[cabf_validation] Agenda for this week

Bruce Morton Bruce.Morton at entrustdatacard.com
Wed Jan 3 14:39:35 MST 2018


I agree with Doug's approach and like the idea of the new method.

I really think it would be much better if the Validation working group tried to improve and add validation methods, rather than the CAB Forum just abruptly removing methods.

Bruce.

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Tim Hollebeek via Validation
Sent: January 2, 2018 4:06 PM
To: Doug Beattie <doug.beattie at globalsign.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: [EXTERNAL]Re: [cabf_validation] Agenda for this week

That's an excellent point.

-Tim

From: Doug Beattie [mailto:doug.beattie at globalsign.com]
Sent: Tuesday, January 2, 2018 2:02 PM
To: Tim Hollebeek <tim.hollebeek at digicert.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: RE: Agenda for this week

If the web site operator can install a new certificate (or a test cert like method 9), that shows administrative control over the domain. If the domain changed hands and the entity running the web site can still install a certificate (or put a file in the /well-known directory for that matter), then the "renewal" would happen even if domain "ownership" had changed. I'm not sure I see the difference.

Doug



From: Tim Hollebeek [mailto:tim.hollebeek at digicert.com]
Sent: Tuesday, January 2, 2018 3:54 PM
To: Doug Beattie <doug.beattie at globalsign.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: RE: Agenda for this week

I personally think this has about zero chance of flying with the browsers, who have expressed concern about the domain no longer being under the same ownership if no validation is done for renewals.

But I'm happy to discuss anything anyone wants to discuss, so we can get everyone's perspective.  I'll add it.

-Tim

From: Doug Beattie [mailto:doug.beattie at globalsign.com]
Sent: Tuesday, January 2, 2018 1:50 PM
To: Tim Hollebeek <tim.hollebeek at digicert.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: RE: Agenda for this week

Hi Tim,

This isn't super important, but something I would like to discuss at some point as a new domain validation method for domain re-validation only.  I think I brought this up casually once a while back.
- Once you have a domain, or set of domains, validated and a cert issued with a bunch of SANs, is it possible to verify that when the new certificate is present on a SAN (within 30 days) it constitutes a new domain validation for that SAN and that would re-set the 825 day domain validation clock? It's basically #9 but with a production certificate (which is OK, because going into this the domains were all validated using one of the approved methods for initial domain validation). If the CA wanted to re-use the domain validation for more than one SAN in that certificate, then each SAN would need to be verified to have the new certificate present.

If we did this, then CAs would effectively not need to do new domain validations if the SANs didn't change as long as they recorded the applicable validations (for each SAN, you found the new certificate).

Doug

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Tim Hollebeek via Validation
Sent: Tuesday, January 2, 2018 2:45 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: [cabf_validation] Agenda for this week


Please let me know if you have other topics you want discussed.


  1.  Continue IP validation discussion.
  2.  EV improvement discussion.

Homework from previous call:

- continue to think about ways to improve EV
- be familiar with the methods your company uses to validate IPs (if any)

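The per-SAN re-validation bookkeeping Doug proposes earlier in this thread, sketched as an added example that is not part of any message or of any CA's code. The observation record format, the fingerprint strings and the choice to restart the 825-day clock at the first in-window sighting are assumptions; the sample data is constructed.

```python
from datetime import datetime, timedelta

INSTALL_WINDOW = timedelta(days=30)   # "within 30 days" in the proposal
REUSE_PERIOD = timedelta(days=825)    # the "825 day domain validation clock"

def revalidate_sans(sans, new_cert_fp, issued_at, observations):
    """Decide, per SAN, whether the new certificate was seen in the window.

    observations: (san, observed_at, served_fingerprint) tuples recording
    what the CA saw served on each name (hypothetical record format).
    Each SAN is judged on its own; a hit on one name never covers another.
    """
    deadline = issued_at + INSTALL_WINDOW
    results = {}
    for san in sans:
        hits = [seen for name, seen, fp in observations
                if name.lower() == san.lower()     # DNS names are case-insensitive
                and fp == new_cert_fp              # must be the newly issued cert
                and issued_at <= seen <= deadline]
        first = min(hits) if hits else None
        results[san] = {
            "revalidated": first is not None,
            "validated_at": first,
            # Assumption: the clock restarts at the first in-window sighting.
            "reuse_until": first + REUSE_PERIOD if first else None,
        }
    return results

def demo():
    # Constructed sample data, not real certificates or scan results.
    issued = datetime(2018, 1, 3)
    new_fp, old_fp = "fp-new-constructed", "fp-old-constructed"
    seen = [
        ("WWW.example.com", datetime(2018, 1, 10), new_fp),  # in window
        ("example.com", datetime(2018, 1, 10), old_fp),      # still old cert
        ("example.com", datetime(2018, 2, 20), new_fp),      # after 30 days
    ]
    sans = ["www.example.com", "example.com", "mail.example.com"]
    return revalidate_sans(sans, new_fp, issued, seen)

if __name__ == "__main__":
    for san, outcome in demo().items():
        print(san, outcome)
```

SANs left with `revalidated` false (old certificate still served, new one installed too late, or name never observed) would fall back to one of the existing validation methods.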