[cabfpub] Ballot 218 version 2: Remove validation methods #1 and #5

Tim Hollebeek tim.hollebeek at digicert.com
Wed Jan 24 09:26:51 MST 2018


The premise that this ballot presumes both ownership and control must be
validated is wrong.

 

This ballot explicitly blesses one validation method (#12) that only
verifies ownership.  But if you are going to go the ownership route instead
of the domain control validation route, you have to actually validate
ownership, or you have validated nothing at all.

 

-Tim

 

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Adriano
Santoni via Public
Sent: Wednesday, January 24, 2018 12:34 AM
To: public at cabforum.org
Subject: Re: [cabfpub] Ballot 218 version 2: Remove validation methods #1
and #5

 

It seems to me that the premise of this ballot is wrong. The various methods
under section 3.2.2.4, with the exception of #1 and #5, only validate domain
control - not ownership. I cannot see how they validate ownership.

Besides, the implied notion that ownership and control must _both_ be
validated seems to conflict with several occurances of "OR" (either
ownership OR control) in the BRs.

If this ballot implies that the traditional "OR" should be replaced by an
"AND", then other parts of the BRs should also be revised accordingly.

Apart from that, ownership of a domain (which implies control, while the
opposite is obviously untrue) seems to me a sound basis on which to issue a
certificate, of course provided that ownership is properly validated.

I am also perplexed about the statement that methods .1 and .5 are "actively
being used to avoid validating domain control or ownership": what evidence
do we have of that?

Adriano



Il 22/01/2018 22:30, Tim Hollebeek via Public ha scritto:

 

Ballot 218 version 2: Remove validation methods #1 and #5

 

Purpose of Ballot: Section 3.2.2.4 says that it "defines the permitted
processes and procedures for validating the Applicant's ownership or control
of the domain."  Most of the validation methods actually do validate
ownership and control, but two do not, and can be completed solely based on
an applicant's own assertions.

 

Since these two validation methods do not meet the objectives of section
3.2.2.4, and are actively being used to avoid validating domain control or
ownership, they should be removed, and the other methods that do validate
domain control or ownership should be used.

 

The following motion has been proposed by Tim Hollebeek of DigiCert and
endorsed by Ryan Sleevi of Google and Rich Smith of Comodo.

 

-- MOTION BEGINS -

 

This ballot modifies the "Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates" as follows, based upon Version
1.5.4:

 

In Section 1.6.1, in the definition of "Domain Contact", after "in a DNS SOA
record", add ", or as obtained through direct contact with the Domain Name
Registrar"

 

In Section 3.2.2.4.1, add text at the end: "For certificates issued on or
after August 1, 2018, this method SHALL NOT be used for validation, and
completed validations using this method SHALL NOT be used for the issuance
of certificates."

 

In Section 3.2.2.4.5, add text at the end: "For certificates issued on or
after August 1, 2018, this method SHALL NOT be used for validation, and
completed validations using this method SHALL NOT be used for the issuance
of certificates."

 

After Section 3.2.2.4.10, add following two new subsections:

"3.2.2.4.11 Any Other Method

 

This method has been retired and MUST NOT be used.

 

3.2.2.4.12 Validating Applicant as a Domain Contact

 

Confirming the Applicant's control over the FQDN by validating the Applicant
is the Domain Contact. This method may only be used if the CA is also the
Domain Name Registrar, or an Affiliate of the Registrar, of the Base Domain
Name.

 

Note: Once the FQDN has been validated using this method, the CA MAY also
issue Certificates for other FQDNs that end with all the labels of the
validated FQDN. This method is suitable for validating Wildcard Domain
Names."

 

In Section 4.2.1, after the paragraph that begins "After the change to any
validation method", add the following paragraph: "Validations completed
using methods specified in Section 3.2.2.4.1 or Section 3.2.2.4.5 SHALL NOT
be re-used on or after August 1, 2018."

 

-- MOTION ENDS -

 

For the purposes of section 4.2.1, the new text added to 4.2.1 from this
ballot is "specifically provided in a [this] ballot."

 

The procedure for approval of this ballot is as follows:

 

Discussion (7+ days) 

  Start Time: 2017-01-22  21:30:00 UTC  

  End Time: Not Before 2017-01-29 21:30:00 UTC

 

Vote for approval (7 days) 

  Start Time: TBD   

  End Time: TBD

 

 






_______________________________________________
Public mailing list
Public at cabforum.org <mailto:Public at cabforum.org> 
https://cabforum.org/mailman/listinfo/public

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20180124/f8ad590c/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4940 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/public/attachments/20180124/f8ad590c/attachment-0001.p7s>


More information about the Public mailing list