[cabf_validation] Suggested edit to IP Address Ballot

Kirk Hall Kirk.Hall at entrustdatacard.com
Wed Oct 4 19:15:57 MST 2017


Jeremy - I have one preliminary edit to suggest.

Your new ballot on 3.2.2.5 starts with the following language:

The CA SHALL confirm that, as of the date the Certificate issues, that the CA verified each IP Address listed in the Certificate using at a method specified in this section 3.2.2.5. ***

Before Ballot 190, similar language “as of the date the Certificate issues” used to be in the starting paragraph of BR 3.2.2.4 on domain validation:

BR 3.2.2.4 BEFORE Ballot 190:

The CA SHALL confirm that, as of the date the Certificate issues, either the CA or a Delegated Third Party has validated each Fully-Qualified Domain Name (FQDN) listed in the Certificate using at least one of the methods listed below.

But during the discussion of Ballot 190, some people interpreted the language “as of the date the Certificate issues” as requiring revalidation of a domain EVERY TIME the customer ordered a new cert - and therefore would not let a CA re-use domain validation information as permitted under BR 4.2.1.  That was not the actual practice and not what we wanted.

To fix this and clarify the language to make it clear that domain validation language can be reused without revalidation for the period allowed under BR 4.2.1, we modified the beginning paragraphs of BR 3.2.2.4 to read as follows:

BR 3.2.2.4 AFTER Ballot 190:

The CA SHALL confirm that prior to issuance, the CA or a Delegated Third Party has validated each Fully‐Qualified Domain Name (FQDN) listed in the Certificate using at least one of the methods listed below.

Can you modify the first paragraph of your new ballot on BR 3.2.2.5 so that it reads as follows?  I think that is your actual intent:

3.2.2.5. Authentication for an IP Address

This section defines the permitted processes and procedures for validating the Applicant’s ownership or control of an IP Address listed in the Certificate.

The CA SHALL confirm that, as of the date the Certificate issues, that  prior to issuance, the CA verified each IP Address listed in the Certificate using at a method specified in this section 3.2.2.5. ***



From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Jeremy Rowley via Validation
Sent: Monday, October 2, 2017 2:04 AM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: [EXTERNAL][cabf_validation] IP Address Ballot

Attached is a revised IP address ballot. This was revised with the latest comments from Ryan (back in March) and based on 190 passing.

Jeremy