[cabf_validation] Outline of Method 1 Replacement

Jeremy Rowley jeremy.rowley at digicert.com
Fri Mar 9 16:01:38 MST 2018


Not sure if this is legit Mozilla or not, but this could totally get an OV cert under method 1 as written/proposed:

 

https://secure.utah.gov/bes/details.html?entity=7141900-0143

 

Note that I could confirm authenticity with Ben Galbrath (replace that name with Jeremy Rowley). The address matches Mozilla’s mountain view address. If Ben had wanted, he could have listed his phone number there as well, allowing the authenticity check to complete with just Ben’s information. 

 

EV would be more difficult as the jurisdiction info isn’t correct (and the status is listed as expired)

 

From: Validation <validation-bounces at cabforum.org> On Behalf Of Wayne Thayer via Validation
Sent: Friday, March 9, 2018 12:23 PM
To: Jonathan Rudenberg <jonathan at titanous.com>
Cc: CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: Re: [cabf_validation] Outline of Method 1 Replacement

 

On Fri, Mar 9, 2018 at 11:53 AM, Jonathan Rudenberg <jonathan at titanous.com <mailto:jonathan at titanous.com> > wrote:


Is there a compelling reason to bring back a new version of this method?

 

Yes, we're asking the same question.

 

It seems like any modification that adds the appropriate security properties would bring it very close to 3.2.2.4.2 / 3.2.2.4.3. Based on my understanding of the use of this method in the wild, it makes more sense to me for CAs to switch to .2 and .3 for domain ownership authorization and then do necessary additional subject validation with 3.2.2.1 or EVGL 11.8.3.

 

The obvious example to me is when the CA is already performing EV validation, in which case this could save a step. There are also cases where having a contractual relationship could make this method appealing to a CA. In general, while I see your point, I'm trying not to make assumptions.

 

Thanks,

 

Wayne

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180309/1b44703e/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4984 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/validation/attachments/20180309/1b44703e/attachment.p7s>


More information about the Validation mailing list