On 5/1/17, Ryan Sleevi <r...@sleevi.com> wrote:
> On Mon, May 1, 2017 at 1:53 PM, Lee via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>> On 5/1/17, Gervase Markham via dev-security-policy
>> <dev-security-policy@lists.mozilla.org> wrote:
>> > The last CA Communication laid down our policy of only permitting the
>> > 10
>> > Blessed Methods of domain validation. A CA Communication is an official
>> > vehicle for Mozilla Policy so this is now policy, but it's not
>> > reflected
>> > in the main policy doc. I was planning to wait until the latest version
>> > of the BRs had all 10 methods in, but that ballot (ballot 190) seems to
>> > be taking a bit of time to draft. So perhaps it would be good to add
>> > language to indicate direction of travel.
>> >
>> > This would involve replacing section 2.2.3 of the policy with:
>> >
>> > "for a certificate capable of being used for SSL-enabled servers, the
>> > CA
>> > must ensure that the applicant has registered the domain(s) referenced
>> > in the certificate or has been authorized by the domain registrant to
>> > act on their behalf. This must be done using one or more of the 10
>> > methods documented in section of version 1.4.1 (and not any
>> > other version) of the CA/Browser Forum Baseline Requirements. The CA's
>> > CP/CPS must clearly specify the procedure(s) that the CA employs, and
>> > each documented procedure should state which subsection of it
>> > is
>> > complying with. Even if the current version of the BRs contains a
>> > method
>> >, CAs are not permitted to use this method."
>> You seem to be replacing a "meets or exceeds" requirement with a
>> "strictly meets" requirement.
>> I'd suggest something along the lines of
>> The CA MUST use one of the allowed methods of domain validation
>> (<insert reference to the 10 Blessed Methods here>) and, in addition,
>> MAY use additional and/or stricter methods of domain validation.
>> In other words, make it clear to an auditor that while the CA must
>> meet the baseline requirements, it's not an audit failure if they go
>> above & beyond the minimum requirements of domain validation.
>> Regards,
>> Lee
> You can only go "above and beyond" if you're implementing those literal 10
> methods. That is, there is a real risk with that MAY that it may be
> interpreted as reintroducing the "Any other method" loophole that's
> explicitly trying to be avoided.
> Any CA who is "exceeding" this method strictly meets the definition.

Maybe it's because I've worked with some incredibly bad auditors, but
the way I read the proposal, doing anything other than one of those
exact 10 methods is risking an audit failure.

How would you word the policy to make it clear that while a CA is
required to use one of those 10 methods, the CA is also allowed to do
additional/stricter checks?

dev-security-policy mailing list

Reply via email to