[cabfpub] Updated Ballot 190 v5 dated July 6, 2017
sleevi at google.com
Thu Jul 6 12:28:47 MST 2017
Just because it's important to capture for those who were not on the
call - since it's likely this ballot will proceed to voting before
such minutes are available, a few thoughts from the call to be
1) At least one member highlighted the concern that, by making
modifications to this ballot, as proposed, this introduces additional
IP risk that the Forum was specifically trying to address with Bylaws
1.6. The best path to address this risk is to remove the "Note"
2) At least one member highlighted that the Validation WG, with the
proposal of Ballot 169, spent considerable time trying to address the
ambiguity problem that the "Note" is trying to address (but does so
3) At least one member highlighted that the "Note", by being
non-normative, is neither urgent nor essential to resolve in this
version. However, by introducing the currently proposed language, it
creates potential issues that there is no guarantee will be able to be
resolved easily or in a timely fashion. As the Forum already has
methods to address ambiguity - both through the questions@ list and
through subsequent ballots - it seems far more appropriate to remove
the proposed text, thus aligning with Ballot 169, and thus resolving a
significant objection towards forwards progress.
I do not understand, nor agree with, the proposal to force a vote on
this, when concerns have been repeatedly raised, and which are trivial
to address in a way that allows us to make forward progress on the far
more substantive aspect.
Further, I have not seen any attempt to address and/or resolve the
concerns highlighted in
As the ballot proposer, can you please make an effort to address
and/or respond to these concerns, which introduce substantially new
risk and confusion? I have hopefully provided clear suggestions about
ways to resolve, and it's unclear whether your lack of acknowledgement
represents a need for additional time to review (in which case, we
should stop the discussion period), a disagreement on principle (in
which case, I hope you can clearly state so), or if my concerns are
unclear (in which case, we should stop the discussion period, and I'm
more than happy to work with you to explain them).
I understand and appreciate your eagerness to see this through to
conclusion, but believe it at least deserves some response and
engagement on the substance of these real and pressing security
concerns, rather than dismissing them as fixing them after. After all,
it is worth noting that it has taken us nearly a year to get to this
point in which we're somewhat close to a ballot, so you can understand
why I am quite troubled by the suggestion that we can somehow quickly
fix these real security issues after-the-fact.
On Thu, Jul 6, 2017 at 2:39 PM, Kirk Hall via Public
<public at cabforum.org> wrote:
> Based on the CABF teleconference discussion today, it’s clear there is still
> a difference of opinion on the best way to express the ability of a CA to
> re-use the validation of an FQDN and issue certs for other FQDNs that
> include additional nodes to the left (except for validation Method 8).
> Jeremy and Ben are collecting all the suggestions for how to express this,
> and once Ballot 190 is adopted will immediately consider appropriate edits.
> But we need to get Ballot 190 done in order to end the “any other method”
> authorization and meet Mozilla deadlines as well.
> For now, we have this formulation of the rule posted by Gerv last Friday,
> which looks good to me:
> “Note: Once the FQDN has been validated using this method, the CA MAY also
> issue Certificates for other FQDNs that end with all the labels of the
> validated FQDN and have more labels than it.”
> I have dropped in that language in the attached Version 5 of Ballot 190 (and
> specified this is not true for Method 8). Otherwise, the ballot is the same
> as v4 which was previously circulated.
> Ballot 190 v5 (6-30-2017) is now the official Ballot 190 under consideration
> by the Forum. The discussion period ends on July 8 at 18:00 UTC, after
> which voting will start.
> Public mailing list
> Public at cabforum.org
More information about the Public