[cabfpub] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft

Ryan Sleevi sleevi at google.com
Tue Mar 28 15:05:51 UTC 2017


On Tue, Mar 28, 2017 at 9:54 AM, Gervase Markham via Public <
public at cabforum.org> wrote:

> Hi everyone,
>
> Here's a draft of a ballot to forbid DTPs from doing Domain Validation, as
> discussed at the F2F. Again, this is early text, so comments on both the
> approach and the wording are very welcome.
>
> Is an Enterprise RA a subset of Delegated Third Party, or a different
> thing? The BRs seem a little unclear on this. I think they are a separate
> thing, but there are some bits of wording this ballot modifies or removes
> that suggest that they are a subset. Comments?
>

An enterprise RA is a subset of DTPs. That is, they may perform name
validation (beneath their DNS tree), or may perform other forms of identity
or organizational validation for their name space.


>
> Gerv
>
>
> *Ballot XXX - Forbid DTPs from doing Domain/IP Ownership Validation *
>
> *Purpose of Ballot: *At the moment, CAs are permitted to delegate the
> process of domain and IP address validation. However, permitting such
> delegations is problematic due to the way audits work - the auditing of
> such work may or may not be required and, if it is, those audit documents
> may not make it back to root programs for consideration. Although the audit
> situation also needs fixing, domain validation is an important enough
> component of a CA's core competencies that it seems wiser to remove it from
> the larger problem and forbid its delegation. The purpose of this ballot is
> to ensure that CAs or their Affiliates are always the ones performing
> domain/IP address ownership validation for certificates that CA is
> responsible for.
>
> The following motion has been proposed by Gervase Markham of Mozilla and
> endorsed by XXX of XXX and XXX of XXX:
>
> -- MOTION BEGINS --
>
> 1) In section 1.3.2 of the Baseline Requirements, replace the following sentence:
>
> "The CA MAY delegate the performance of all, or any part, of Section 3.2 requirements to a Delegated Third Party, provided that the process as a whole fulfills all of the requirements of Section 3.2."
>
> with:
>
> "With the exception of sections 3.2.2.4 and 3.2.2.5, the CA MAY delegate the performance of all, or any part, of Section 3.2 requirements to a Delegated Third Party, provided that the process as a whole fulfills all of the requirements of Section 3.2."
>
> 2) In sections 3.2.2.4 and 3.2.2.4.11 (if still present in the text at the time the ballot passes), replace the following text:
>
> "either the CA or a Delegated Third Party"
>
> with:
>
> "the CA"
>
> 3) In section 3.2.2.4.6, remove the words "or Delegated Third Party".
>
> 4) In section 8.4, remove the paragraph beginning: "If a Delegated Third Party is not currently audited...".
>
> 5) In section 8.4, replace the following text:
>
> "If the CA is not using one of the above procedures and the Delegated Third Party is not an Enterprise RA, then"
>
> with:
>
> "For Delegated Third Parties (but not Enterprise RAs)".
>
> Could you explain why you reworded this? Was this based on your
interpretation that Enterprise RAs aren't DTPs?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170328/bfede6ec/attachment-0003.html>


More information about the Public mailing list