Apple votes YES on Ballot 218.

Curt

> On Jan 29, 2018, at 1:51 PM, Tim Hollebeek via Public <public@cabforum.org> wrote:
>
> I’m highly skeptical that discussing this for another month will change
> anybody’s minds. It has already been discussed for over a month, including
> at three validation working group meetings and once on the management call,
> with extensive discussion on this list as well.
>
> There have been a number of clever attempts to distract from the matter at
> hand. Everybody seems to agree that methods #1 and #5 as currently written
> are insufficient to validate certificates, and efforts to improve method #1
> have all either been shown to be similarly weak, or have turned the
> validation method into one of the other existing validation methods. In
> fact, this demonstrates an obvious transition path for CAs currently using
> method #1: use method #2 or method #3.
>
> Since methods #1 and #5 do not sufficiently validate certificates, they
> should not be used, and six months should be more than enough time to cease
> using them.
>
> Here is the final version of the ballot, with voting times. A redlined
> document is attached (I encourage other proposers to post ballot redlines,
> even if it isn’t required).
>
> -Tim
>
> ----- Ballot 218 version 2: Remove validation methods #1 and #5 -----
>
> Purpose of Ballot: Section 3.2.2.4 says that it “defines the permitted
> processes and procedures for validating the Applicant’s ownership or control
> of the domain.” Most of the validation methods actually do validate
> ownership and control, but two do not, and can be completed solely based on
> an applicant’s own assertions.
>
> Since these two validation methods do not meet the objectives of section
> 3.2.2.4, and are actively being used to avoid validating domain control or
> ownership, they should be removed, and the other methods that do validate
> domain control or ownership should be used.
>
> The following motion has been proposed by Tim Hollebeek of DigiCert and
> endorsed by Ryan Sleevi of Google and Rich Smith of Comodo.
>
> -- MOTION BEGINS –
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” as follows, based upon Version
> 1.5.4:
>
> In Section 1.6.1, in the definition of “Domain Contact”, after “in a DNS SOA
> record”, add “, or as obtained through direct contact with the Domain Name
> Registrar”
>
> In Section 3.2.2.4.1, add text at the end: “For certificates issued on or
> after August 1, 2018, this method SHALL NOT be used for validation, and
> completed validations using this method SHALL NOT be used for the issuance of
> certificates.”
>
> In Section 3.2.2.4.5, add text at the end: “For certificates issued on or
> after August 1, 2018, this method SHALL NOT be used for validation, and
> completed validations using this method SHALL NOT be used for the issuance of
> certificates.”
>
> After Section 3.2.2.4.10, add following two new subsections:
> “3.2.2.4.11 Any Other Method
>
> This method has been retired and MUST NOT be used.
>
> 3.2.2.4.12 Validating Applicant as a Domain Contact
>
> Confirming the Applicant's control over the FQDN by validating the Applicant
> is the Domain Contact. This method may only be used if the CA is also the
> Domain Name Registrar, or an Affiliate of the Registrar, of the Base Domain
> Name.
>
> Note: Once the FQDN has been validated using this method, the CA MAY also
> issue Certificates for other FQDNs that end with all the labels of the
> validated FQDN. This method is suitable for validating Wildcard Domain Names.”
>
> In Section 4.2.1, after the paragraph that begins “After the change to any
> validation method”, add the following paragraph: “Validations completed using
> methods specified in Section 3.2.2.4.1 or Section 3.2.2.4.5 SHALL NOT be
> re-used on or after August 1, 2018.”
>
> -- MOTION ENDS –
>
> For the purposes of section 4.2.1, the new text added to 4.2.1 from this
> ballot is “specifically provided in a [this] ballot.”
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
> Start Time: 2017-01-22 21:30:00 UTC
> End Time: 2017-01-29 21:50:00 UTC
>
> Vote for approval (7 days)
> Start Time: 2017-01-29 21:50:00 UTC
> End Time: 2017-02-05 21:50 UTC
>
> <CA-Browser Forum BR 1.5.4 - Ballot 218 redline.doc>
> _______________________________________________
> Public mailing list
> Public@cabforum.org
> https://cabforum.org/mailman/listinfo/public