[cabfpub] Ballot 193: Problem 4

Ryan Sleevi sleevi at google.com
Thu Mar 2 02:40:05 UTC 2017


On Wed, Mar 1, 2017 at 4:50 PM, Ryan Sleevi <sleevi at google.com> wrote:
>
> It's unclear whether you disagree with the substance of my analysis, and
> are thus stating it was intentional to weaken the Baseline Requirements, or
> if you're simply providing clarification for the intent, for which the
> weakening of the Baseline Requirements was unintentional?
>
> If this was unintentional, we can work to resolve this in a way that
> achieves the intended resolve. However, if this was intentional, we will
> continue to disagree, and thus will find it necessary to vote against this
> ballot. I can only hope that, like Ballot 188, this was merely an
> unintentional side-effect, and hopefully one we can resolve through
> collaboration.
>

It was pointed out that my description of the issues may not have been
clear for some members, so I'll try to restate the various ways in which
this proposal, whether intentional or not, weakens the current security
guarantees provided by the Baseline Requirements.

In the effort of providing greater clarity, I have created several new
threads to help inform this discussion.


Proposed for Section 4.2.1
"If an Applicant has a currently valid Certificate issued by the CA, a CA
MAY rely on its prior authentication and verification of the Applicant's
right to use the specified Domain Name under Section 3.2.2.4, provided that
the CA verifies that the WHOIS record still shows the same registrant as
when the CA verified the specified Domain Name for the existing
Certificate."

Problem Summary: This paragraph is presented without any linkage to the
overall intent or preceding paragraphs. As such, when compared to the
immediately preceding two paragraphs, it creates ambiguity as to whether they
represent "AND" or "OR" conjunctions. This would allow CAs to create
'perma-certificates', provided the WHOIS information does not change.

Explanation: By lacking in prosaic text that establishes a relationship
with the previous conditions, a CA may indefinitely rely on a domain
authorization, despite it no longer belonging to the Applicant, and well
beyond the 825 period proposed in modification. That is, if a CA reads the
above text as an "OR" interpretation, then any party who obtained a
certificate once may continue to do so indefinitely, provided that they
ensure the WHOIS information does not change.

Conclusion: The consequence of such certificates would significantly
undermine public trust, by allowing a chain of certificates to continue
well beyond the defined period.

Suggestion: Remove this entire section.
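
An added illustration, not part of the original message: a small model of the "AND" and "OR" readings described above, showing how long a single domain validation keeps being relied upon under each. It assumes the "825 period" is measured in days and that the preceding paragraphs amount to an age limit on reused validation data; the dates, certificate lifetime and renewal cadence are constructed.

```python
from datetime import date, timedelta

REUSE_LIMIT = timedelta(days=825)  # assumption: the "825" period, read as days


def may_reuse(reading, today, validated_on, cert_expires, whois_same):
    """Decide whether a prior domain validation may be reused at `today`."""
    # Stand-in for the preceding paragraphs: validation data has a maximum age.
    within_limit = today - validated_on <= REUSE_LIMIT
    # The proposed paragraph: a currently valid certificate plus unchanged WHOIS.
    whois_path = cert_expires >= today and whois_same
    if reading == "AND":
        return within_limit and whois_path
    return within_limit or whois_path  # "OR" reading


def simulate(reading, renewals, lifetime_days=365, renew_early_days=30):
    """Renew one certificate repeatedly while the WHOIS registrant never changes.

    Returns (fresh_validations, oldest_reused_evidence_age_in_days).
    """
    validated_on = date(2017, 3, 1)  # constructed start date
    expires = validated_on + timedelta(days=lifetime_days)
    fresh, oldest = 1, 0  # the first issuance always needs a real validation
    for _ in range(renewals):
        today = expires - timedelta(days=renew_early_days)
        if may_reuse(reading, today, validated_on, expires, whois_same=True):
            # No new check of domain control: the old evidence is relied on again.
            oldest = max(oldest, (today - validated_on).days)
        else:
            validated_on = today  # the CA must validate the domain again
            fresh += 1
        expires = today + timedelta(days=lifetime_days)
    return fresh, oldest


if __name__ == "__main__":
    for reading in ("AND", "OR"):
        fresh, oldest = simulate(reading, renewals=10)
        print(f"{reading}: {fresh} validations, oldest evidence reused at {oldest} days")
```

Under the "OR" reading the age of the evidence grows with every renewal and is never bounded, because each new certificate keeps the "currently valid Certificate" condition true for the next one.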