I wasn’t able to do the research to respond to your message below until now.

I think the Ballot 190 language amending BR 4.2.1 that you object to was first 
introduced in the ballot version sent to the Public list on June 17: 
https://cabforum.org/pipermail/public/2017-June/011358.html

And I think the new language was a result of some emails from Peter (starting 
at https://cabforum.org/pipermail/validation/2017-June/000594.html) plus some 
discussion of the topic on a Forum teleconference that seemed to make a 
distinction between reuse of validation information during the permitted reuse 
period under BR 4.2.1, versus reuse of a completed prior validation using that 
data – I think there was a concern by at least one member that there was some 
ambiguity in the BRs that would require revalidation of existing data for any 
domain validation method that was changed by Ballot 190, even though BR 4.2.1 
says the prior data can be reused.  As I recall, the problem cited by someone 
tied that interpretation to the specific word “validation” somewhere in the 
BRs.  We wanted to make sure that interpretation would not require revalidation 
of all domain validation information for methods changed by Ballot 190, so 
added the clarifying language.

I don’t agree with your interpretation of the effect of the amendments to BR 
4.2.1 – I don’t think it poses the danger you do – so I’m not in a position to 
propose alternative language that would be responsive to your interpretation 
and concerns.  Because of that, I still believe the best next step would be for 
you to draft something that fixes the problem you see based on your 
interpretation and circulate the new language to the Public list.

From: Ryan Sleevi [mailto:[email protected]]
Sent: Thursday, September 7, 2017 8:35 PM
To: Kirk Hall <[email protected]>
Cc: CA/Browser Forum Public Discussion List <[email protected]>; Peter Bowen 
<[email protected]>
Subject: Re: [EXTERNAL]Re: [cabfpub] Ballot 190 - Discussion Period is starting

Hi Kirk,

That does seem uncharitably dismissive, and while I hope that wasn't your 
intent, I do want to draw your attention to it. I would note that members 
typically raise issues in part to understand the author's intent, as well as 
express the concerns, to try to collaboratively find a solution. As your 
response indicated you disagreed with the assessment, it does not seem like we 
would be able to come to a successful conclusion until you appropriately 
understood the concern. Despite this concern having been raised several times, 
you have continued to discard it, and it remains unclear whether that is an 
intentional dismissal of feedback that you disagreed with, or whether it was 
because you simply didn't understand the concern. That is why I highlighted the 
concern of DV, to see if it helps you understand how the scenario raised is 
possible, and thus, to help determine whether it is your intent to permit such 
a case.

Separately, as to language on how to resolve that, I would note that there had 
been suggestions offered on how to resolve this. It would be useful to know 
whether this is another case where, due to the length of 
the discussions, you've forgotten that feedback, whether you disagree with that 
feedback, or whether you may not have understood how that feedback would have 
addressed this.

I do want to keep the discussion productive, and so I do want to make sure you 
understand the issue and agree it is an issue first, since that can save a 
considerable amount of time in explaining how alternatives address that issue.

On Thu, Sep 7, 2017 at 7:19 PM, Kirk Hall <[email protected]> wrote:
Typically when a Forum member is unhappy with the language of a pending ballot, 
s/he proposes specific alternate wording for consideration.

If you want to propose an amendment to pending Ballot 190 that addresses your 
concerns, but that also addresses the problem we were solving as described in 
my email below, please do and we’ll all give it a look.

From: Ryan Sleevi [mailto:[email protected]]
Sent: Thursday, September 7, 2017 3:23 PM
To: Kirk Hall <[email protected]>; CA/Browser Forum Public Discussion List 
<[email protected]>
Cc: Peter Bowen <[email protected]>
Subject: [EXTERNAL]Re: [cabfpub] Ballot 190 - Discussion Period is starting



On Wed, Sep 6, 2017 at 9:14 PM, Kirk Hall via Public <[email protected]> wrote:
Peter, let me first review how BR 4.2.1 got where it is in Ballot 190.  We 
started the ballot by adding back 7 validation methods from Ballot 169.  Then 
there was a question of whether this meant a CA could, or could not, reuse domain 
validation data under 4.2.1 for validation methods that had changed.  The 
Validation Working Group did not intend that data that was still in the 
permissible “re-use” period under 4.2.1 had to be thrown out, so we made that 
clear in an amendment to 4.2.1.  Then there was an additional question of 
whether a “validation” itself (for example, combining vetting data for both an 
organization and its domains in OV vetting a week before Ballot 190 
becomes effective) could still be used under 4.2.1 – this was tied to some very 
specific language that some were interpreting as requiring revalidation of data 
where a domain method had changed.  So we clarified that as well by another 
amendment to 4.2.1 – a prior completed validation (domain and/or organization) 
could still be reused under 4.2.1 for the permitted period.

I’m not sure I completely follow your examples below.  If someone has collected 
OV validation data (both organization data and domain data) on July 1, 2017, 
then both the data itself and the validation using that data can be reused 
under 4.2.1 (right now) for 39 months from that date.  If the customer wants to 
add a new domain on July 20, 2017, that bit of data could also be reused for 39 
months, but the related organization validation data will expire 39 months 
after it was collected on July 1, 2017.  No one could rebundle the old data one 
day before expiration and say “look, I just revalidated the organization and 
domains” and use it for another extended period under 4.2.1.

Hi Kirk,

Please consider this example in the case of DV. I believe you will see Peter's 
point and the security risk that both Amazon and Google have highlighted would 
be introduced in the current ballot.

I hope you can consider addressing this security risk prior to voting on the 
ballot. As we've seen, promises to do this "after" passing take considerable 
time, and since the security risk here is so significant, it's difficult to 
believe that it would be wise or in our users' interest to support.


Again, the only reason we added “the validation itself” to the ballot was to 
counter a different interpretation offered on the list.  I don’t think the 
amended 4.2.1 language could be used as you suggest – but if you want to come 
up with a better way to express these concepts in a post-190 ballot, please 
draft it and add it to the list of further improvements the VWG will be working 
on.  We agree on the ultimate goal.

From: Peter Bowen [mailto:[email protected]]
Sent: Wednesday, September 6, 2017 12:53 PM
To: Kirk Hall <[email protected]>; CA/Browser Forum Public Discussion List 
<[email protected]>
Subject: [EXTERNAL]Re: [cabfpub] Ballot 190 - Discussion Period is starting

Kirk,

As I have said previously, I think the changes in 4.2.1 regarding reuse are 
problematic for two reasons.

First, the proposed text says "the CA obtained the data or document from a 
source specified under Section 3.2 or completed the validation itself”.  It is 
not clear if the CA can choose to do both, which would effectively extend the 
reuse period, or if these are mutually exclusive options.  For example, 
assuming a reuse of 825 days, can a CA do the following?

- 1 March 2018 - Fetch a copy of domain registration information and corporate 
registration, complete a new validation, and issue a certificate
- 1 May 2020 - Reuse the previously obtained registration information, complete 
a new validation, and issue a new certificate with the same info as the 
previous certificate
- 1 July 2022 - Reuse the last validation and issue a new certificate with the 
same info as the previous certificates

Second, the proposed text says "After the change to any validation method 
specified […], a CA may continue to reuse […] the validation itself, for the 
period stated in this BR 4.2.1 unless otherwise specifically provided in a 
ballot.”

Right now CAs can reuse data and documents collected during validation.  It 
isn’t that hard to run the validation workflow for each certificate issuance, 
using the existing data, and make sure you have everything in place.  I don’t 
think having the output reusable makes a lot of sense.

Thanks,
Peter

On Sep 5, 2017, at 10:52 AM, Kirk Hall via Public <[email protected]> wrote:

As agreed on our CABF teleconference last week, we are starting the formal 
discussion period for Ballot 190 (in this case, v8).  I have attached the 
ballot in two formats and in three modes.

The title of the actual ballot to be voted on uses all capital letters “BALLOT 
190 v8 (9-5-2017)”.  I also attach a version that includes some explanatory 
comments, and a “clean” version showing how the BRs will read if Ballot 190 v8 
is adopted “Ballot 190 v8 (9-5-2017) (showing BRs if adopted)”.

The discussion period ends Sept. 12 at 18:00 UTC, and the voting period runs 
Sept. 12-19.

This version 8 is based on the prior version 7, but includes a limited number 
of changes as outlined in emails among me, Ryan, and Doug on Aug. 29-30.

We are almost there!  Thanks to everyone who has worked on this effort over the 
past two years.  Assuming Ballot 190 passes, the Validation Working Group can 
then start work on further amendments as outlined in my prior emails.
<BALLOT 190 v8 (9-5-2017).docx>
<BALLOT 190 v8 (9-5-2017).pdf>
<Ballot 190 v8 (9-5-2017) with comments.docx>
<Ballot 190 v8 (9-5-2017) with comments.pdf>
<Ballot 190 v8 (9-5-2017) (showing BRs if adopted).docx>
<Ballot 190 v8 (9-5-2017) (showing BRs if adopted).pdf>
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
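
The three-step scenario from the 6 September message in this thread, worked through as an added example (it is not part of the thread or of the ballot text). The two readings modelled by the hypothetical `validation_restarts_clock` flag are assumptions that mirror the ambiguity raised there: either reuse is measured only from the day the data was obtained, or a validation completed over in-period data is itself reusable for a full period.

```python
from datetime import date, timedelta

REUSE = timedelta(days=825)  # reuse period assumed in the scenario

# Constructed from the three steps listed in the 6 Sep 2017 message.
SCENARIO = [
    (date(2018, 3, 1), "fetch"),             # obtain fresh data, validate, issue
    (date(2020, 5, 1), "revalidate"),        # reuse stored data, new validation
    (date(2022, 7, 1), "reuse_validation"),  # reuse the last completed validation
]


def evaluate(scenario, validation_restarts_clock):
    """Return (issuance date, data age in days, allowed) for each step.

    validation_restarts_clock=False: the reuse period runs only from the day
    the data was obtained from its source.
    validation_restarts_clock=True: a completed validation can be reused for
    a full period counted from the validation date.
    Both readings are illustrative models, not text from the BRs.
    """
    results = []
    data_obtained = last_validation = None
    for when, action in scenario:
        if action == "fetch":
            data_obtained = last_validation = when
            allowed = True
        elif data_obtained is None:
            raise ValueError("scenario must start by fetching data")
        elif action == "revalidate":
            # Stored data must itself still be inside the reuse period.
            allowed = when - data_obtained <= REUSE
            if allowed:
                last_validation = when
        elif action == "reuse_validation":
            start = last_validation if validation_restarts_clock else data_obtained
            allowed = when - start <= REUSE
        else:
            raise ValueError(f"unknown action: {action}")
        results.append((when, (when - data_obtained).days, allowed))
    return results


if __name__ == "__main__":
    for label, flag in (("data age only", False), ("validation reusable", True)):
        print(label)
        for when, age, ok in evaluate(SCENARIO, flag):
            print(f"  {when}  data age {age:4d} d  {'issue' if ok else 'refuse'}")
```

Under the second reading the July 2022 certificate is issued on source data that is 1583 days old, although no single step exceeds 825 days.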
