[cabfpub] Ballot 190
sleevi at google.com
Fri Apr 28 06:09:27 MST 2017
On Fri, Apr 28, 2017 at 1:32 AM, Kirk Hall <Kirk.Hall at entrustdatacard.com> wrote:
> One other comment. Remember that for the last few months, new Methods 1-4
> and 7-10 were actually included under Method 11 “any other method” after
> Ballot 181’s effective date, and that situation will continue until the
> effective date of Ballot 190. Also, the same is true for any validations
> that followed old Method 7 “any other method” prior to the effective date
> of Ballot 169. So be very careful in saying anything in Ballot 190 that
> would invalidate validations done prior to Ballot 190 under “any other
> method” so long as they complied with any of Methods 1-10 of the new
> methods or Methods 1-6 of the old methods.
>
> I would be open to saying that any prior vetting done under old Method 7
> or more recent Method 11 “any other method” must be revalidated upon the
> effective date of Ballot 190 IF they did not follow EITHER Methods 1-6 (as
> they existed before Ballot 169) or Methods 1-10 (as put forward in Ballot
> 169). In other words, the ONLY validations that have to be redone before
> the expiration of the re-use period are validations that were done that did
> not comply with either old Methods 1-6 or new Methods 1-10. That should
> flush out any unknown and unsecure validations that occurred in the past.

Not quite, because if you recall, Google's interest in reforming these
began with the fact that a website demonstration of control was not secure.
That is, 220.127.116.11.6 under pre-169 is not acceptable.

Kirk, given your support for other forms of indicating that a CA has
performed extra diligence, such as the inclusion of OV certificates, would
you be supportive in general of a means of expressing, within a
certificate, conformance with the 'new' validation methods, so that
subscribers can have assurances of the security?