On 2/5/2017 11:59 μμ, Jeremy Rowley via Public wrote:
Okay. Based on the discussion, I propose we do the following to move
things forward:
1. Include an extension in the EE certs indicating compliance with a
certain version of the BRs. This addresses Ryan’s concerns of
knowing which certs were issued under new methods compared to
relying on older documentation.
2. Permit document reuse for 13 months after which all certs must be
validated using one of the new methods. This addresses Kirk’s
concern of having to revalidate every customer as of the effective
date, permitting roughly half to expire while the other half are
revalidated.
Does this make everyone equally unhappy?
I think Gerv's proposal
(https://cabforum.org/pipermail/public/2017-April/010804.html) is a big
improvement because some validation information is harder to acquire
than others. Methods that can be automated (like 3.2.2.4.6 or 3.2.2.4.7)
could re-use information for a lot less than 13 months.
It would also be great if there was guidance on which of the 10 domain
validation methods can be used to prove domain namespace ownership (or
wildcard validation as Gerv mentioned in his proposal) and which, should
be limited to only verify ownership for a single FQDN.
It would also be nice to write requirements for reuse of validation
information for Domain ownership (for each method) and validation
information for Identities (that doesn't change so often, for example
Identify Information for IV Certificates). So, a CA could be allowed to
reuse identify information for IV Certificates for 39 months, and for OV
Certificates reuse for 24 months.
Dimitris.
Jeremy
*From:*Ryan Sleevi [mailto:[email protected]]
*Sent:* Tuesday, May 2, 2017 12:43 PM
*To:* Jeremy Rowley <[email protected]>
*Cc:* CA/Browser Forum Public Discussion List <[email protected]>;
Gervase Markham <[email protected]>
*Subject:* Re: [cabfpub] Ballot 190
Just to be clear: My initial proposal was simply to indicate "All
information in this certificate has been validated in accordance with
the explicit methods in Version X"
That is, even if information is reused, that the information was
compatible with version X. If version X+1 or X+3 changes things
substantially - but still permits reuse of Version X data - then you'd
continue to assert Version X. If Version X+3's validation was still
compatible with Version X (perhaps it added a new method, or changed
something unrelated), you could assert either X, X+1, X+2, or X+3 and
still be in full compliance. Asserting X+3 is, of course, a stronger
security assurance, but asserting X is still compliant/compatible :)
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
