[Servercert-wg] VOTING BEGINS: Ballot SC33: TLS Using ALPN Method
Christopher Kemmerer
chris at ssl.com
Wed Aug 12 10:44:49 MST 2020
SSL.com votes YES on SC33.
- Chris K
On 8/7/2020 3:06 PM, Wayne Thayer via Servercert-wg wrote:
> This begins the voting period for ballot SC33: TLS Using ALPN Method
>
> Purpose of Ballot:
>
> In January 2018, a vulnerability affecting the ACME TLS-SNI-01 method
> of domain validation was disclosed [1]. That method is an
> implementation of BR 3.2.2.4.10, which is still permitted by the BRs
> despite the vulnerability. Some Browsers have banned the use of method
> 10 unless mitigations for the vulnerability have been put into place,
> and one approach to mitigation - using application-layer protocol
> negotiation (ALPN) - has now been standardized by the IETF as RFC
> 8737. This ballot replaces the poorly specified and potentially
> insecure 'method 10' with a new 'method 20' based on RFC 8737.
>
> The ballot proposed no transition period during which method 10, or
> validations performed using method 10 may continue to be relied upon.
> The only known current use of method 10 is an implementation of RFC
> 8737 that would remain compliant (although it may require changes to
> the CA's CPS and the identifier of the method that is being logged
> when performing validations).
>
> This ballot also limits the use of the new method to the specific FQDN
> that was validated - different subdomains require new validations, and
> wildcards are not permitted. This requirement is not the result of a
> specific known risk but rather stems from a belief that DNS-based
> validation methods are more appropriate for verifying control over an
> entire subdomain.
>
> [1]
> https://groups.google.com/d/msg/mozilla.dev.security.policy/RHsIInIjJA0/LKrNi35aAQAJ
>
>
> The following motion has been proposed by Wayne Thayer of Mozilla and
> endorsed by Roland Shoemaker of Let's Encrypt and Tim Hollebeek of
> DigiCert.
>
> -- MOTION BEGINS --
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” as follows, based on
> Version 1.7.0:
>
> MODIFY section 3.2.2.4 as defined in the following redline:
> https://github.com/cabforum/documents/compare/df5bd3b00e3a215202dedafa68bf8f608d47041b...26913aa7f75a78eff1af5cb628451b9433011a67
>
>
> -- MOTION ENDS --
>
>
> This ballot proposes a Final Maintenance Guideline.
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
> Start Time: 31-July, 2020 17:00 UTC
>
> End Time: not before 7-August, 2020 17:00 UTC
>
> Vote for approval (7 days)
>
> Start Time: 7-August, 2020 20:00 UTC
>
> End Time: 14-August, 2020 20:00 UTC
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
--
Chris Kemmerer
Manager of Operations
SSL.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~ To find the reefs, look~~~~~~~~
~~~~ for the wrecks. ~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20200812/6665716b/attachment.html>
More information about the Servercert-wg
mailing list