[cabf_validation] Draft Notes from Today's Call

Ben Wilson ben.wilson at digicert.com
Thu May 4 09:24:30 MST 2017

Here are my notes from today's call.


In attendance:  Ben Wilson, Tim Hollebeek, Kirk Hall, Jeremy Rowley, Bruce
Morton, Li-Chun Chen, Doug Beattie, Robin Alden, Wayne Thayer, Peter Bowen,
and Chris Bailey


Jeremy reviewed the current ballots.


Ballot 191 - EV Place of Business.  The purpose of the ballot was to point
to provisions of the BRs, and make State optional, whereas it is currently
unclear in the EV Guidelines.  Bruce is proposing, Jeremy was an endorser,
and Robin agreed to endorse.


Latin Notary revision - Doug was the proposer, Jeremy was one of the
endorsers, and Kirk agreed to endorse.


Ballot 199 - Contents of Subordinate CA CNs - Gerv has proposed to require
the common name in intermediate CA certificates.  Voting has started.  Peter
had comments he wanted to provide.  Bruce said that he had comments, too.
The group noted that for each CA key pair, it should have the same
distinguished name every time.  Peter noted that the  ballot may eliminate
the concept of the "vanity CA".   Ben will send an email to Gerv asking for


ASN1 grammar ballot to add jurisdiction of incorporation information to EV
Guidelines.  Peter is proposer, Jeremy is endorser, and Li-Chun is an
additional endorser.  Peter wanted the shorter version that only included
jurisdiction of incorporation.  


"Applicant's legal or physical address" ballot was suggested by Li Chun.
Jeremy said that the address of "existence or operation" was unclear for
non-native English speakers and needed to be clarified.  


Ballot on RFC 5280 exceptions - We dropped the 64-character exception from
the draft ballot leaving only the addition of underscores.  Ryan had some
comments that Ben was going to incorporate.  Jeremy is concerned about
making the ballot more complicated than it needs to be.  Ben said that he
would try to keep changes to a minimum.  Peter offered to review Ben's new


"Other name" ballot - we still need to create a procedure for "other names"


IP address validation ballot - was circulated to the mailing list, Rick had
comments, Ryan said he wasn't concerned.  Kirk asked, in light of Ballot
190, does this mean that all IP address validations need to be redone if
this  ballot passes?  Jeremy acknowledged that this was a concern and
suggested we wait until Ballot 190 issues get worked out.


Ballot 190 is being discussed on the public list.  Jeremy wanted to discuss
a proposed compromise and Gerv's proposal.  Kirk said the problem is that an
OID is not a good solution.  He wants to discuss whether it is appropriate
to revalidate everything, allow reuse of information, or to come up with
some other solution.  Peter said the other solution is that you reuse the
validation information and re-perform the validation process under the new
methods.  Kirk said that it will be incredibly difficult for CAs to do this.
Peter said that Amazon's emails sent in the past had more than 112 bits of
entropy in them,  which would meet the new requirements, and that when
Ballot 169 was being drafted, CAs had the opportunity to come forward with
their practices.  Kirk said that there has been no showing of what the
security risks are.  Peter said that he had provided instances of
certificate requests that weren't authorized by Amazon.  Chris asked what
type of certificates they were -  EV, OV or DV.  Kirk said it's never been
an issue for OV or EV.  Peter suggested that there may be a way to resolve
it along those lines.  Kirk said he did not oppose re-performing validation
if there were evidence presented about the actual threats.  


Jeremy said we should discuss Gerv's proposal.  This ballot is only intended
to remove the any other method, and put a date next to those as to when
those would expire.  Kirk said that it adds complexity he still doesn't see
the need to start down the re-validation road.  Wayne said if WHOIS hasn't
changed in 5 years, then it doesn't make sense to re-perform validation.
Peter said that CAs need to update their validation methods.  Kirk agreed,
but said he hasn't seen an actual complaint based on Method 6.  Peter said
that if the CA reconfirms that the domain registrant is the named
organization, they can reuse the information.  Chris said that is difficult
in many situations, for instance, in some TLDs, the domain registrant is
obfuscated.  Doug said under BR 3.2.5, the applicant's authority still has
to be confirmed and that revalidation of 100 domains in SANs in a single
certificate can take a lot of work.  Jeremy said he sees Ryan's concern, but
we need a compromise - a cutoff date after a period of time or an OID at
least gives relying parties a way to decide what they'll trust.  Wayne would
like to set a date and be done with it.  The OID would map to the version of
the BRs under which the certificate was issued.  Chris said that the OID
would only be needed for a limited period of time because it would get
audited within one year.  Auditors would look to whether the validation
information is older than 825 days.  Peter asked Chris about a certificate
that is validated under the new methods.  Chris said that under that
scenario, it would still have to be revalidated in 825 days.  Chris also
wondered about the severity of the problem we're trying to fix.  Peter said
that Ryan's concerns are from provable security vulnerabilities. Chris
wondered whether Amazon's problem would be solved by CAA records.  There was
discussion of why CAA would not solve the problem.


Meeting adjourned.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20170504/2c63e0c8/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4974 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/validation/attachments/20170504/2c63e0c8/attachment.bin>

More information about the Validation mailing list