[cabf_validation] Ballot 190 Section 2

Doug Beattie doug.beattie at globalsign.com
Mon Apr 24 12:23:53 MST 2017


Until method 7 or method 11 is retired, any data we collect and use is valid under section 3.2 and can be reused.  Even if a method was changed, the old method can be used because it falls under Any Other Method.
The only issue is when we remove Any Other Method.  When we do this we need to clarify what data is permitted to be reused and for how long.
I don't think that Ryan wants to allow reuse of data not covered in methods 1-10 for the next 825 days, but we can propose that.  Regardless of the look-back period, how do we get these words into the BRs?  Section 3.2, section 4.2?  Some other place?  That is the hard part.
Doug

From: Kirk Hall [mailto:Kirk.Hall at entrustdatacard.com]
Sent: Monday, April 24, 2017 3:11 PM
To: Doug Beattie <doug.beattie at globalsign.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>; Jeremy Rowley <jeremy.rowley at digicert.com>
Subject: RE: Ballot 190 Section 2

Doug, why are you focused only on Method 11 for this issue?
If "at time of issuance" is intended to override the data reuse rules (which was never how CAs and browsers interpreted these two sets of rules in the past - the data reuse rules meant what they said, and data could be reused even if a method had later changed), then wouldn't that apply to all validation methods, not just 11?  I don't think that is a correct interpretation of BR 3.2 "at time of issuance", by the way.
Are you only focused on Method 11 (introduced in Ballots 180 and 181 for IPR purposes), and only for that limited period of time (60 days or so)?  Or are you saying somehow that old Method 7 "any other method" is also affected?  I'm not following.
From: Doug Beattie [mailto:doug.beattie at globalsign.com]
Sent: Monday, April 24, 2017 12:07 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>; Jeremy Rowley <jeremy.rowley at digicert.com>
Subject: [EXTERNAL]RE: Ballot 190 Section 2

Section 3.2 lists the approved methods "at time of issuance".  Section 4.2 says how long you can reuse data.  So we need a statement somewhere that says method 11 data is permissible for use for the next 825 days, will that solve the issue?


From: Kirk Hall [mailto:Kirk.Hall at entrustdatacard.com]
Sent: Monday, April 24, 2017 3:00 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org<mailto:validation at cabforum.org>>; Jeremy Rowley <jeremy.rowley at digicert.com<mailto:jeremy.rowley at digicert.com>>
Cc: Doug Beattie <doug.beattie at globalsign.com<mailto:doug.beattie at globalsign.com>>
Subject: RE: Ballot 190 Section 2

Right now, we are in the process of reducing the reuse period for domain and other validation data from 39 months to 825 days.  Isn't that the rule that applies here, even to domain validations under old method 7 and new method 11 ("any other method")?  I'm not sure we need to layer on more rules.
From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Doug Beattie via Validation
Sent: Monday, April 24, 2017 11:52 AM
To: Jeremy Rowley <jeremy.rowley at digicert.com<mailto:jeremy.rowley at digicert.com>>; CA/Browser Forum Validation WG List <validation at cabforum.org<mailto:validation at cabforum.org>>
Cc: Doug Beattie <doug.beattie at globalsign.com<mailto:doug.beattie at globalsign.com>>
Subject: [EXTERNAL]Re: [cabf_validation] Ballot 190 Section 2

OK, so we need to say that as of some date (the date we remove method 11, the ballot effective date) you can't re-use cert data if it hasn't been collected since January 1, 2015 (or some date) under one of the current 10 domain verification methods.

From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
Sent: Monday, April 24, 2017 2:41 PM
To: Doug Beattie <doug.beattie at globalsign.com<mailto:doug.beattie at globalsign.com>>; CA/Browser Forum Validation WG List <validation at cabforum.org<mailto:validation at cabforum.org>>
Subject: RE: Ballot 190 Section 2

Essentially, but the issue is not just 39 months. For example, a certificate issued five years ago (which is before the BRs were required) could use no validation and still be okay. The documentation for those certs would still be valid, even if there isn't any.

From: Doug Beattie [mailto:doug.beattie at globalsign.com]
Sent: Monday, April 24, 2017 12:35 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org<mailto:validation at cabforum.org>>
Cc: Jeremy Rowley <jeremy.rowley at digicert.com<mailto:jeremy.rowley at digicert.com>>
Subject: RE: Ballot 190 Section 2


The "any other method"  still remains as a valid option and the problem outlined below is only when this method is removed, correct?  We basically need to grandfather in validation data collected under method 11 for some period of time.  Ryan does not want this to be 39 months for all the reasons he listed.
Is that the crux of the issue?
Doug


From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Jeremy Rowley via Validation
Sent: Monday, April 24, 2017 1:37 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org<mailto:validation at cabforum.org>>
Cc: Jeremy Rowley <jeremy.rowley at digicert.com<mailto:jeremy.rowley at digicert.com>>
Subject: [cabf_validation] Ballot 190 Section 2

Section 190 was withdrawn because of objections to Section 2 of the ballot:
"This provisions of Ballot Section 1 will apply only to the validation of domain names occurring after this Ballot 190's effective date.  Validation of domain names that occurs before this Ballot's effective date and the resulting validation data may continue to be used for the periods specified in BR 4.2.1 and EVGL 11.14.3 so long as the validations were conducted in compliance with the BR Section 3.2.2.4 validation methods in effect at the time of each validation."
Basically, the browsers would like a date when this cuts off so that old certificate validation data can't be reused. Any thoughts on how to reconcile?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20170424/048671b1/attachment.html>


More information about the Validation mailing list