> On Jan 25, 2018, at 13:09, Wayne Thayer via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
> 
> Tim - I will add a reference to TLS-SNI-02 as you suggested. I think an
> explanation of the new method 12 is too much detail for this message, and
> it can be found in the ballot that I've referenced.
> 
> In order to move ahead with this communication to CAs while our timeline
> for the deprecation of BR 3.2.2.4 methods 1 and 5 is still being discussed,
> I'd like to propose modifying item #2 as follows:
> 
> 2. On 19-December, significant concerns were raised about the reliability
> of the domain validation methods specified in BR 3.2.2.4.1 and 3.2.2.4.5.
> [3] Since then, discussions on the CA/Browser Forum Public list have
> resulted in a proposed ballot to prohibit the use of these methods after
> 1-August 2018. [4] Rather than accept the risk of continued use of these
> methods, Mozilla may decide to set an earlier deadline such as 1-March
> 2018. If your CA uses either of these methods, please evaluate your
> implementation for vulnerabilities, follow the discussion closely, and be
> prepared to quickly discontinue your use of these methods of domain
> validation.
> 
> Please comment on this change.

This is a great improvement. I think we should also ask that any CAs using 
these methods immediately disclose that they are and the procedures they are 
using, as well as the date they expect to complete a review of their 
implementation, and then provide the review when it is complete.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
