[cabf_validation] Ballot Proposal: Validation Method in certificatePolicies

Wayne Thayer wthayer at mozilla.com
Fri Jun 8 05:42:57 MST 2018


I have drafted a ballot that reflects my understanding of the outcome of
the discussion on disclosing validation methods during the WG meeting on
Tuesday. I have not attempted to tackle the issue of encoding validation
methods in CAA records. Please take a look and respond with your comments.
I'm also seeking two endorsers.

- Wayne
===========================
Ballot 226: Validation Method in certificatePolicies

Purpose of Ballot: The methods defined in BR section 3.2.2.4 and 3.2.2.5 to
confirm control or ownership of each domain name or IP address placed in a
TLS certificate have varying security properties. This ballot proposes a
standard format for expressing the method(s) the CA used to validate domain
control or ownership of the Authorization Domain Name(s) placed in a
certificate, and requires conforming CAs to include this information in
certificates issued on or after April 1, 2019. This information is useful
when vulnerabilities in specific methods are identified, and disclosing it
will benefit the PKI ecosystem.

The following motion has been proposed by Wayne Thayer of Mozilla and
endorsed by XXX of YYY and XXX of YYY.

— MOTION BEGINS –
This ballot modifies the “Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates” as follows, based upon Version
1.5.7:

Add the following definitions to section 1.2:

{joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140)
certificate-policies(1) baseline-requirements(2)
domain-validation-methods(4)} (2.23.140.1.2.4).
{joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140)
certificate-policies(1) baseline-requirements(2)
IP-address-validation-methods(5)} (2.23.140.1.2.5).

Update section 7.1.2.3(a), as follows:

This extension MUST be present and SHOULD NOT be marked critical.
certificatePolicies:policyIdentifier (Required)
A Policy Identifier, defined by the issuing CA, that indicates a
Certificate Policy asserting the issuing CA's adherence to and compliance
with these Requirements.

Required on or after 1-April, 2019: One or more Policy Identifiers that
assert every distinct method performed by the CA to validate domain control
or ownership of each FQDN contained in the subjectAlternativeName, in the
following format:
* 2.23.140.1.2.4. concatenated with the subsection number of section
3.2.2.4 corresponding to the domain validation method that was used to
validate one or more subjectAlternativeNames in this certificate (e.g.
'2.23.140.1.2.4.2'); or,
* 2.23.140.1.2.5 concatenated with the subsection number of section 3.2.2.5
corresponding to the IP address validation method that was used to validate
one or more subjectAlternativeNames in the certificate (e.g.
'2.23.140.1.2.5.1').

The following extensions MAY be present:
certificatePolicies:policyQualifiers:policyQualifierId (Recommended)
id-qt 1 [RFC 5280].
certificatePolicies:policyQualifiers:qualifier:cPSuri (Optional)
HTTP URL for the Subordinate CA's Certification Practice Statement, Relying
Party Agreement or other pointer to online information provided by the CA.

— MOTION ENDS –
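Added example, not part of the original message or the ballot text: a sketch of how a relying party could use the proposed policy identifiers to find certificates validated with a given BR 3.2.2.4 or 3.2.2.5 method once a weakness in that method is reported. It assumes the policy OIDs have already been read from each certificate's certificatePolicies extension as dotted strings; the function names, hostnames and inventory are hypothetical.

```python
# OID arcs proposed in the draft ballot (an assumption: not in BR version 1.5.7).
ARCS = {
    (2, 23, 140, 1, 2, 4): "3.2.2.4",  # domain validation methods
    (2, 23, 140, 1, 2, 5): "3.2.2.5",  # IP address validation methods
}


def parse_oid(text):
    """Dotted-decimal OID -> tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def validation_method(policy_oid):
    """Return the BR subsection a policy OID asserts (e.g. '3.2.2.4.2'), else None."""
    oid = parse_oid(policy_oid)
    if oid is None:
        return None
    for arc, section in ARCS.items():
        # Compare arcs numerically and require exactly one trailing arc, so
        # 2.23.140.1.2.40 is not mistaken for a child of 2.23.140.1.2.4.
        if len(oid) == len(arc) + 1 and oid[:-1] == arc and oid[-1] >= 1:
            return f"{section}.{oid[-1]}"
    return None


def certs_using(inventory, br_subsection):
    """Names of certificates whose policies assert the given BR subsection."""
    return sorted(
        name for name, policies in inventory.items()
        if br_subsection in {validation_method(p) for p in policies}
    )


# Constructed sample: policy OIDs per certificate, as read from certificatePolicies.
# Hostnames and the 1.3.6.1.4.1.99999 arc are made up for illustration.
INVENTORY = {
    "www.example.com": ["2.23.140.1.2.1", "2.23.140.1.2.4.2"],
    "api.example.net": ["1.3.6.1.4.1.99999.1", "2.23.140.1.2.4.7", "2.23.140.1.2.4.2"],
    "192.0.2.10": ["2.23.140.1.2.2", "2.23.140.1.2.5.1"],
    "legacy.example.org": ["2.23.140.1.2.1", "2.23.140.1.2.40"],
}

if __name__ == "__main__":
    for method in ("3.2.2.4.2", "3.2.2.5.1"):
        print(method, certs_using(INVENTORY, method))
```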