On 5/1/17, Ryan Sleevi <r...@sleevi.com> wrote:
> On Mon, May 1, 2017 at 1:53 PM, Lee via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> On 5/1/17, Gervase Markham via dev-security-policy
>> <dev-security-policy@lists.mozilla.org> wrote:
>> > The last CA Communication laid down our policy of only permitting the
>> > 10 Blessed Methods of domain validation. A CA Communication is an
>> > official vehicle for Mozilla Policy so this is now policy, but it's
>> > not reflected in the main policy doc. I was planning to wait until the
>> > latest version of the BRs had all 10 methods in, but that ballot
>> > (ballot 190) seems to be taking a bit of time to draft. So perhaps it
>> > would be good to add language to indicate direction of travel.
>> >
>> > This would involve replacing section 2.2.3 of the policy with:
>> >
>> > "for a certificate capable of being used for SSL-enabled servers, the
>> > CA must ensure that the applicant has registered the domain(s)
>> > referenced in the certificate or has been authorized by the domain
>> > registrant to act on their behalf. This must be done using one or more
>> > of the 10 methods documented in section 3.2.2.4 of version 1.4.1 (and
>> > not any other version) of the CA/Browser Forum Baseline Requirements.
>> > The CA's CP/CPS must clearly specify the procedure(s) that the CA
>> > employs, and each documented procedure should state which subsection
>> > of 3.2.2.4 it is complying with. Even if the current version of the
>> > BRs contains a method 3.2.2.4.11, CAs are not permitted to use this
>> > method."
>>
>> You seem to be replacing a "meets or exceeds" requirement with a
>> "strictly meets" requirement.
>>
>> I'd suggest something along the lines of
>> The CA MUST use one of the allowed methods of domain validation
>> (<insert reference to the 10 Blessed Methods here>) and, in addition,
>> MAY use additional and/or stricter methods of domain validation.
>>
>> In other words, make it clear to an auditor that while the CA must
>> meet the baseline requirements, it's not an audit failure if they go
>> above & beyond the minimum requirements of domain validation.
>>
>> Regards,
>> Lee
>
>
> You can only go "above and beyond" if you're implementing those literal 10
> methods. That is, there is a real risk with that MAY that it may be
> interpreted as reintroducing the "Any other method" loophole that's
> explicitly trying to be avoided.
>
> Any CA who is "exceeding" this method strictly meets the definition.

Maybe it's because I've worked with some incredibly bad auditors, but
the way I read the proposal, doing anything other than one of those
exact 10 methods is risking an audit failure.

How would you word the policy to make it clear that while a CA is
required to use one of those 10 methods, the CA is also allowed to do
additional/stricter checks?

Regards,
Lee
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy