[Servercert-wg] VOTING BEGINS: Ballot SC33: TLS Using ALPN Method
Chema Lopez
clopez at firmaprofesional.com
Tue Aug 11 03:05:36 MST 2020
Firmaprofesional votes "YES" on ballot SC33.
*Chema López*
Director, Innovation, Compliance and Technology Area
+34 666 429 224
*Barcelona *Av. Torre Blanca 57, Edif. Esadecreapolis, Local 3B6 - 08173
Sant Cugat del Vallès | +34 934 774 245
*Madrid *C/ Velázquez 59, 1º Ctro-Izda. - 28001 Madrid | +34 915 762 181
www.firmaprofesional.com
*The content of this e-mail and its attachments is confidential.
If you receive this message in error, be aware that any use, disclosure
and/or copying of it is prohibited. In that case we would be grateful if you
would notify the sender immediately and destroy the message.*
*Please note that, in compliance with data protection regulations,
FIRMAPROFESIONAL will process your data for the purpose of managing its
relationship with the company, entity or organisation that you represent or
work for, and for as long as that relationship lasts. You may exercise your
rights of access, rectification, erasure, restriction, portability and
objection to processing before the Controller: FIRMAPROFESIONAL, S.A., Av.
Torre Blanca, 57, local 3B6 (Edificio Esadecreapolis), 08173 Sant Cugat del
Vallès (Barcelona), or by e-mail to: rgpd at firmaprofesional.com
<rgpd at firmaprofesional.com>, in either case attaching a copy of your
D.N.I. or equivalent identity document. You may also lodge a complaint with
the Agencia Española de Protección de Datos. For more information, see our
privacy policy <https://www.firmaprofesional.com/esp/aviso-legal>.*
On Fri, 7 Aug 2020 at 22:06, Wayne Thayer via Servercert-wg <
servercert-wg at cabforum.org> wrote:
> This begins the voting period for ballot SC33: TLS Using ALPN Method
>
> Purpose of Ballot:
>
> In January 2018, a vulnerability affecting the ACME TLS-SNI-01 method of
> domain validation was disclosed [1]. That method is an implementation of BR
> 3.2.2.4.10, which is still permitted by the BRs despite the vulnerability.
> Some Browsers have banned the use of method 10 unless mitigations for the
> vulnerability have been put into place, and one approach to mitigation -
> using application-layer protocol negotiation (ALPN) - has now been
> standardized by the IETF as RFC 8737. This ballot replaces the poorly
> specified and potentially insecure 'method 10' with a new 'method 20' based
> on RFC 8737.
>
> The ballot proposed no transition period during which method 10, or
> validations performed using method 10 may continue to be relied upon. The
> only known current use of method 10 is an implementation of RFC 8737 that
> would remain compliant (although it may require changes to the CA's CPS and
> the identifier of the method that is being logged when performing
> validations).
>
> This ballot also limits the use of the new method to the specific FQDN
> that was validated - different subdomains require new validations, and
> wildcards are not permitted. This requirement is not the result of a
> specific known risk but rather stems from a belief that DNS-based
> validation methods are more appropriate for verifying control over an
> entire subdomain.
>
> [1]
> https://groups.google.com/d/msg/mozilla.dev.security.policy/RHsIInIjJA0/LKrNi35aAQAJ
>
>
> The following motion has been proposed by Wayne Thayer of Mozilla and
> endorsed by Roland Shoemaker of Let's Encrypt and Tim Hollebeek of DigiCert.
>
> -- MOTION BEGINS --
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” as follows, based on Version
> 1.7.0:
>
> MODIFY section 3.2.2.4 as defined in the following redline:
> https://github.com/cabforum/documents/compare/df5bd3b00e3a215202dedafa68bf8f608d47041b...26913aa7f75a78eff1af5cb628451b9433011a67
>
> -- MOTION ENDS --
>
>
> This ballot proposes a Final Maintenance Guideline.
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
> Start Time: 31-July, 2020 17:00 UTC
>
> End Time: not before 7-August, 2020 17:00 UTC
>
> Vote for approval (7 days)
>
> Start Time: 7-August, 2020 20:00 UTC
>
> End Time: 14-August, 2020 20:00 UTC
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>
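The ballot quoted above replaces method 10 with a method based on RFC 8737 (ACME TLS-ALPN-01) and restricts each validation to the exact FQDN validated. The following Python is an added illustration of the verifier-side checks that method implies; it is not code from the ballot, from Mozilla, or from any CA. The ALPN identifier `acme-tls/1`, the acmeIdentifier OID 1.3.6.1.5.5.7.1.31 and the OCTET STRING encoding of SHA-256(keyAuthorization) come from RFC 8737; `ValidationCert` is an assumed stand-in for a parsed certificate (so the rules can be exercised offline without a live handshake), and the token and thumbprint values are constructed sample data. Function names are hypothetical. Beyond what the ballot text states, the example also applies RFC 8737's requirements that the certificate carry exactly one dNSName and that the extension be critical.

```python
"""Verifier-side checks for the TLS-ALPN-01 method (RFC 8737), modelled offline."""
import hashlib
import hmac
import ssl
from dataclasses import dataclass
from typing import Dict, List, Tuple

ACME_TLS_ALPN = "acme-tls/1"                  # ALPN protocol id registered by RFC 8737
ID_PE_ACME_IDENTIFIER = "1.3.6.1.5.5.7.1.31"  # OID of the acmeIdentifier extension


def key_authorization(token: str, account_thumbprint: str) -> str:
    """RFC 8555 key authorization: token || '.' || base64url(JWK thumbprint)."""
    return f"{token}.{account_thumbprint}"


def expected_acme_identifier_der(token: str, account_thumbprint: str) -> bytes:
    """DER value the acmeIdentifier extension must carry: OCTET STRING of SHA-256(keyAuthorization)."""
    digest = hashlib.sha256(key_authorization(token, account_thumbprint).encode("ascii")).digest()
    return b"\x04\x20" + digest  # tag 0x04 (OCTET STRING), length 32, then the 32-byte digest


def fqdn_covered(validated_fqdn: str, requested_name: str) -> bool:
    """SC33 scope rule: a method-20 validation authorizes only the exact FQDN validated.

    Other subdomains need their own validation, and wildcard names are never covered."""
    if requested_name.startswith("*."):
        return False
    return requested_name.rstrip(".").lower() == validated_fqdn.rstrip(".").lower()


@dataclass
class ValidationCert:
    """Fields of the self-signed validation certificate the checks look at (assumed stand-in for a parsed cert)."""
    san_dns_names: List[str]                   # dNSName entries of the subjectAltName extension
    extensions: Dict[str, Tuple[bool, bytes]]  # OID -> (critical flag, DER value)


def check_tls_alpn_01(fqdn: str, token: str, account_thumbprint: str,
                      negotiated_alpn: str, cert: ValidationCert) -> Tuple[bool, str]:
    """Apply the RFC 8737 acceptance rules to what the CA observed on the connection."""
    if negotiated_alpn != ACME_TLS_ALPN:
        return False, "server did not negotiate acme-tls/1"
    if [n.lower() for n in cert.san_dns_names] != [fqdn.lower()]:
        return False, "certificate must contain exactly one dNSName, equal to the identifier"
    ext = cert.extensions.get(ID_PE_ACME_IDENTIFIER)
    if ext is None:
        return False, "acmeIdentifier extension missing"
    critical, value = ext
    if not critical:
        return False, "acmeIdentifier extension must be marked critical"
    if not hmac.compare_digest(value, expected_acme_identifier_der(token, account_thumbprint)):
        return False, "acmeIdentifier digest does not match the key authorization"
    return True, "ok"


def make_validation_client_context() -> ssl.SSLContext:
    """TLS client settings for the CA's probe: offer acme-tls/1 and accept the self-signed certificate.

    The caller must still pass server_hostname=<fqdn> to wrap_socket() so that SNI is sent
    (RFC 8737 requires it), and must read the certificate and negotiated ALPN from the finished
    handshake instead of relying on chain validation, which is deliberately disabled here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # the validation cert is self-signed by design
    ctx.set_alpn_protocols([ACME_TLS_ALPN])
    return ctx


if __name__ == "__main__":
    # Constructed sample values, not real ACME data.
    FQDN, TOKEN, THUMB = "example.com", "token-abc", "thumbprint-xyz"
    good = ValidationCert(
        san_dns_names=[FQDN],
        extensions={ID_PE_ACME_IDENTIFIER: (True, expected_acme_identifier_der(TOKEN, THUMB))},
    )
    print(check_tls_alpn_01(FQDN, TOKEN, THUMB, ACME_TLS_ALPN, good))
    print(fqdn_covered(FQDN, "www.example.com"), fqdn_covered(FQDN, "*.example.com"))
```

The constant-time comparison of the extension value is a small precaution rather than a requirement of the RFC; the important properties are that the digest is bound to the account key via the thumbprint, that the extension is critical (so a general-purpose TLS stack would refuse the certificate for ordinary use), and that a successful validation of `example.com` authorizes neither `www.example.com` nor `*.example.com`.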