On Fri, Mar 23, 2018 at 6:22 PM, Wayne Thayer via dev-security-policy < [email protected]> wrote:
> I've drafted these changes: > https://github.com/mozilla/pkipolicy/commit/e5269ff0d6ced93a6c6af65947712b > 8e4b2e18b8 > > On Tue, Mar 20, 2018 at 9:57 AM, Tim Hollebeek <[email protected] > > > wrote: > > > > > > * Add a new bullet on IP Address validation that forbids the use of BR > > > 3.2.2.5(4) (“any other method”) and requires disclosure of IP Address > > > validation processes in the CA’s CP/CPS. > > > > This is a bit premature. Most CA's IP validation procedures still fall > > under > > any other method, and the draft ballot that we've been trying to pass > > for a year or so is not done yet (I was writing it when the Validation > > Summit started taking over my life...) There's a good chance we will > > get a ballot passed on this issue this summer, but there's also a good > > chance that work on improving the non-IP validation methods will be > > prioritized above it. > > > > It might make sense, though, to require that if you use 3.2.2.4.8, you > > cannot use 3.2.2.5(4). That would eliminate the ability to use .5(4) to > > validate domain names. > > > > My commit includes this compromise. > > The IP validation disclosure language is fine and would actually help > > get a ballot passed. I've been trying to get everyone to disclose their > > IP validation practices and whether they issue IP certificates, but it > > turns out that "the CABF Validation Chair is politely asking for your > > cooperation" has some positive impact, but is mostly ignored. > > > > This is the new 2.2 (4) in my commit. > > I think disclosure and eliminating the loophole that allows IP validation > > method risk to bleed into domain names is a good place to start. > > > > -Tim > > I think this looks good, and paves a path for further simplification as the IP validation methods are reformed. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
