On 3/1/2018 9:21 μμ, Tim Hollebeek via Public wrote:
Ballot 218: Remove validation methods #1 and #5
Purpose of Ballot: Section 3.2.2.4 says that it “defines the permitted
processes and procedures for validating the Applicant’s ownership or
control of the domain.” Most of the validation methods actually do
validate ownership and control, but two do not, and can be completed
solely based on an applicant’s own assertions.
Since these two validation methods do not meet the objectives of
section 3.2.2.4, and are actively being used to avoid validating
domain control or ownership, they should be removed, and the other
methods that do validate domain control or ownership should be used.
The following motion has been proposed by Tim Hollebeek of DigiCert
and endorsed by Ryan Sleevi of Google and Rich Smith of Comodo.
-- MOTION BEGINS –
This ballot modifies the “Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates” as follows, based upon
Version 1.5.4:
In Section 3.2.2.4.1, add text at the end: “For certificates issued on
or after March 1, 2018, this method SHALL NOT be used for validation,
and completed validations using this method SHALL NOT be used for the
issuance of certificates.”
In Section 3.2.2.4.5, add text at the end: “For certificates issued on
or after March 1, 2018, this method SHALL NOT be used for validation,
and completed validations using this method SHALL NOT be used for the
issuance of certificates.”
In Section 4.2.1, after the paragraph that begins “After the change to
any validation method”, add the following paragraph: “Validations
completed using methods specified in Section 3.2.2.4.1 or Section
3.2.2.4.5 SHALL NOT be re-used on or after March 1, 2018.”
-- MOTION ENDS –
For the purposes of section 4.2.1, the new text added to 4.2.1 from
this ballot is “specifically provided in a [this] ballot.”
The procedure for approval of this ballot is as follows:
Discussion (7+ days)
Start Time: 2017-01-03 19:30:00 UTC
End Time: Not Before 2017-01-10 19:30:00 UTC
Vote for approval (7 days)
Start Time: TBD
End Time: TBD
_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public
This is the current text of 3.2.2.4.1:
--- BEGIN QUOTE ---
3.2.2.4.1 Validating the Applicant as a Domain Contact
Confirming the Applicant's control over the FQDN by validating the
Applicant is the Domain Contact directly with the Domain Name Registrar.
This method may only be used if:
1. The CA authenticates the Applicant's identity under BR Section
3.2.2.1 and the authority of the Applicant Representative under BR
Section 3.2.5, OR
2. The CA authenticates the Applicant's identity under EV Guidelines
Section 11.2 and the agency of the Certificate Approver under EV
Guidelines Section 11.8; OR
3. The CA is also the Domain Name Registrar, or an Affiliate of the
Registrar, of the Base Domain Name. Note: Once the FQDN has been
validated using this method, the CA MAY also issue Certificates for
other FQDNs that end with all the labels of the validated FQDN. This
method is suitable for validating Wildcard Domain Names.
--- END QUOTE ---
Methods 3.2.2.4.2 and 3.2.2.4.3 rely on publicly available (usually
WHOIS) information about domain registrants which are usually provided
by public suffix registries. There are cases (like the gr public suffix
domains) where domain registrant information is not publicly available.
The only method of acquiring information of domain registrants is to
contact the Registrar.
Our proposal to the the ballot proposer and endorsers is to update
method 3.2.2.4.1 instead of completely removing it, so that:
1. it MUST NOT be used for domains that have publicly-available domain
registrant information, which can be validated directly via method
3.2.2.4.2 OR 3.2.2.4.3.
2. for the restricted public suffix registry cases, allow the CA to
obtain Domain Registrant information directly with the Domain Name
Registrar, which will then MUST be combined with method 3.2.2.4.2 OR
3.2.2.4.3.
We would also like to keep option 3, in cases where the CA is also the
Domain Name Registrar of the Base Domain Name to reduce unnecessary
duplication of work.
Please consider the following language:
--- BEGIN updated language for 3.2.2.4.1 ---
Confirming the Applicant's control over the FQDN by validating the
Applicant is the Domain Contact directly with the Domain Name Registrar.
This method may only be used if:
1. The CA validates Domain Contact information obtained from the Domain
Registrar by using the process described in section 3.2.2.4.2 OR
3.2.2.4.3; OR
2. The CA is also the Domain Name Registrar, or an Affiliate of the
Registrar, of the Base Domain Name.
Note: Once the FQDN has been validated using this method, the CA MAY
also issue Certificates for other FQDNs that end with all the labels of
the validated FQDN. This method is suitable for validating Wildcard
Domain Names.
--- END updated language for 3.2.2.4.1 ---
Best regards,
Dimitris.
_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public
