Let's Encrypt votes YES to SC33.

On Fri, Aug 7, 2020 at 1:06 PM Wayne Thayer via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> This begins the voting period for ballot SC33: TLS Using ALPN Method
>
> Purpose of Ballot:
>
> In January 2018, a vulnerability affecting the ACME TLS-SNI-01 method of
> domain validation was disclosed [1]. That method is an implementation of BR
> 3.2.2.4.10, which is still permitted by the BRs despite the vulnerability.
> Some Browsers have banned the use of method 10 unless mitigations for the
> vulnerability have been put into place, and one approach to mitigation -
> using application-layer protocol negotiation (ALPN) - has now been
> standardized by the IETF as RFC 8737. This ballot replaces the poorly
> specified and potentially insecure 'method 10' with a new 'method 20' based
> on RFC 8737.
>
> The ballot proposed no transition period during which method 10, or
> validations performed using method 10 may continue to be relied upon. The
> only known current use of method 10 is an implementation of RFC 8737 that
> would remain compliant (although it may require changes to the CA's CPS and
> the identifier of the method that is being logged when performing
> validations).
>
> This ballot also limits the use of the new method to the specific FQDN
> that was validated - different subdomains require new validations, and
> wildcards are not permitted. This requirement is not the result of a
> specific known risk but rather stems from a belief that DNS-based
> validation methods are more appropriate for verifying control over an
> entire subdomain.
>
> [1]
> https://groups.google.com/d/msg/mozilla.dev.security.policy/RHsIInIjJA0/LKrNi35aAQAJ
>
>
> The following motion has been proposed by Wayne Thayer of Mozilla and
> endorsed by Roland Shoemaker of Let's Encrypt and Tim Hollebeek of DigiCert.
>
> -- MOTION BEGINS --
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” as follows, based on Version
> 1.7.0:
>
> MODIFY section 3.2.2.4 as defined in the following redline:
> https://github.com/cabforum/documents/compare/df5bd3b00e3a215202dedafa68bf8f608d47041b...26913aa7f75a78eff1af5cb628451b9433011a67
>
> -- MOTION ENDS --
>
>
> This ballot proposes a Final Maintenance Guideline.
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
> Start Time: 31-July, 2020 17:00 UTC
>
> End Time: not before 7-August, 2020 17:00 UTC
>
> Vote for approval (7 days)
>
> Start Time: 7-August, 2020 20:00 UTC
>
> End Time: 14-August, 2020 20:00 UTC
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20200810/e5d895ac/attachment.html>


More information about the Servercert-wg mailing list