[cabfpub] Ballot 182/190 revision
pzb at amzn.com
Mon Jul 17 19:11:28 MST 2017
To start, I applied the changes from Ballot 190 v6 (7-6-2017) on top of BR 1.4.9 with Ballot 202 changes integrated. I then tried to address several items that had been raised, including things discussed during the validation working group call.
You are correct that I dropped the modifications to 4.2.1, instead creating a new method 11 that covers existing validations. It is not “any other method”, but is specifically all the methods that were pre-ballot 169 methods except “any other”. In drafting it, I tried to use the existing language and dates — notably March 1, 2017 is taken directly from section 1.2.2 “Relevant Dates” of the current BRs. This section says “2017‐03‐01: CAs MUST follow revised validation requirements in section 22.214.171.124.” It is very possible I misunderstood the discussion, but it was my impression that you and others want to use validations allowed by the BRs in force at the time of the validation. According to the changes table, the March 2017 date was added to the BRs on August 5, 2016, so this date had plenty of notice.
I also attempted to address your concern about older validations not using the “.well-known” path for website authentication by explicitly referencing the old validation methods which did not specify a path. The list of methods I included is every method that is not “any other”, which is also the exact same list as what is allowed in the EV Guidelines. My proposed text also explicitly calls out both Authorization Domain Name and Base Domain Name to give full flexibility to CAs and avoid any question about wildcard names.
I can build a redline of v6 versus my revision if you would find it helpful to compare the two.
> On Jul 17, 2017, at 5:27 PM, Kirk Hall via Public <public at cabforum.org> wrote:
> Peter, I just started going through your draft, and it appears you did not work from the Ballot 190 draft v6 proposed by Entrust, Buypass, and GlobalSign, but started a new ballot from scratch. Is that correct?
> For example, Ballot 190 as we proposed it included edits to BR 4.2.1 on data and prior validation reuse to respond to questions in the Forum and clarify the rules - but these changes are not included in your attached draft - was this inadvertent?
> When we pulled Ballot 190 v6 from the discussion period, it was to give you time to work on the critical definitions such as Authorized Domain Name so we could eliminate the Notes at the end of each validation method. We certainly did not expect you to completely rewrite the whole ballot, and many things you have suggested won't be acceptable to the proposer and endorsers. For example, you have left in Method 11 "any other method" but with a number of new limitations (including a limitation date for use of the method of March 1, 2017, before anyone knew such a limitation would be imposed - in general, after the fact restrictions are not fair and not a good idea) - we have already discussed this issue extensively, including on the last teleconference call where Mozilla stated its policy of allowing previous validation data and validations to be reused, so this Method 11 proposal is just not acceptable.
> At this point, your proposed rewrite of Ballot 190 isn't going to work, but we will review to see if there are some suggestions in the ballot that we can include in a new Ballot 190 v7. Also, once we complete an update of the critical definitions (perhaps in Ballot 202, perhaps moved back to Ballot 190), we can try to finish up Ballot 190 and get it to a vote.
> -----Original Message-----
> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Peter Bowen via Public
> Sent: Thursday, July 13, 2017 4:29 PM
> To: CA/Browser Forum Public Discussion List <public at cabforum.org>
> Subject: [EXTERNAL][cabfpub] Ballot 182/190 revision
> As Kirk mentioned in a prior email, I’ve been working on updates to draft Ballot 190 which itself is a revision to Ballot 182. Attached is my attempt at a revision.
> The base document includes changes from Ballots 204 (passed) and 202 (not yet passed). With that base, the only two sections this modifies are definitions (1.6.1) and 126.96.36.199.
> I believe that this addresses many of the concerns previously raised, but I know there are some unresolved open issues that the Validation Working Group has identified.
> <CA-Browser Forum BR 1.4.10 draft with 182bis.docx>