On Mon, May 1, 2017 at 1:53 PM, Lee via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> On 5/1/17, Gervase Markham via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
> > The last CA Communication laid down our policy of only permitting the 10
> > Blessed Methods of domain validation. A CA Communication is an official
> > vehicle for Mozilla Policy so this is now policy, but it's not reflected
> > in the main policy doc. I was planning to wait until the latest version
> > of the BRs had all 10 methods in, but that ballot (ballot 190) seems to
> > be taking a bit of time to draft. So perhaps it would be good to add
> > language to indicate direction of travel.
> >
> > This would involve replacing section 2.2.3 of the policy with:
> >
> > "for a certificate capable of being used for SSL-enabled servers, the CA
> > must ensure that the applicant has registered the domain(s) referenced
> > in the certificate or has been authorized by the domain registrant to
> > act on their behalf. This must be done using one or more of the 10
> > methods documented in section 3.2.2.4 of version 1.4.1 (and not any
> > other version) of the CA/Browser Forum Baseline Requirements. The CA's
> > CP/CPS must clearly specify the procedure(s) that the CA employs, and
> > each documented procedure should state which subsection of 3.2.2.4 it is
> > complying with. Even if the current version of the BRs contains a method
> > 3.2.2.4.11, CAs are not permitted to use this method."
>
> You seem to be replacing a "meets or exceeds" requirement with a
> "strictly meets" requirement.
>
> I'd suggest something along the lines of
> The CA MUST use one of the allowed methods of domain validation
> (<insert reference to the 10 Blessed Methods here>) and, in addition,
> MAY use additional and/or stricter methods of domain validation.
>
> In other words, make it clear to an auditor that while the CA must
> meet the baseline requirements, it's not an audit failure if they go
> above & beyond the minimum requirements of domain validation.
>
> Regards,
> Lee

You can only go "above and beyond" if you're implementing those literal 10 methods. That is, there is a real risk with that MAY that it may be interpreted as reintroducing the "Any other method" loophole that's explicitly trying to be avoided. Any CA who is "exceeding" this method strictly meets the definition.