[cabf_validation] Ballot 190 follow-up discussion

Kirk Hall Kirk.Hall at entrustdatacard.com
Thu May 4 13:29:12 MST 2017


Did DNS validation without sufficient entropy meet the requirement of old Methods 1-6?  If yes, then yes.  If no, then no, would have to be done again.

If carve outs to the rule below are needed, we could do that.  I assumed that all the "standard" old Method 7 methods had been included in new Methods 7-10...  But if the entropy requirements were increased in new Methods 7-10, I see the problem.

I guess we could grandfather prior validations under old Method 7 if they used a lower entropy but otherwise complied with new Methods 1-10.

From: Doug Beattie [mailto:doug.beattie at globalsign.com]
Sent: Thursday, May 4, 2017 1:26 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>; Jeremy Rowley <jeremy.rowley at digicert.com>
Subject: [EXTERNAL] RE: Ballot 190 follow-up discussion

Kirk,

There could possibly be CAs that used DNS validation without sufficient entropy.  Would a check like this be no good for issuance past the date you specified below?

Doug


From: Kirk Hall [mailto:Kirk.Hall at entrustdatacard.com]
Sent: Thursday, May 4, 2017 3:49 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>; Jeremy Rowley <jeremy.rowley at digicert.com>
Cc: Doug Beattie <doug.beattie at globalsign.com>
Subject: RE: Ballot 190 follow-up discussion

I proposed this previously, but I'll post again.

I think we all agree that validation by "any other method" that did not qualify under EITHER old methods 1-6 OR new methods 1-10 should not be reused.  So what if we add transition rules like the following in the ballot - this would solve the "any other method" problem.

1.  The data from any domain validation that was completed prior to the effective date of Ballot 190 may be reused for the period specified in BR 4.2.1 and EVGL 11.14.3 so long as the validation was completed in accordance with [old methods 1-6] or [new methods 1-10].  [Pick the best way to describe the items in brackets, maybe by specific BR version number and BR number.]

2. The data from all other domain validations that occurred before the effective date of Ballot 190 may not be reused under BR 4.2.1 or EVGL 11.14.3.


From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Doug Beattie via Validation
Sent: Thursday, May 4, 2017 11:25 AM
To: Jeremy Rowley <jeremy.rowley at digicert.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Doug Beattie <doug.beattie at globalsign.com>
Subject: [EXTERNAL] Re: [cabf_validation] Ballot 190 follow-up discussion

OK, what do you propose as a cutoff date for reusing previously collected domain validation data for approval of certificates with those domains?

From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
Sent: Thursday, May 4, 2017 1:19 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Doug Beattie <doug.beattie at globalsign.com>
Subject: RE: Ballot 190 follow-up discussion

I think the difficulty is understanding whether a previous validation was done under the permitted 10 or some other method. I think we should just do a cut off date and call it good.

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Doug Beattie via Validation
Sent: Thursday, May 4, 2017 10:12 AM
To: validation <validation at cabforum.org>
Cc: Doug Beattie <doug.beattie at globalsign.com>
Subject: [cabf_validation] Ballot 190 follow-up discussion

I think we need a specific date when the cached results from old validation methods can no longer be used, June 1, 2018, or similar. For those CAs that complied with the March 1, 2017 date of ballot 169, this is 15 months to revalidate all domains (given that 27 months is the limit, this brings in the requirement by 12 months).  Is that feasible for everyone?

Optionally, if it helps security, then we could also levy requirements on the CA to do CAA and/or CT if they do reuse this older data:
- By September, support CAA (which is meaningless since it's mandatory anyway...)
- By September, post all certificates to CT logs if you used validation data collected under methods other than the 10 listed.

Is supporting CT and CAA within 5 months good enough mitigation for using such domain validation data till the proposed cutoff?

