[cabf_validation] Ballot 190 follow-up discussion

Doug Beattie doug.beattie at globalsign.com
Thu May 4 09:12:04 MST 2017


I think we need a specific date when the cached results from old validation methods can no longer be used: June 1, 2018, or similar. For those CAs that complied with the March 1, 2017 date of ballot 169, this is 15 months to revalidate all domains (given that 27 months is the limit, this brings in the requirement by 12 months). Is that feasible for everyone?

Optionally, if it helps security, then we could also levy requirements on the CA to do CAA and/or CT if they do reuse this older data:

- By September, support CAA (which is meaningless since it's mandatory anyway...)

- By September, post all certificates to CT logs if you used validation data collected under methods other than the 10 listed.

Is supporting CT and CAA within 5 months good enough mitigation for using such domain validation data till the proposed cutoff?

