[cabf_validation] Using for future domains

Tim Hollebeek tim.hollebeek at digicert.com
Wed Mar 21 03:37:47 MST 2018

Given that I said I was just thinking about this, and leaning towards *not* doing anything, and perhaps moving towards being mildly in favor of this sort of thing, what is your justification for “it sounds like you're very much in favor of ripping out all validation methods and starting over (which is what it'd take)”?


All I said was, contrary to your assertion that this problem is unsolvable and therefore all discussion of it must cease (which I think is unreasonable), that it’s worth continuing to keep the issue in mind as we discuss improving the validation methods and thinking about the consequences.  I think that’s a pretty reasonable position.


Specifically, if we’ve decided that our assumptions have changed about what we are validating (which we haven’t nailed down well enough anyway, and probably should), we should think about what those implications are.  For example, are we being too strict with freshness of other methods if we allow these sorts of things with these methods?




From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Wednesday, March 21, 2018 10:26 AM
To: Tim Hollebeek <tim.hollebeek at digicert.com>
Cc: Wayne Thayer <wthayer at mozilla.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>; Peter Bowen <pzb at amzn.com>
Subject: Re: [cabf_validation] Using for future domains


OK. If we're willing to explore no longer using DNS or email to validate domains, then I agree, this could be a fruitful exercise. We probably won't have any technically valid way to validate domains, but sure, if we want to go down that route, ok, then it's worth thinking about.


I hope we're better focused at scoping our work, and more pragmatic in recognizing that unless we're willing to rip it all out, it's very much a moot point, but it sounds like you're very much in favor of ripping out all validation methods and starting over (which is what it'd take).


On Wed, Mar 21, 2018 at 6:22 AM, Tim Hollebeek <tim.hollebeek at digicert.com> wrote:

Oh, it certainly is possible to meaningfully do things about it.  They just might result in validation requirements that look a lot different from today’s validation requirements.  Given that we’ve currently embarked on a process of evaluating our current validation requirements and possibly making them very different, this would seem to be a good time to think about this.


So I don’t think your argument that many of the current validation methods can be used to do this is a reasonable argument for why we can’t have a discussion about it.





These sorts of things turn that on their head.  That may be fine, but we should look at them with a critical eye and see if they do what we want.  The answer may be yes.  I’m still thinking them through.


Right, and I'm disagreeing with that framing for how to approach it. If we're going to Have Opinions about it, we first have to explore whether it's even possible to meaningfully do anything about it. If not, it's a lot of handwringing and pearl-clasping for nothing.

