[cabf_validation] [EXTERNAL]Re: Ballot Proposal: Validation Method in certificatePolicies

Doug Beattie doug.beattie at globalsign.com
Wed Jul 25 07:30:39 MST 2018


We can, but I was more concerned with what happens when a method is removed.  I guess we can just replace the certificate with updated OIDs in this extension as long as we keep track of “all” the methods that were used for that domain validation.  The hidden requirement here is that we should keep track of all validation methods that were used for the domain.

 

Doug

 

From: Bruce Morton <Bruce.Morton at entrustdatacard.com> 
Sent: Wednesday, July 25, 2018 9:26 AM
To: Tim Hollebeek <tim.hollebeek at digicert.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>; Doug Beattie <doug.beattie at globalsign.com>; Wayne Thayer <wthayer at mozilla.com>
Subject: RE: [EXTERNAL]Re: [cabf_validation] Ballot Proposal: Validation Method in certificatePolicies

 

Can we put multiple methods into a certificate?

 

Bruce.

 

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Tim Hollebeek via Validation
Sent: July 25, 2018 9:24 AM
To: Doug Beattie <doug.beattie at globalsign.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>; Wayne Thayer <wthayer at mozilla.com>
Subject: [EXTERNAL]Re: [cabf_validation] Ballot Proposal: Validation Method in certificatePolicies

 

Clearly the CA chooses and declares what validation method it is intending to comply with, even if the actions might also comply with another method, right?

 

That seems like the only reasonable interpretation to me.  You’re right it might be worth explicitly stating.

 

-Tim

 

From: Validation <validation-bounces at cabforum.org <mailto:validation-bounces at cabforum.org> > On Behalf Of Doug Beattie via Validation
Sent: Wednesday, July 25, 2018 8:57 AM
To: Wayne Thayer <wthayer at mozilla.com <mailto:wthayer at mozilla.com> >
Cc: CA/Browser Forum Validation WG List <validation at cabforum.org <mailto:validation at cabforum.org> >
Subject: Re: [cabf_validation] Ballot Proposal: Validation Method in certificatePolicies

 

Wayne,

 

When you work on the updated ballot text, it would be good to understand what happens when the domain validation is compliant with more than one method. For example, if we obtained/computed the same email for methods 2 and 4 (and maybe 13 and 15), which method do we put into the certificate? 

 

Doug

 

From: Validation <validation-bounces at cabforum.org <mailto:validation-bounces at cabforum.org> > On Behalf Of Wayne Thayer via Validation
Sent: Saturday, June 23, 2018 8:23 PM
To: Ryan Sleevi <sleevi at google.com <mailto:sleevi at google.com> >
Cc: CA/Browser Forum Validation WG List <validation at cabforum.org <mailto:validation at cabforum.org> >
Subject: Re: [cabf_validation] Ballot Proposal: Validation Method in certificatePolicies

 

Thanks for the feedback Ryan. I think the new extension is cleaner and would like to propose that approach. Are you comfortable defining the syntax of the new extension in a new sub (g) of section 7.1.2.3 - roughly as follows?

 

g.   cabf-BRValidationMethod (2.23.140.1.11) (required on or after April 1, 2019)

 

This extension contains a list of one or more OIDs that assert every distinct method performed by the CA to validate domain control or ownership of each FQDN contained in the certificate's subjectAlternativeName.

 

These OIDs representing validation methods SHALL be defined as follows:
* 2.23.140.1.2.4. concatenated with the subsection number of section 3.2.2.4 corresponding to the domain validation method that was used to validate one or more subjectAlternativeNames in this certificate (e.g. 2.23.140.1.2.4.2'); or,
* 2.23.140.1.2.5 concatenated with the subsection number of section 3.2.2.5 corresponding to the IP address validation method that was used to validate one or more subjectAlternativeNames in the certificate (e.g. '2.23.140.1.2.5.1').

 

OIDs representing validation methods MUST be encoded in this extension as follows:

 

cabf-BRValidationMethod OBJECT IDENTIFIER ::= { 2.23.140.1.NN }

 

BRValidationMethodSyntax ::=

SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER

 

}

If this is headed in the right direction, I'll update the ballot proposal on GitHub.

 

- Wayne

 

On Sat, Jun 9, 2018 at 4:19 PM Ryan Sleevi <sleevi at google.com <mailto:sleevi at google.com> > wrote:

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180725/05780ce3/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5736 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/validation/attachments/20180725/05780ce3/attachment-0001.p7s>


More information about the Validation mailing list