No, the BRs codify requirements, not security goals. The Mozilla root program requires all CAs to comply with the baseline requirements at all times.
Something similar to PCI/DSS compensating controls existed as Method 11 in the BRs previously. It was removed last year in favor of explicit requirements. It is not acceptable to validate domains with a method that does not comply with one of the ten approved methods. Any certificates issued based on such validations are misissued and should be revoked.

-Tim

> -----Original Message-----
> From: Sebastian Nielsen [mailto:sebast...@sebbe.eu]
> Sent: Tuesday, January 23, 2018 10:00 AM
> To: Tim Hollebeek <tim.holleb...@digicert.com>; 'Jacob Hoffman-Andrews' <j...@eff.org>; acme@ietf.org
> Subject: SV: Re: [Acme] Assisted-DNS challenge type [invalid signature!] [invalid signature!]
>
> I have seen the BR, and from what I understand, the purpose of BRs is to provide a specific security goal.
> In this case, to prevent someone from acquiring control of a domain, and then subsequently, after losing control of said domain, being able to still renew and reissue certificates for said domain.
>
> If the same security goal can be implemented using another method, my understanding is that it's acceptable, provided that method provides equal or greater security than one of the accepted methods in BR, right?
> Think like "compensating controls" in PCI/DSS.
>
> -----Original Message-----
> From: Tim Hollebeek [mailto:tim.holleb...@digicert.com]
> Sent: 23 January 2018 17:54
> To: Sebastian Nielsen <sebast...@sebbe.eu>; 'Jacob Hoffman-Andrews' <j...@eff.org>; acme@ietf.org
> Subject: RE: Re: [Acme] Assisted-DNS challenge type [invalid signature!] [invalid signature!]
>
> > I think that it could be acceptable to "reuse" an old validation provided WHOIS is checked, right?
> > Eg, if a hash is made of all the WHOIS data, and all the WHOIS data stays identical from last validation, then there's proof that control of domain has not shifted in the meantime, which is the main reason to implement random challenge checks.
>
> No. See the BRs for what "reuse" means. People have to stop re-interpreting the BRs to mean what they want them to mean.
>
> You don't get to make up your own methods that satisfy whatever "main reason" that you believe motivates the requirements. That's method 11, which we spent over a year removing (and for good reason).
>
> -Tim
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme