Note that Interested Parties cannot participate in meetings, whether F2F or Phone, unless explicitly invited, nor participate on the Wiki or Members mail list.
On Fri, Feb 2, 2018 at 2:38 PM, James Burton via Public <[email protected]> wrote:

> That's an excellent idea.
>
> I would like to spend some time in discussing extended validation vetting.
> I feel that extended validation is not vetted enough to acceptable
> standards.
>
> James
>
> On Fri, Feb 2, 2018 at 7:21 PM, Wayne Thayer via Public <[email protected]> wrote:
>
>> Gerv and I, with support from Tim as chair of the Validation Working
>> Group, would like to dedicate the entire first day (Tuesday) of the
>> upcoming meeting hosted by Amazon to a “Validation Summit” where security
>> experts help us to review all of the existing domain validation methods.
>> Doing this would push other WG meetings into time slots on Wednesday or
>> Thursday. I believe there would still be adequate time available for these
>> WG meetings.
>>
>> Given the recent issues discovered with BR 3.2.2.4 methods 1, 5, 9, and
>> 10, a more comprehensive, proactive review of all the BR methods of domain
>> validation is urgently needed. It has been pointed out that this has never
>> been done - the methods as they currently exist are just documentation of
>> existing practices. These methods should be analyzed by experts under an
>> adversarial threat model to identify and address risks and deficiencies.
>>
>> Our proposed agenda for the day is:
>> 1. Discuss the intent of 3.2.2.4. Is proving ownership enough, or is
>>    domain control and/or owner consent required?
>> 2. For each of the 10 current methods:
>>    a. Introduce the method and discuss what it is intended to validate
>>    b. Describe in detail how CAs typically implement the method
>>    c. Model and analyze threats to the method
>>    d. Discuss improvements to the method
>>    e. Decide if the method needs to be improved or discarded, or is
>>       acceptable as-is.
>> 3. Time permitting, perform the same analysis on IP address validation
>>    methods described in section 3.2.2.5
>> 4. Wrap-up - summarize conclusions and action items
>>
>> We plan to extend an invitation to deeply technical and security minded
>> folks who are familiar with the CA industry and typical CA processes to
>> sign the IPR agreement, become Interested Parties, and attend this portion
>> of the meeting. Given that the meeting is one month from now, we need to
>> move quickly to recruit these experts.
>>
>> Are there any objections to this proposal? I will interpret silence as
>> consent. (And if you think this is a great idea, feel free to tell us!)
>>
>> If you know someone who has the expertise to contribute to this exercise,
>> please consider recruiting him or her to become an Interested Party and
>> attend this meeting.
>>
>> Finally, please consider if your company would sponsor a researcher to
>> attend the meeting in person. My assumption is that at least some of the
>> folks we’d benefit from having in the room will be deterred from attending
>> because they’ll have to cover their own travel expenses.
>>
>> Thanks,
>>
>> Wayne
>>
>> _______________________________________________
>> Public mailing list
>> [email protected]
>> https://cabforum.org/mailman/listinfo/public
