[cabf_validation] [EXTERNAL]Re: Ballot Proposal: Validation Method in certificatePolicies

Wayne Thayer wthayer at mozilla.com
Wed Oct 10 07:56:15 MST 2018 

That's an oversight on my part. Thanks for pointing it out. I will change
it to "Validation Method in Certificate" when I assign a ballot number.

- Wayne

On Tue, Oct 9, 2018 at 9:58 PM Tomas Gustavsson via Validation <
validation at cabforum.org> wrote:

>
> Hi,
>
> A question, why is this ballot called "Validation Method in Certificate
> Policies Extension" when it is not in the Certificate Policies Extension?
>
> Regards,
> Tomas
>
> On 2018-10-09 21:07, Wayne Thayer via Validation wrote:
> > Thanks for the suggestion Tim - I made the change.
> >
> > Here is a draft ballot - are two members willing to endorse?
> >
> > - Wayne
> > ===============================================
> > Ballot SC#: Validation Method in Certificate Policies Extension
> >
> > Purpose of Ballot
> > Late in 2017 a number of vulnerabilities were discovered in existing
> > domain validation methods. There was and still is no way to accurately
> > determine the scope of the problem. Since then, the Validation
> > subcommittee has discussed the need for better data on the use of
> > validation methods. At the London Face-to-face meeting, a proposal to
> > gather this data by encoding validation methods in a certificate
> > extensions was discussed, and since then the proposal has been refined
> > to address technical concerns.
> >
> > This ballot requires disclosure of the domain and IP address validation
> > methods used in the vetting of all TLS certificates issued on or after
> > July 1, 2019. Disclosure is made by encoding this information in a new
> > extension in the certificate. Care has been taken to minimize the
> > increase in the size of certificates by encoding this information as a
> > series of bits.
> >
> > The following motion has been proposed by Wayne Thayer of Mozilla and
> > endorsed by XXX of YYY and XXX of YYY.
> >
> > --- MOTION BEGINS ---
> >
> > This ballot modifies the “Baseline Requirements for the Issuance and
> > Management of Publicly-Trusted Certificates” as follows, based on
> > Version 1.6.0: Add subsections (g) and (h) to section 7.1.2.3 as follows:
> >
> >  g.   cabf-BRDomainValidation (2.23.140.1.11) (required on or after July
> > 1, 2019 if the certificate contains any subjectAlternativeName entries
> > of type DNSName)
> >
> > This extension contains a binary encoding of every distinct method
> > performed by the CA to validate domain control or ownership of each FQDN
> > contained in the certificate's subjectAlternativeName. If an FQDN has
> > been validated using multiple methods, the CA MAY assert more than one
> > of the methods. This extension SHOULD NOT be marked critical.
> >
> > Bits representing the use of one or more section 3.2.2.4 domain
> > validation methods MUST be encoded in this extension as follows:
> >
> > The leading bit in position 0 is reserved. Each subsequent bit
> > represents the corresponding subsection of section 3.2.2.4 used to
> > perform domain validation. The corresponding bit MUST be set to indicate
> > that the method was used for validation.
> >
> > BRDomainValidationMethods ::= BIT STRING {
> >   unused (0),
> >   method3224_1 (1),
> >   method3224_2 (2),
> >   method3224_3 (3),
> >   method3224_4 (4),
> >   method3224_5 (5),
> >   method3224_6 (6),
> >   method3224_7 (7),
> >   method3224_8 (8),
> >   method3224_9 (9),
> >   method3224_10 (10),
> >   method3224_11 (11),
> >   method3224_12 (12)
> > }
> >
> > id-cabf-BRDomainValidation OBJECT IDENTIFIER ::= { 2.23.140.1.11 }
> >
> > ext-cabf-BRDomainValidation EXTENSION ::= { SYNTAX
> > BRDomainValidationMethods IDENTIFIED BY id-cabf-BRDomainValidation }
> >
> >  h.   cabf-BRIPAddressValidation (2.23.140.1.12) (required on or after
> > July 1, 2019 if the certificate contains any subjectAlternativeName
> > entries of type IPAddress)
> >
> > This extension contains a binary encoding of every distinct method
> > performed by the CA to validate IP address control or ownership of each
> > IP address contained in the certificate's subjectAlternativeName. If an
> > IP address has been validated using multiple methods, the CA MAY assert
> > more than one of the methods. This extension SHOULD NOT be marked
> critical.
> >
> > Bits representing the use of one or more section 3.2.2.5 IP address
> > validation methods MUST be encoded in this extension as follows:
> >
> > The leading bit in position 0 is reserved. Each subsequent bit
> > represents the corresponding subsection of section 3.2.2.5 used to
> > perform domain validation. The corresponding bit MUST be set to indicate
> > that the method was used for validation.
> >
> > BRIPAddressValidationMethods ::= BIT STRING {
> >   unused (0),
> >   method3225_1 (1),
> >   method3225_2 (2),
> >   method3225_3 (3),
> >   method3225_4 (4),
> > }
> >
> > id-cabf-BRIPAddressValidation OBJECT IDENTIFIER ::= { 2.23.140.1.12 }
> >
> > ext-cabf-BRIPAddressValidation EXTENSION ::= { SYNTAX
> > BRIPAddressValidationMethods IDENTIFIED BY id-cabf-BRIPAddressValidation
> }
> >
> > --- MOTION ENDS ---
> >
> > This ballot proposes a Final Maintenance Guideline. A comparison of the
> > changes can be found at:
> > https://github.com/cabforum/documents/compare/master...wthayer:Ballot226
> >
> > The procedure for approval of this ballot is as follows:
> >
> > Discussion (7+ days)
> > Start Time: TBD UTC
> > End Time: TBD UTC
> >
> > Vote for approval (7 days)
> > Start Time: TBD UTC
> > End Time: TBD UTC
> >
> > On Mon, Oct 8, 2018 at 9:56 AM Tim Hollebeek <tim.hollebeek at digicert.com
> > <mailto:tim.hollebeek at digicert.com>> wrote:
> >
> >     Might want to use underscores to make it clear where the method
> >     number starts.____
> >
> >     __ __
> >
> >     E.g. “method3224_1” through “method3224_12”.____
> >
> >     __ __
> >
> >     -Tim____
> >
> >
> >
> >
> > _______________________________________________
> > Validation mailing list
> > Validation at cabforum.org
> > https://cabforum.org/mailman/listinfo/validation
> >
> _______________________________________________
> Validation mailing list
> Validation at cabforum.org
> https://cabforum.org/mailman/listinfo/validation
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20181010/5da84341/attachment-0001.html>

More information about the Validation mailing list