On Fri, Apr 28, 2017 at 1:32 AM, Kirk Hall <[email protected]> wrote:
> One other comment. Remember that for the last few months, new Methods 1-4
> and 7-10 were actually included under Method 11 “any other method” after
> Ballot 181’s effective date, and that situation will continue until the
> effective date of Ballot 190. Also, the same is true for any validations
> that followed old Method 7 “any other method” prior to the effective date
> of Ballot 169. So be very careful in saying anything in Ballot 190 that
> would invalidate validations done prior to Ballot 190 under “any other
> method” so long as they complied with any of Methods 1-10 of the new
> methods or Methods 1-6 of the old methods.
>
> I would be open to saying that any prior vetting done under old Method 7
> or more recent Method 11 “any other method” must be revalidated upon the
> effective date of Ballot 190 IF they did not follow EITHER Methods 1-6 (as
> they existed before Ballot 169) or Methods 1-10 (as put forward in Ballot
> 169). In other words, the ONLY validations that have to be redone before
> the expiration of the re-use period are validations that were done that did
> not comply with either old Methods 1-6 or new Methods 1-10. That should
> flush out any unknown and unsecure validations that occurred in the past.
>

Not quite, because if you recall, Google's interest in reforming these began with the fact that a website demonstration of control was not secure. That is, 3.2.2.4.6 under pre-169 is not acceptable.

Kirk, given your support for other forms of indicating that a CA has performed extra diligence, such as the inclusion of OV certificates, would you be supportive in general of a means of expressing, within a certificate, conformance with the 'new' validation methods, so that subscribers can have assurances of the security?
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
