Note that Interested Parties cannot participate in meetings, whether F2F or
Phone, unless explicitly invited, nor participate on the Wiki or Members
mail list.

On Fri, Feb 2, 2018 at 2:38 PM, James Burton via Public <public@cabforum.org> wrote:

> That's an excellent idea.
>
> I would like to spend some time discussing extended validation vetting.
> I feel that extended validation is not vetted enough to acceptable
> standards.
>
> James
>
>
> On Fri, Feb 2, 2018 at 7:21 PM, Wayne Thayer via Public <
> public@cabforum.org> wrote:
>
>> Gerv and I, with support from Tim as chair of the Validation Working
>> Group, would like to dedicate the entire first day (Tuesday) of the
>> upcoming meeting hosted by Amazon to a “Validation Summit” where security
>> experts help us to review all of the existing domain validation methods.
>> Doing this would push other WG meetings into time slots on Wednesday or
>> Thursday. I believe there would still be adequate time available for these
>> WG meetings.
>>
>> Given the recent issues discovered with BR 3.2.2.4 methods 1, 5, 9, and
>> 10, a more comprehensive, proactive review of all the BR methods of domain
>> validation is urgently needed. It has been pointed out that this has never
>> been done - the methods as they currently exist are just documentation of
>> existing practices. These methods should be analyzed by experts under an
>> adversarial threat model to identify and address risks and deficiencies.
>>
>> Our proposed agenda for the day is:
>> 1. Discuss the intent of 3.2.2.4. Is proving ownership enough, or is
>> domain control and/or owner consent required?
>> 2. For each of the 10 current methods:
>>     a. Introduce the method and discuss what it is intended to validate
>>     b. Describe in detail how CAs typically implement the method
>>     c. Model and analyze threats to the method
>>     d. Discuss improvements to the method
>>     e. Decide if the method needs to be improved or discarded, or is
>> acceptable as-is.
>> 3. Time permitting, perform the same analysis on IP address validation
>> methods described in section 3.2.2.5
>> 4. Wrap-up - summarize conclusions and action items
>>
>> We plan to extend an invitation to deeply technical and security-minded
>> folks who are familiar with the CA industry and typical CA processes to
>> sign the IPR agreement, become Interested Parties, and attend this portion
>> of the meeting. Given that the meeting is one month from now, we need to
>> move quickly to recruit these experts.
>>
>> Are there any objections to this proposal? I will interpret silence as
>> consent. (And if you think this is a great idea, feel free to tell us!)
>>
>> If you know someone who has the expertise to contribute to this exercise,
>> please consider recruiting him or her to become an Interested Party and
>> attend this meeting.
>>
>> Finally, please consider if your company would sponsor a researcher to
>> attend the meeting in person. My assumption is that at least some of the
>> folks we’d benefit from having in the room will be deterred from attending
>> because they’ll have to cover their own travel expenses.
>>
>> Thanks,
>>
>> Wayne
>>
>> _______________________________________________
>> Public mailing list
>> Public@cabforum.org
>> https://cabforum.org/mailman/listinfo/public
>>
>>
>