[cabfpub] Restarting discussion period for Ballot 190 v4 dated June 30, 2017
doug.beattie at globalsign.com
Wed Jul 5 12:30:54 MST 2017
Three things I wanted to comment on.
1) The second paragraph in 18.104.22.168 the statement “as of the date the Certificate issues” doesn’t make sense. Should this be “as of the date the Certificate is issued”?
- The CA SHALL confirm that, as of the date the Certificate issues, either the CA or a Delegated Third Party has validated each Fully-Qualified Domain Name (FQDN) listed in the Certificate using at least one of the methods listed below.
2) The proposed “note” is still a bit vague, overly restrictive and prone to misinterpretation because we use the term FQDN 3 times in different contexts: “Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN and have more labels than it.”
Point 1: We should be able to reuse the Validated FQDN to approve FQDNs that have the same or more labels (not just more). So, I would edit the above “..validated FQDN and have the same or more labels than it the requested FQDN.
Point 2: We should define the term “Validated FQDN”. If we did that, then the proposed “note” would be more clear.
Point 3: We should be clear that reuse of domain validation must be only allowed if it’s the same (authenticated) Applicant requesting subsequent validation of FQDNs. As it’s currently stated, it seems like the CA can go ahead and issue certificates to anyone with any subdomain under a Validated FQDN. When ordering through resellers this becomes increasingly difficult and we need to be sure that the CA is authenticating the applicant each time if they want to reuse this vetting data.
I propose this:
- Note: Once the FQDN has been validated using this method, the CA MAY issue Certificates for FQDNs that end with all the labels of the Validated FQDN and have the same or more labels than the Validated FQDN for the same Applicant.
- Validated FQDN: The FQDN validated by the CA. The requested FQDN is generally equal to, or a subdomain of the Validated FQDN.
3) What we’re striving for is to re-use vetting documents collected during one validation for subsequent validations. If the FQDN is foo.wibble-fish.com and we validate wibble-fish.com (the Validated FQDN), we’d like to be able to use this to validate www.wibble-fish.com. I think we agree on this, but wanted to state it explicitly.
The intent is that for all Validated FQDNs the CA validated within the past 39 months (or 825 days starting March 2018), the CA may reuse these Validated FQDNs to approve orders for subdomains, as long as the validations were done in compliance with the BRs at that time (which includes “any other method”). If a CA did file based validation using a location other than the currently specified “.well-known/pki-validation” directory 38 months ago, the CA WOULD be permitted to reuse that for issuance of new certificates today. I’m hoping we all interpret this ballot to allow this.
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Kirk Hall via Public
Sent: Saturday, July 1, 2017 1:29 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: [cabfpub] Restarting discussion period for Ballot 190 v4 dated June 30, 2017
Gerv has made a good suggestion for changing Ballot 190 still further (see below). It's a holiday weekend in the US and Canada, so I don't think we will get much of a dialogue going.
Gerv, I think your modification makes sense, but I'd like to let others comment if they see a problem or have an alternative suggestion for wording.
Right now, the discussion period for Ballot 190 ends on Sunday, July 2 (tomorrow) at 23:00 UTC. With regret, we are withdrawing Ballot 190 and terminating the current discussion period now, and simultaneously reintroducing Ballot 190 and restarting the discussion period now so we can work out this wording next week. Also, I want to correct my spelling of one endorser’s name – it’s Mads Henriksveen of Buypass (I misspelled it before – sorry, Mads).
Accordingly, Ballot 190 v4 is reintroduced with the following new Discussion Period and Voting Period.
Discussion Period: July 1, 2017 at 18:00 UTC through July 8, 2017 at 18:00 UTC
Voting Period: July 8, 2017 at 18:00 UTC through July 15, 2017 at 18:00 UTC.
We would like input from members over the next week. Should we change the following language in v4 of the Ballot to Gerv’s proposed language (which would be included in a new v5)?
Current v4 language:
Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that have more labels than the validated FQDN and end in the validated FQDN.
Gerv’s proposed language:
Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN and have more labels than it.
From: Gervase Markham [mailto:gerv at mozilla.org]
Sent: Friday, June 30, 2017 5:54 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: [EXTERNAL]Re: [cabfpub] Updated Ballot 190 v4 dated June 30, 2017
On 30/06/17 17:19, Kirk Hall via Public wrote:
> “_Note_: Once the FQDN has been validated using this method, the CA
> MAY also issue Certificates for other FQDNs that have more labels than
> the validated FQDN and end in the validated FQDN.”
If we are going to be pedantic, foo.wibble-fish.com has more labels than fish.com and still "ends in" the validated FQDN in the same sense that was objected to.
It would be much better to phrase this entirely in terms of labels.
Here's my first stab:
_Note_: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN and have more labels than it.
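The difference between the two wordings in this thread can be made concrete in code. The following is an added example (not text from the ballot, the Baseline Requirements, or any of the posters): it contrasts a literal string-suffix reading of "ends in the validated FQDN" with Gerv's label-based rule, exposes the "more labels" versus "same or more labels" question Doug raises as a flag, and layers on Doug's other two conditions (same Applicant, reuse within the 825-day period the thread mentions). The `ValidationRecord` class, the `applicant` identifier and the `may_reuse` function are constructed for illustration and are not part of any ballot text.

```python
from dataclasses import dataclass
from datetime import date, timedelta


def labels(fqdn: str) -> list[str]:
    """Split an FQDN into its DNS labels (lowercased, trailing dot removed)."""
    return fqdn.lower().rstrip(".").split(".")


def ends_in_string(requested: str, validated: str) -> bool:
    """The v4 wording read literally: plain string-suffix matching.
    This is the reading Gerv objects to: 'foo.wibble-fish.com' ends in 'fish.com'."""
    return requested.lower().rstrip(".").endswith(validated.lower().rstrip("."))


def covered_by_validated(requested: str, validated: str, allow_equal: bool = True) -> bool:
    """Gerv's rule: the requested FQDN must end with ALL the labels of the validated FQDN.

    allow_equal=True  -> Doug's reading ("same or more labels than the Validated FQDN")
    allow_equal=False -> the proposed note's reading ("more labels than it")
    """
    req, val = labels(requested), labels(validated)
    if len(req) < len(val):
        return False
    if len(req) == len(val) and not allow_equal:
        return False
    # Compare whole labels, so 'wibble-fish.com' never matches 'fish.com'.
    return req[-len(val):] == val


@dataclass(frozen=True)
class ValidationRecord:
    """Constructed record of one completed domain validation (hypothetical shape)."""
    validated_fqdn: str
    applicant: str       # hypothetical identifier of the authenticated Applicant
    validated_on: date


# Reuse window named in the thread (825 days from March 2018); an assumption here.
REUSE_LIMIT = timedelta(days=825)


def may_reuse(record: ValidationRecord, requested: str, applicant: str,
              today: date, allow_equal: bool = True) -> bool:
    """Doug's three conditions combined: same Applicant, validation still within the
    reuse window, and the requested FQDN covered label-by-label by the Validated FQDN."""
    if record.applicant != applicant:
        return False
    if today - record.validated_on > REUSE_LIMIT:
        return False
    return covered_by_validated(requested, record.validated_fqdn, allow_equal)


if __name__ == "__main__":
    # Constructed sample: wibble-fish.com validated for applicant "acme" in Jan 2017.
    rec = ValidationRecord("wibble-fish.com", "acme", date(2017, 1, 1))
    print(ends_in_string("foo.wibble-fish.com", "fish.com"))          # True  (the false positive)
    print(covered_by_validated("foo.wibble-fish.com", "fish.com"))    # False
    print(may_reuse(rec, "www.wibble-fish.com", "acme", date(2017, 7, 5)))  # True
    print(may_reuse(rec, "www.wibble-fish.com", "other", date(2017, 7, 5)))  # False
```

Comparing whole labels rather than string suffixes is what removes the `wibble-fish.com` / `fish.com` ambiguity; the `allow_equal` flag is the only place the two readings of the note differ, and the Applicant and age checks are the parts the note itself does not say and Doug argues it should.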