[cabf_validation] Agenda for March 1st prep call for Validation Summit
tim.hollebeek at digicert.com
Thu Mar 1 06:27:06 MST 2018

First of all, I'm all for doing as much prep work ahead of time as possible.
Everyone please feel free to go nuts on this mailing list. I only have 30
minutes at the end for pros/cons/strengths/weaknesses b/c I was hoping by
that point we'd already discussed every method's strengths and weaknesses,
and will just be summarizing/comparing. It's entirely possible that's not
enough time, and if it isn't, we'll extend that discussion as it's one of
the most important things that can come out of the summit.

Several other people wanted to start with what we are validating. If that
turns out to be less productive in the abstract, and we need to move on to
concrete discussions more quickly than the schedule anticipates, I'm fine

If we do get to IP addresses, yeah, we should summarize the analysis and
concerns that have been done on VWG calls up front. It's a complex topic.

Sorry I've been slower than usual to respond, I'm in the middle of an epic
standards road trip.

From: Doug Beattie [mailto:doug.beattie at globalsign.com]
Sent: Tuesday, February 27, 2018 1:00 PM
To: Tim Hollebeek <tim.hollebeek at digicert.com>; CA/Browser Forum Validation
WG List <validation at cabforum.org>
Subject: RE: [cabf_validation] Agenda for March 1st prep call for Validation
I'm not clear on what we're spending the first hour on and would suggest we
get right to the descriptions of the 12 methods as quickly as possible.
I'm hoping we can discuss the pros and cons of each method and document the
strengths and weaknesses, but you have only 30 minutes for that at the end.
I don't think Hour 5 is fully loaded, so maybe there is time there? Can we
find more time for this, or prepare ahead of time? I'd like to understand
things like this, which I think is the most important thing we can do:
* For email validation using constructed email addresses: If the
domain owner permits email on the domain and they don't lock down the
approved email boxes (admin, root, etc.) then they are at risk (the domain
owner needs to take action to protect their domain)
* For well-known:
  * If the hosting entity can insert web site content, then the web
    provider can get certs for any site they host. If you've delegated control
    of your web site, then perhaps you've knowingly delegated cert issuance.
    But, maybe you didn't understand what you delegated. (Same goes for DNS
  * If the server follows redirects, and there are blanket redirects,
    then that opens up the system to attacks (per Ryan and I probably have this
* For methods 9 and 10, if the hosting provider does not separate
different customers on shared IP addresses sufficiently well, then one
customer can obtain certificates for any other customer on their shared IP
address. In order to use these methods, you need the hosting entity to
acknowledge they are abiding by these rules.
Would it make sense to start defining these prior to the summit? If so,
maybe we should create a shared document like Wayne did for his "Ground
Rules" document. What do you think?
IP address validation: We should lay out the top level questions and
assumptions. We discussed this on a call or two and I think we understand
some of the concerns which would be a good starting point.
From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Tim
Hollebeek via Validation
Sent: Tuesday, February 27, 2018 2:15 PM
To: validation at cabforum.org <mailto:validation at cabforum.org>
Subject: [cabf_validation] Agenda for March 1st prep call for Validation
If you have any comments or questions, please respond on this thread. The
more we can handle before the summit, the more time we will have for
discussion at the summit.