[cabf_validation] [EXTERNAL]Re: Ballot Proposal: Validation Method in certificatePolicies

Wayne Thayer wthayer at mozilla.com
Thu Aug 2 17:05:06 MST 2018


I've addressed all the feedback that I have received in the version of the
ballot below and at [1].

I'm a complete rookie at ABNF and I've almost certainly botched the syntax.
Can someone help me get the encoding right?

I'm also looking for two endorsers, and of course, any additional feedback.

- Wayne

==========================================================

Ballot SC#: Validation Method Encoded in Certificates

Purpose of Ballot: The methods defined in BR section 3.2.2.4 and 3.2.2.5 to
confirm control or ownership of each domain name or IP address placed in a
TLS certificate have varying security properties. This ballot proposes a
standard format for expressing the method(s) the CA used to validate domain
control or ownership of the Authorization Domain Name(s) placed in a
certificate, and requires conforming CAs to include this information in
certificates issued on or after July 1, 2019. This information is useful
for quantification and analysis when vulnerabilities in specific methods
are identified, and disclosing it will benefit the PKI ecosystem. As
specified, this information is not useful or intended for making trust
decisions in user agents.

The following motion has been proposed by Wayne Thayer of Mozilla and
endorsed by XXX of YYY and XXX of YYY.

— MOTION BEGINS –
This ballot modifies the “Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates” as follows, based upon Version
1.5.7:

Add the following definitions to section 1.2:

{joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140)
certificate-policies(1) baseline-requirements(2)
domain-validation-methods(4)} (2.23.140.1.2.4).
{joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140)
certificate-policies(1) baseline-requirements(2)
IP-address-validation-methods(5)} (2.23.140.1.2.5).

Add section 7.1.2.3(g), as follows:

This extension MUST be present and SHOULD NOT be marked critical. g.
cabf-BRValidationMethod (2.23.140.1.11) (required on or after April 1, 2019)

This extension contains a list of one or more OIDs that assert every
distinct method performed by the CA to validate domain control or ownership
of each FQDN contained in the certificate's subjectAlternativeName. If an
FQDN has been validated using multiple methods, the CA MAY assert more than
one of the methods. This extension SHOULD NOT be marked critical.

These OIDs representing validation methods SHALL be defined as follows:
    * 2.23.140.1.2.4. concatenated with the subsection number of section
3.2.2.4 corresponding to the domain validation method that was used to
validate one or more subjectAlternativeNames in this certificate (e.g.
'2.23.140.1.2.4.2'); or,

    * 2.23.140.1.2.5 concatenated with the subsection number of section
3.2.2.5 corresponding to the IP address validation method that was used to
validate one or more subjectAlternativeNames in the certificate (e.g.
'2.23.140.1.2.5.1').

OIDs representing validation methods MUST be encoded in this extension as
follows:

cabf-BRValidationMethod OBJECT IDENTIFIER ::= { 2.23.140.1.11 }

BRValidationMethodSyntax ::= SEQUENCE SIZE (1..MAX) OF
DomainOrIpAddressValidationMethodId

DomainOrIpAddressValidationMethodId ::= OBJECT IDENTIFIER


— MOTION ENDS –

[1]
https://github.com/cabforum/documents/compare/master...wthayer:Ballot226#diff-7f6d14a20e7f3beb696b45e1bf8196f2
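
The draft syntax above (a SEQUENCE of one or more OBJECT IDENTIFIERs), shown as DER bytes for the two example OIDs in the ballot text. This is an added example, not part of the message or the ballot; it assumes the extension value is the DER encoding of BRValidationMethodSyntax exactly as drafted, and all helper names are hypothetical.

```python
# Added example, not ballot text; helper names are hypothetical. Short-form DER lengths only.
DOMAIN_ARC = (2, 23, 140, 1, 2, 4)  # + subsection number of BR 3.2.2.4
IP_ARC = (2, 23, 140, 1, 2, 5)      # + subsection number of BR 3.2.2.5

def _base128(n):
    out = [n & 0x7F]
    while n > 0x7F:
        n >>= 7
        out.append((n & 0x7F) | 0x80)
    return bytes(reversed(out))

def _tlv(tag, body):
    if len(body) > 127:
        raise ValueError("long-form length not supported in this example")
    return bytes([tag, len(body)]) + body

def encode_methods(oids):
    """DER for SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER."""
    if not oids:
        raise ValueError("SIZE (1..MAX): at least one method OID is required")
    items = b""
    for arcs in oids:
        first = arcs[0] * 40 + arcs[1]  # first two arcs share one subidentifier
        items += _tlv(0x06, b"".join(_base128(a) for a in (first, *arcs[2:])))
    return _tlv(0x30, items)

def decode_methods(der):
    """Return (dotted OID, BR subsection) for each method OID in the value."""
    if len(der) < 4 or der[0] != 0x30 or der[1] > 127 or der[1] != len(der) - 2:
        raise ValueError("expected a non-empty short-form SEQUENCE")
    pos, found = 2, []
    while pos < len(der):
        end = pos + 2 + der[pos + 1] if pos + 2 <= len(der) else len(der) + 1
        body = der[pos + 2:end]
        if der[pos] != 0x06 or end > len(der) or not body or body[-1] & 0x80:
            raise ValueError("malformed OBJECT IDENTIFIER")
        vals, cur = [], 0
        for b in body:
            cur = (cur << 7) | (b & 0x7F)
            if not b & 0x80:
                vals.append(cur)
                cur = 0
        first = min(vals[0] // 40, 2)
        arcs = (first, vals[0] - 40 * first, *vals[1:])
        section = {DOMAIN_ARC: "3.2.2.4", IP_ARC: "3.2.2.5"}.get(arcs[:6])
        if section is None or len(arcs) != 7:
            raise ValueError("OID is not under a validation-method arc")
        found.append((".".join(map(str, arcs)), f"{section}.{arcs[6]}"))
        pos = end
    return found
```

Encoding `DOMAIN_ARC + (2,)` and `IP_ARC + (1,)` gives a 20-byte value; the decoder rejects an empty SEQUENCE and any OID outside the two arcs the ballot defines.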