[cabf_validation] [EXTERNAL]Re: Ballot Proposal: Validation Method in certificatePolicies

Ryan Sleevi sleevi at google.com
Wed Aug 15 10:40:57 MST 2018


Ah, thanks for clarifying. I think that, barring some consideration not
taken into account, then either of these two solutions work.

1) Corey's solution:
  - 1 extension for DNS validation methods
  - 1 extension for IP address validation methods
  - Looking at the CT logs, I see there's only 482 certs/precerts in CT for
the period 2018-01-01 to 2018-08-10 with both DNS & IP addresses, compared
to 209,560,065 entries for that same period (note: this includes compliance
monitoring certs)
2) Assigning a distinct ID for each validation method within the respective
3.2.2.4 and 3.2.2.5 sections
  - That is, the IP address section may say "The ID of this validation
method is 17"
  - A newly added DNS method may say "The ID of this validation method is
18"

I think an informative (non-normative) table can benefit Approach 2, but
that could be managed as part of the change process (e.g. "ID method 17
refers to method 3.2.2.5.13, introduced in BRs 1.6.9 and removed in BRs
1.9.2" or the like), but that's not essential. Happy to help draft text to
demonstrate that, if it would help.

On Wed, Aug 15, 2018 at 12:55 PM Wayne Thayer <wthayer at mozilla.com> wrote:

> On Wed, Aug 15, 2018 at 9:40 AM Ryan Sleevi <sleevi at google.com> wrote:
>
>> Just checking if I understand:
>>
>> Are you suggesting folding the document into a single section (that is,
>> combining 3.2.2.4 and 3.2.2.5)?
>>
>
> Not necessarily, although that could work. I'm asking how you think this
> should be implemented.
>
>
>> Could you explain what the concerns would be for the alternative
>> solution, which is just, within each section, e.g. 3.2.2.4.1
>>
>> This ID of this validation method is 1.
>>
>
> That is what I'm suggesting. Moreover, I want to get some general sense of
> how to implement this before drafting the language.
>
>
>> That is, I'd like to try to understand a bit more the desire for a need
>> for a separate mapping table, and how the existence or absence of alignment
>> between the document and the identifiers helps or hinders the use cases you
>> envisage for this.
>>
>>
>