SSL.com votes Yes on Ballot 218 version 2.

Regards,
Fotis

On 29/01/2018 11:51 PM, Tim Hollebeek via Public wrote:
>
> I’m highly skeptical that discussing this for another month will change
> anybody’s minds. It has already been discussed for over a month,
> including at three validation working group meetings and once on the
> management call, with extensive discussion on this list as well.
>
> There have been a number of clever attempts to distract from the matter
> at hand. Everybody seems to agree that methods #1 and #5 as currently
> written are insufficient to validate certificates, and efforts to
> improve method #1 have all either been shown to be similarly weak, or
> have turned the validation method into one of the other existing
> validation methods. In fact, this demonstrates an obvious transition
> path for CAs currently using method #1: use method #2 or method #3.
>
> Since methods #1 and #5 do not sufficiently validate certificates, they
> should not be used, and six months should be more than enough time to
> cease using them.
>
> Here is the final version of the ballot, with voting times. A redlined
> document is attached (I encourage other proposers to post ballot
> redlines, even if it isn’t required).
>
> -Tim
>
> ----- Ballot 218 version 2: Remove validation methods #1 and #5 -----
>
> Purpose of Ballot: Section 3.2.2.4 says that it “defines the permitted
> processes and procedures for validating the Applicant’s ownership or
> control of the domain.” Most of the validation methods actually do
> validate ownership and control, but two do not, and can be completed
> solely based on an applicant’s own assertions.
>
> Since these two validation methods do not meet the objectives of section
> 3.2.2.4, and are actively being used to avoid validating domain control
> or ownership, they should be removed, and the other methods that do
> validate domain control or ownership should be used.
>
> The following motion has been proposed by Tim Hollebeek of DigiCert and
> endorsed by Ryan Sleevi of Google and Rich Smith of Comodo.
>
> -- MOTION BEGINS –
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” as follows, based upon
> Version 1.5.4:
>
> In Section 1.6.1, in the definition of “Domain Contact”, after “in a DNS
> SOA record”, add “, or as obtained through direct contact with the
> Domain Name Registrar”
>
> In Section 3.2.2.4.1, add text at the end: “For certificates issued on
> or after August 1, 2018, this method SHALL NOT be used for validation,
> and completed validations using this method SHALL NOT be used for the
> issuance of certificates.”
>
> In Section 3.2.2.4.5, add text at the end: “For certificates issued on
> or after August 1, 2018, this method SHALL NOT be used for validation,
> and completed validations using this method SHALL NOT be used for the
> issuance of certificates.”
>
> After Section 3.2.2.4.10, add following two new subsections:
>
> “3.2.2.4.11 Any Other Method
>
> This method has been retired and MUST NOT be used.
>
> 3.2.2.4.12 Validating Applicant as a Domain Contact
>
> Confirming the Applicant's control over the FQDN by validating the
> Applicant is the Domain Contact. This method may only be used if the CA
> is also the Domain Name Registrar, or an Affiliate of the Registrar, of
> the Base Domain Name.
>
> Note: Once the FQDN has been validated using this method, the CA MAY
> also issue Certificates for other FQDNs that end with all the labels of
> the validated FQDN. This method is suitable for validating Wildcard
> Domain Names.”
>
> In Section 4.2.1, after the paragraph that begins “After the change to
> any validation method”, add the following paragraph: “Validations
> completed using methods specified in Section 3.2.2.4.1 or Section
> 3.2.2.4.5 SHALL NOT be re-used on or after August 1, 2018.”
>
> -- MOTION ENDS –
>
> For the purposes of section 4.2.1, the new text added to 4.2.1 from this
> ballot is “specifically provided in a [this] ballot.”
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
> Start Time: 2017-01-22 21:30:00 UTC
> End Time: 2017-01-29 21:50:00 UTC
>
> Vote for approval (7 days)
> Start Time: 2017-01-29 21:50:00 UTC
> End Time: 2017-02-05 21:50 UTC
>
> _______________________________________________
> Public mailing list
> Public@cabforum.org
> https://cabforum.org/mailman/listinfo/public
>

--
Fotis Loukos, PhD
Director of Security Architecture
SSL Corp
e: fot...@ssl.com
w: https://www.ssl.com