[cabf_validation] Ballot SC##: TLS Using ALPN Method

Wayne Thayer wthayer at gmail.com
Thu Jul 30 12:50:01 MST 2020


Thank you Roland and Tim. I will assign a ballot number and get the
discussion period started.

- Wayne

On Thu, Jul 30, 2020 at 12:12 PM Tim Hollebeek <tim.hollebeek at digicert.com>
wrote:

> I’m willing to endorse this Ballot.
>
>
>
> -Tim
>
>
>
> *From:* Validation <validation-bounces at cabforum.org> *On Behalf Of *Wayne
> Thayer via Validation
> *Sent:* Monday, July 27, 2020 7:20 PM
> *To:* CABforum3 <validation at cabforum.org>
> *Subject:* [cabf_validation] Ballot SC##: TLS Using ALPN Method
>
>
>
> I am seeking two endorsers for the following ballot that replaces domain
> validation method 3.2.2.4.10 with the TLS ALPN method defined in RFC 8737.
>
>
>
> Thanks,
>
>
>
> Wayne
>
> =============
>
> Purpose of Ballot:
>
>
>
> In January 2018, a vulnerability affecting the ACME TLS-SNI-01 method of
> domain validation was disclosed [1]. That method is an implementation of BR
> 3.2.2.4.10, which is still permitted by the BRs despite the vulnerability.
> Some Browsers have banned the use of method 10 unless mitigations for the
> vulnerability have been put into place, and one approach to mitigation -
> using application-layer protocol negotiation (ALPN) - has now been
> standardized by the IETF as RFC 8737. This ballot replaces the poorly
> specified and potentially insecure 'method 10' with a new 'method 20' based
> on RFC 8737.
>
>
>
> The ballot proposes no transition period during which method 10, or
> validations performed using method 10, may continue to be relied upon. The
> only known current use of method 10 is an implementation of RFC 8737 that
> would remain compliant (although it may require changes to the CA's CPS and
> the name of the method being logged when performing validations).
>
>
>
> This ballot also limits the use of the new method to the specific FQDN
> that was validated - different subdomains require new validations and
> wildcards are not permitted. This requirement is not the result of a
> specific known risk but rather stems from a belief that DNS-based
> validation methods are more appropriate for verifying control over an
> entire subdomain.
>
>
>
> [1]
> https://groups.google.com/d/msg/mozilla.dev.security.policy/RHsIInIjJA0/LKrNi35aAQAJ
>
>
>
>
>
> The following motion has been proposed by Wayne Thayer of Mozilla and
> endorsed by xxx of yyy and xxx of yyy.
>
>
> -- MOTION BEGINS --
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” as follows, based on Version
> 1.7.0:
>
>
>
> MODIFY section 3.2.2.4 as defined in the following redline:
> https://github.com/cabforum/documents/pull/205/files
>
>
>
> -- MOTION ENDS --
>
>
> This ballot proposes two Final Maintenance Guidelines.
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
> Start Time: TBD
>
> End Time: TBD
>
>
>
> Vote for approval (7 days)
>
> Start Time: TBD
>
> End Time: TBD
>
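The RFC 8737 exchange the ballot relies on, written out as an added example. This is an editor's illustration, not code from the ballot, from RFC 8737 or from any CA or ACME client. It uses only Go's standard library and plays both ends: the applicant's side builds the self-signed challenge certificate (a single dNSName SAN for the FQDN, plus a critical id-pe-acmeIdentifier extension, OID 1.3.6.1.5.5.7.1.31, whose OCTET STRING is the SHA-256 of the ACME key authorization) and serves it with the "acme-tls/1" ALPN; the CA's side sends SNI for the FQDN, checks that certificate itself instead of building a chain, and then insists that "acme-tls/1" was actually negotiated. The validator also applies the ballot's scope rule: a wildcard identifier, or any SAN beyond the one FQDN, fails. The function names MakeChallengeCert, ValidateChallengeCert and RunValidation, the in-memory net.Pipe standing in for a TCP connection to the host's port 443, and the sample inputs www.example.com and "token.thumbprint" are all constructed for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

const acmeALPN = "acme-tls/1" // ALPN protocol name from RFC 8737
var oidACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31} // id-pe-acmeIdentifier

// MakeChallengeCert: the applicant's self-signed cert with one dNSName SAN and a critical acmeIdentifier (SHA-256 of keyAuth).
func MakeChallengeCert(fqdn, keyAuth string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	digest := sha256.Sum256([]byte(keyAuth))
	extVal, _ := asn1.Marshal(digest[:]) // a []byte marshals as a DER OCTET STRING
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		DNSNames:        []string{fqdn},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidACMEIdentifier, Critical: true, Value: extVal}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// ValidateChallengeCert: the CA-side check; one dNSName equal to fqdn (no wildcard, no extra names, per the ballot) and a critical, matching acmeIdentifier.
func ValidateChallengeCert(raw []byte, fqdn, keyAuth string) error {
	cert, err := x509.ParseCertificate(raw)
	if err != nil {
		return err
	}
	if strings.HasPrefix(fqdn, "*.") || len(cert.DNSNames) != 1 || !strings.EqualFold(cert.DNSNames[0], fqdn) ||
		len(cert.IPAddresses)+len(cert.EmailAddresses)+len(cert.URIs) != 0 {
		return fmt.Errorf("subjectAltName must be exactly one non-wildcard dNSName %q", fqdn)
	}
	want := sha256.Sum256([]byte(keyAuth))
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidACMEIdentifier) {
			continue
		}
		var got []byte
		rest, err := asn1.Unmarshal(ext.Value, &got)
		if !ext.Critical || err != nil || len(rest) != 0 || string(got) != string(want[:]) {
			return fmt.Errorf("acmeIdentifier extension is non-critical, malformed, or has the wrong digest")
		}
		return nil
	}
	return fmt.Errorf("acmeIdentifier extension missing")
}

// RunValidation plays both ends over an in-memory pipe: the applicant's server (srvCert, ALPN
// acme-tls/1) against a CA client (SNI=fqdn, clientALPN) that checks the certificate itself.
func RunValidation(fqdn, keyAuth string, srvCert tls.Certificate, clientALPN []string) (string, error) {
	cConn, sConn := net.Pipe()
	srvDone := make(chan error, 1)
	go func() {
		srvDone <- tls.Server(sConn, &tls.Config{Certificates: []tls.Certificate{srvCert}, NextProtos: []string{acmeALPN}}).Handshake()
	}()
	cli := tls.Client(cConn, &tls.Config{
		ServerName: fqdn, NextProtos: clientALPN,
		InsecureSkipVerify: true, // chain building is replaced by the explicit RFC 8737 check below
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return ValidateChallengeCert(rawCerts[0], fqdn, keyAuth)
		},
	})
	err := cli.Handshake() // a rejected certificate or an ALPN mismatch surfaces here as a TLS alert
	cConn.Close()
	<-srvDone
	if err != nil {
		return "", err
	}
	if p := cli.ConnectionState().NegotiatedProtocol; p != acmeALPN {
		return "", fmt.Errorf("server negotiated %q, not %s", p, acmeALPN)
	}
	return acmeALPN, nil // a CA would record this, with the matched digest, as the evidence for fqdn
}

func main() {
	cert, _ := MakeChallengeCert("www.example.com", "token.thumbprint") // constructed sample inputs
	fmt.Println(RunValidation("www.example.com", "token.thumbprint", cert, []string{acmeALPN}))
}
```

A real CA would first resolve the FQDN and open a TCP connection to port 443 on the resulting address; the pipe only removes that step. The cases worth exercising against this code are the wrong key authorization (the client rejects the certificate and the handshake fails), a client that offers only http/1.1 (the server rejects the handshake), and a client that offers no ALPN at all (the handshake completes but the negotiated-protocol check fails, which is what stops an ordinary TLS responder for the host from satisfying the challenge).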