On Wed, Mar 1, 2017 at 4:50 PM, Ryan Sleevi <[email protected]> wrote:
>
> It's unclear whether you disagree with the substance of my analysis, and
> are thus stating it was intentional to weaken the Baseline Requirements, or
> if you're simply providing clarification for the intent, for which the
> weakening of the Baseline Requirements was unintentional?
>
> If this was unintentional, we can work to resolve this in a way that
> achieves the intended resolve. However, if this was intentional, we will
> continue to disagree, and thus will find it necessary to vote against this
> ballot. I can only hope that, like Ballot 188, this was merely an
> unintentional side-effect, and hopefully one we can resolve through
> collaboration.
>
It was pointed out that my description of the issues may not have been clear for some members, so I'll try to restate the various ways in which this proposal, whether intentional or not, weakens the current security guarantees provided by the Baseline Requirements. In the effort of providing greater clarity, I have created several new threads to help inform this discussion.

Proposed for Section 4.2.1
"If an Applicant has a currently valid Certificate issued by the CA, a CA MAY rely on its prior authentication and verification of the Applicant's right to use the specified Domain Name under Section 3.2.2.4, provided that the CA verifies that the WHOIS record still shows the same registrant as when the CA verified the specified Domain Name for the existing Certificate."

Problem Summary: This paragraph is presented without any linkage to the overall intent or preceding paragraphs. As such, when compared to the immediately preceding two paragraphs, it creates ambiguity as to whether they represent "AND" or "OR" conjunctions. This would allow CAs to create 'perma-certificates', provided the WHOIS information does not change.

Explanation: By lacking in prosaic text that establishes a relationship with the previous conditions, a CA may indefinitely rely on a domain authorization, despite it no longer belonging to the Applicant, and well beyond the 825 period proposed in modification. That is, if a CA reads the above text as an "OR" interpretation, then any party who obtained a certificate once may continue to do so indefinitely, provided that they ensure the WHOIS information does not change.

Conclusion: The consequence of such certificates would significantly undermine public trust, by allowing a chain of certificates to continue well beyond the defined period.

Suggestion: Remove this entire section.
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
