[cabf_validation] Ballot 190 follow-up discussion

Doug Beattie doug.beattie at globalsign.com
Thu May 4 11:25:13 MST 2017

OK, what do you propose as a cutoff date for reusing previously collected
domain validation data for approval of certificates with those domains?


From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com] 
Sent: Thursday, May 4, 2017 1:19 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Doug Beattie <doug.beattie at globalsign.com>
Subject: RE: Ballot 190 follow-up discussion


I think the difficulty is understanding whether a previous validation was
done under the permitted 10 or some other method. I think we should just do
a cutoff date and call it good.


From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Doug
Beattie via Validation
Sent: Thursday, May 4, 2017 10:12 AM
To: validation (validation at cabforum.org) <validation at cabforum.org>
Cc: Doug Beattie <doug.beattie at globalsign.com>
Subject: [cabf_validation] Ballot 190 follow-up discussion


I think we need a specific date when the cached results from old validation
methods can no longer be used, June 1, 2018, or similar. For those CAs that
complied with the March 1 2017 date of ballot 169, this is 15 months to
revalidate all domains (given that 27 months is the limit, this brings in
the requirement by 12 months).  Is that feasible for everyone?


Optionally, if it helps security, then we could also levy requirements on
the CA to do CAA and/or CT if they do reuse this older data:

- By September, support CAA (which is meaningless since it's mandatory
anyway).

- By September, post all certificates to CT logs if you used validation
data collected under methods other than the 10 listed.


Is supporting CT and CAA within 5 months good enough mitigation for using
such domain validation data till the proposed cutoff?
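The interaction between the 27-month reuse limit and the proposed cutoff is easier to see in code. The following is an added illustration, not anything from the CA/Browser Forum or the Baseline Requirements; the figures (27 months, March 1, 2017, June 1, 2018, the "10 listed" methods) come from the thread, and the record layout and function names are assumed for the example.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Tuple

# Figures quoted in the thread (constructed example values, not normative text).
REUSE_LIMIT_MONTHS = 27                  # maximum age of reused validation data
BALLOT_169_EFFECTIVE = date(2017, 3, 1)  # from here on, only the 10 listed methods
PROPOSED_CUTOFF = date(2018, 6, 1)       # proposed last day for reusing other-method data


def add_months(d: date, months: int) -> date:
    """Advance a date by whole months, clamping the day to the target month."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def months_between(a: date, b: date) -> int:
    """Whole-month difference from a to b (day-of-month ignored)."""
    return (b.year - a.year) * 12 + (b.month - a.month)


@dataclass
class DomainValidation:
    domain: str
    validated_on: date
    listed_method: bool  # True if done under one of the 10 methods in ballot 169


def reuse_allowed(v: DomainValidation, issue_on: date,
                  cutoff: date = PROPOSED_CUTOFF) -> Tuple[bool, str]:
    """Decide whether cached validation data may back issuance on issue_on."""
    if issue_on > add_months(v.validated_on, REUSE_LIMIT_MONTHS):
        return False, "older than the 27-month reuse limit"
    if not v.listed_method and issue_on >= cutoff:
        return False, "non-listed-method data is not reusable on or after the cutoff"
    return True, "reusable"


# Worked figures from the thread: 15 months between ballot 169 and the cutoff,
# and the cutoff lands 12 months before the 27-month limit would otherwise expire.
REVALIDATION_WINDOW = months_between(BALLOT_169_EFFECTIVE, PROPOSED_CUTOFF)
MONTHS_BROUGHT_FORWARD = months_between(
    PROPOSED_CUTOFF, add_months(BALLOT_169_EFFECTIVE, REUSE_LIMIT_MONTHS))
```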


