[cabf_validation] Ballot SC##: TLS Using ALPN Method

Roland Shoemaker roland at letsencrypt.org
Tue Jul 28 12:20:36 MST 2020


Let's Encrypt would be happy to endorse.

On Mon, Jul 27, 2020 at 4:20 PM Wayne Thayer via Validation <
validation at cabforum.org> wrote:

> I am seeking two endorsers for the following ballot that replaces domain
> validation method 3.2.2.4.10 with the TLS ALPN method defined in RFC 8737.
>
> Thanks,
>
> Wayne
> =============
> Purpose of Ballot:
>
> In January 2018, a vulnerability affecting the ACME TLS-SNI-01 method of
> domain validation was disclosed [1]. That method is an implementation of BR
> 3.2.2.4.10, which is still permitted by the BRs despite the vulnerability.
> Some Browsers have banned the use of method 10 unless mitigations for the
> vulnerability have been put into place, and one approach to mitigation -
> using application-layer protocol negotiation (ALPN) - has now been
> standardized by the IETF as RFC 8737. This ballot replaces the poorly
> specified and potentially insecure 'method 10' with a new 'method 20' based
> on RFC 8737.
>
> The ballot proposed no transition period during which method 10, or
> validations performed using method 10, may continue to be relied upon. The
> only known current use of method 10 is an implementation of RFC 8737 that
> would remain compliant (although it may require changes to the CA's CPS and
> the name of the method being logged when performing validations).
>
> This ballot also limits the use of the new method to the specific FQDN
> that was validated - different subdomains require new validations and
> wildcards are not permitted. This requirement is not the result of a
> specific known risk but rather stems from a belief that DNS-based
> validation methods are more appropriate for verifying control over an
> entire subdomain.
>
> [1]
> https://groups.google.com/d/msg/mozilla.dev.security.policy/RHsIInIjJA0/LKrNi35aAQAJ
>
>
> The following motion has been proposed by Wayne Thayer of Mozilla and
> endorsed by xxx of yyy and xxx of yyy.
>
> -- MOTION BEGINS --
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” as follows, based on Version
> 1.7.0:
>
> MODIFY section 3.2.2.4 as defined in the following redline:
> https://github.com/cabforum/documents/pull/205/files
>
> -- MOTION ENDS --
>
>
> This ballot proposes two Final Maintenance Guidelines.
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
> Start Time: TBD
>
> End Time: TBD
>
> Vote for approval (7 days)
>
> Start Time: TBD
>
> End Time: TBD