Note that Interested Parties cannot participate in meetings, whether F2F or
Phone, unless explicitly invited, nor participate on the Wiki or Members
mail list.

On Fri, Feb 2, 2018 at 2:38 PM, James Burton via Public wrote:

> That's an excellent idea.
> I would like to spend some time in discussing extended validation vetting.
> I feel that extended validation is not vetted enough to acceptable
> standards.
> James
> On Fri, Feb 2, 2018 at 7:21 PM, Wayne Thayer via Public wrote:
>> Gerv and I, with support from Tim as chair of the Validation Working
>> Group, would like to dedicate the entire first day (Tuesday) of the
>> upcoming meeting hosted by Amazon to a “Validation Summit” where security
>> experts help us to review all of the existing domain validation methods.
>> Doing this would push other WG meetings into time slots on Wednesday or
>> Thursday. I believe there would still be adequate time available for these
>> WG meetings.
>> Given the recent issues discovered with BR methods 1, 5, 9, and
>> 10, a more comprehensive, proactive review of all the BR methods of domain
>> validation is urgently needed. It has been pointed out that this has never
>> been done - the methods as they currently exist are just documentation of
>> existing practices. These methods should be analyzed by experts under an
>> adversarial threat model to identify and address risks and deficiencies.
>> Our proposed agenda for the day is:
>> 1. Discuss the intent of Is proving ownership enough, or is
>> domain control and/or owner consent required?
>> 2. For each of the 10 current methods:
>>     a. Introduce the method and discuss what it is intended to validate
>>     b. Describe in detail how CAs typically implement the method
>>     c. Model and analyze threats to the method
>>     d. Discuss improvements to the method
>>     e. Decide if the method needs to be improved or discarded, or is
>> acceptable as-is.
>> 3. Time permitting, perform the same analysis on IP address validation
>> methods described in section
>> 4. Wrap-up - summarize conclusions and action items
>> We plan to extend an invitation to deeply technical and security minded
>> folks who are familiar with the CA industry and typical CA processes to
>> sign the IPR agreement, become Interested Parties, and attend this portion
>> of the meeting. Given that the meeting is one month from now, we need to
>> move quickly to recruit these experts.
>> Are there any objections to this proposal? I will interpret silence as
>> consent. (And if you think this is a great idea, feel free to tell us!)
>> If you know someone who has the expertise to contribute to this exercise,
>> please consider recruiting him or her to become an Interested Party and
>> attend this meeting.
>> Finally, please consider if your company would sponsor a researcher to
>> attend the meeting in person. My assumption is that at least some of the
>> folks we’d benefit from having in the room will be deterred from attending
>> because they’ll have to cover their own travel expenses.
>> Thanks,
>> Wayne
>> _______________________________________________
>> Public mailing list