[cabf_validation] FW: Suggested edit to IP Address Ballot

Ben Wilson ben.wilson at digicert.com
Thu Nov 16 09:21:26 MST 2017


Recirculating this one too.



Ben Wilson, JD, CISA, CISSP

VP Compliance

+1 801 701 9678





From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of
Jeremy Rowley via Validation
Sent: Wednesday, October 4, 2017 11:22 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Validation
WG List <validation at cabforum.org>
Subject: Re: [cabf_validation] Suggested edit to IP Address Ballot



Done. I also made a redline…



From: Kirk Hall [mailto:Kirk.Hall at entrustdatacard.com]
Sent: Wednesday, October 4, 2017 8:16 PM
To: Jeremy Rowley <jeremy.rowley at digicert.com>; CA/Browser Forum Validation WG List
<validation at cabforum.org>
Subject: Suggested edit to IP Address Ballot



Jeremy - I have one preliminary edit to suggest.



Your new ballot on 3.2.2.5 starts with the following language:



The CA SHALL confirm that, as of the date the Certificate issues, that the
CA verified each IP Address listed in the Certificate using at a method
specified in this section 3.2.2.5. ***



Before Ballot 190, that similar language “as of the date the Certificate
issues” used to be in the starting paragraph of BR 3.2.2.4 on domain
validation:



BR 3.2.2.4 BEFORE Ballot 190:



The CA SHALL confirm that, as of the date the Certificate issues, either the
CA or a Delegated Third Party has validated each Fully-Qualified Domain Name
(FQDN) listed in the Certificate using at least one of the methods listed
below.



But during the discussion of Ballot 190, some people interpreted the
language “as of the date the Certificate issues” as requiring revalidation
of a domain EVERY TIME the customer ordered a new cert - and therefore would
not let a CA re-use domain validation information as permitted under BR
4.2.1. That was not the actual practice and not what we wanted.



To fix this and clarify the language to make it clear that domain validation
language can be reused without revalidation for the period allowed under BR
4.2.1, we modified the beginning paragraphs of BR 3.2.2.4 to read as
follows:



BR 3.2.2.4 AFTER Ballot 190:



The CA SHALL confirm that prior to issuance, the CA or a Delegated Third
Party has validated each Fully‐Qualified Domain Name (FQDN) listed in the
Certificate using at least one of the methods listed below.



Can you modify the first paragraph of your new ballot on BR 3.2.2.5 so that
it reads as follows?  I think that is your actual intent:



3.2.2.5. Authentication for an IP Address



This section defines the permitted processes and procedures for validating
the Applicant’s ownership or control of an IP Address listed in the
Certificate.



The CA SHALL confirm that, as of the date the Certificate issues, that
prior to issuance, the CA verified each IP Address listed in the Certificate
using at a method specified in this section 3.2.2.5. ***







From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of
Jeremy Rowley via Validation
Sent: Monday, October 2, 2017 2:04 AM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: [EXTERNAL][cabf_validation] IP Address Ballot



Attached is a revised IP address ballot. This was revised with the latest
comments from Ryan (back in March) and based on 190 passing.



Jeremy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: IP Address Ballot.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 14744 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/validation/attachments/20171116/df21d8de/attachment-0001.docx>