[cabf_validation] Ballot 190 Section 2

Doug Beattie doug.beattie at globalsign.com
Mon Apr 24 11:51:49 MST 2017


OK, so we need to say that as of some date (the date we remove method 11,
the ballot effective date) you can't re-use cert data if it hasn't been
collected since January 1, 2015 (or some date) under one of the current 10
domain verification methods.

 

From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com] 
Sent: Monday, April 24, 2017 2:41 PM
To: Doug Beattie <doug.beattie at globalsign.com>; CA/Browser Forum Validation
WG List <validation at cabforum.org>
Subject: RE: Ballot 190 Section 2

 

Essentially, but the issue is not just 39 months. For example, a certificate
issued five years ago (which is before the BRs were required) could use no
validation and still be okay. The documentation for those certs would still
be valid, even if there isn't any. 

 

From: Doug Beattie [mailto:doug.beattie at globalsign.com] 
Sent: Monday, April 24, 2017 12:35 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Jeremy Rowley <jeremy.rowley at digicert.com>
Subject: RE: Ballot 190 Section 2

 

 

The "any other method" still remains as a valid option and the problem
outlined below is only when this method is removed, correct? We basically
need to grandfather in validation data collected under method 11 for some
period of time. Ryan does not want this to be 39 months for all the reasons
he listed.

Is that the crux of the issue?  

Doug

 

 

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of
Jeremy Rowley via Validation
Sent: Monday, April 24, 2017 1:37 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Jeremy Rowley <jeremy.rowley at digicert.com>
Subject: [cabf_validation] Ballot 190 Section 2

 

Section 190 was withdrawn because of objections to Section 2 of the ballot:

"This provisions of Ballot Section 1 will apply only to the validation of
domain names occurring after this Ballot 190's effective date.  Validation
of domain names that occurs before this Ballot's effective date and the
resulting validation data may continue to be used for the periods specified
in BR 4.2.1 and EVGL 11.14.3 so long as the validations were conducted in
compliance with the BR Section 3.2.2.4 validation methods in effect at the
time of each validation."

Basically, the browsers would like a date when this cuts off so that old
certificate validation data can't be reused. Any thoughts on how to
reconcile? 

 
