[cabfpub] Ballot 120

Ben Wilson ben at digicert.com
Thu May 22 17:58:37 UTC 2014


Kirk Hall of TrendMicro made the following motion and Jeremy Rowley of
DigiCert and Cecilia Kam of Symantec have endorsed it:

 

Ballot 120 - Affiliate Authority to Verify Domain

 

Reasons for proposed ballot

 

Ballot 72 in May 2012 reorganized the EV Guidelines by moving certain
definitions and common provisions to the Baseline Requirements and replacing
them with cross references to the Baseline Requirements.   In July 2013,
Ballot 104 was a similar replacement with a cross reference to avoid
unnecessary duplication between the two sets of guidelines , but it
inadvertently removed domain verification through a parent or subsidiary
from  EV Guidelines Sec. 11.6.2 (now renumbered as EVGL 11.6.1), which had
listed it as part of the allowed verification process.  Ballot 104
essentially deleted the separately listed EVGL 11.6.2 methods for verifying
domain ownership, and instead inserted a cross-reference to the methods of
verifying domain ownership in BR 11.1.1 (except for subsection (7) - "any
other method of confirmation" - which was not deemed reliable enough for
EV).    

 

There was no discussion to indicate that the removal was intentional, and no
one caught the mistake during the review period.   (If you want to see EVGL
11.6.2 before the changes deleting the former parent/subsidiary language,
see https://cabforum.org/wp-content/uploads/EV-V1_4_2.pdf.)  

 

Because Ballot 104 inadvertently wiped out the ability to rely on
parent-subsidiary/affiliate ownership of domains for all types of certs,
previously only found in EVGL 11.6.2, the EV WG determined that corrections
to both the EVGL and BR are needed.  

 

"Affiliate" was copied over to the BR definitions and removed from the EVGL,
but other related definitions were not.   We allow use of "affiliate" data
for EV vetting in other contexts, and many CAs have applied the
parent-subsidiary/affiliate rule in former EVGL 11.6.2 to vetting domains
for both DV and OV certs, on the grounds that some companies have specially
designated affiliates for holding intellectual property, like domain names,
and also if the domain vetting method was good enough for EV certs, it was
good enough for DV and OV certs as well.

 

Ballot 120 would simply restore the prior rule of former EVGL 11.6.2,
inadvertently wiped out by Ballot 104, and fix the copying and updating of
definitions that were not done in Ballot 72.   This will clarify that (1)
domain ownership by a parent, subsidiary, or affiliate (under both the BRs
and EVGL) would again be sufficient to let a customer obtain a certificate
for its domain, and (2) ensure the corrected rule applies to all classes of
server certs - EV, OV, and DV.  Ballot 120 is not intended to change prior
approved practices for domain confirmation.  

 

---MOTION BEGINS---

 

The Baseline Requirements would be amended as follows:

 

(1)  MOVE definitions for "Control", "Country", "Parent Company," "Sovereign
State," and "Subsidiary Company" from the EV Guidelines to the Baseline
Requirements, and

                                                    

DELETE the following definitions from the EV Guidelines  as redundant
(because the definitions already exist or will exist in the Baseline
Requirements):

 

"Control", "Country", "Government Entity," "Parent Company," "Sovereign
State," and "Subsidiary Company" ;

 

(2) Amend BR 11.1.1 to read as follows:

 

BR 11.1.1 Authorization by Domain Name Registrant

 

For each Fully-Qualified Domain Name listed in a Certificate, the CA SHALL
confirm that, as of the date the Certificate was issued, the Applicant (or
the Applicant's Parent Company, Subsidiary Company, or Affiliate,
collectively referred to as "Applicant" for the purposes of this section)
either is the Domain Name Registrant or has control over the FQDN by:

 

1. Confirming the Applicant as the Domain Name Registrant directly with the
Domain Name Registrar;

 

2. Communicating directly with the Domain Name Registrant using an address,
email, or telephone number provided by the Domain Name Registrar;

 

3. Communicating directly with the Domain Name Registrant using the contact
information listed in the WHOIS record's "registrant", "technical", or
"administrative" field;

 

4. Communicating with the Domain's administrator using an email address
created by pre-pending 'admin', 'administrator', 'webmaster', 'hostmaster',
or 'postmaster' in the local part, followed by the at-sign ("@"), followed
by the Domain Name, which may be formed by pruning zero or more components
from the requested FQDN;

 

5. Relying upon a Domain Authorization Document;

 

6. Having the Applicant demonstrate practical control over the FQDN by
making an agreed-upon change to information found on an online Web page
identified by a uniform resource identifier containing the FQDN; or

 

7. Using any other method of confirmation, provided that the CA maintains
documented evidence that the method of confirmation establishes that the
Applicant is the Domain Name Registrant or has control over the FQDN to at
least the same level of assurance as those methods previously described. ***


 

 

(3) Amend EVGL 11.6.1(1) to read as follows:

 

EVGL  11.6.1  Verification Requirements 

 

(1) For each Fully-Qualified Domain Name listed in a Certificate, the CA
SHALL confirm that, as of the date the Certificate was issued, the Applicant
(or the Applicant's Parent Company, Subsidiary Company, or Affiliate,
collectively referred to as "Applicant" for the purposes of this section)
either is the Domain Name Registrant or has control over the FQDN using a
procedure specified in Section 11.1.1 of the Baseline Requirements, except
that a CA MAY NOT verify a domain using the procedure described 11.1.1(7).
***

---MOTION ENDS---

 

The review period for this ballot shall commence at 2200 UTC on Thursday,
May 22, 2014, and will close at 2200 UTC on Thursday, May 29, 2014. 

Unless the motion is withdrawn during the review period, the voting period
will start immediately thereafter and will close at 2200 UTC on Thursday,
June 5, 2014. Votes must be cast by posting an on-list reply to this thread.


A vote in favor of the motion must indicate a clear 'yes' in the response. 

A vote against must indicate a clear 'no' in the response. 

A vote to abstain must indicate a clear 'abstain' in the response. Unclear
responses will not be counted. 

The latest vote received from any representative of a voting member before
the close of the voting period will be counted. 

Voting members are listed here: https://cabforum.org/members/ 

In order for the motion to be adopted, two thirds or more of the votes cast
by members in the CA category and more than one half of the votes cast by
members in the browser category must be in favor. Quorum is currently six
(6) members- at least six members must participate in the ballot, either by
voting in favor, voting against, or by abstaining for the vote to be valid. 

 

 

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140522/6cb96503/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5453 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140522/6cb96503/attachment.p7s>


More information about the Public mailing list