[cabf_validation] Ballot 190 follow-up discussion

Jeremy Rowley jeremy.rowley at digicert.com
Thu May 4 10:18:53 MST 2017


I think the difficulty is understanding whether a previous validation was
done under the permitted 10 or some other method. I think we should just do
a cut-off date and call it good.
From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Doug Beattie via Validation
Sent: Thursday, May 4, 2017 10:12 AM
To: validation (validation at cabforum.org) <validation at cabforum.org>
Cc: Doug Beattie <doug.beattie at globalsign.com>
Subject: [cabf_validation] Ballot 190 follow-up discussion
I think we need a specific date when the cached results from old validation
methods can no longer be used, June 1, 2018, or similar. For those CAs that
complied with the March 1, 2017 date of ballot 169, this is 15 months to
revalidate all domains (given that 27 months is the limit, this brings in
the requirement by 12 months). Is that feasible for everyone?
Optionally, if it helps security, then we could also levy requirements on
the CA to do CAA and/or CT if they do reuse this older data:

* By September, support CAA (which is meaningless since it's mandatory
  anyway.)
* By September, post all certificates to CT logs if you used
  validation data collected under methods other than the 10 listed.
Is supporting CT and CAA within 5 months good enough mitigation for using
such domain validation data till the proposed cutoff?