On Mon, Mar 19, 2018 at 6:32 PM, Wayne Thayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> Section 2.2(3) defines very specific requirements for use of the BR 3.2.2.4
> domain validation methods. Now that 3.2.2.4.11 (“any other method”) has
> been removed from the BRs and ballot 218 [1] has passed, the Mozilla policy
> is out-of-date. I propose the following changes:
>
> * Remove the reference to BR version 1.4.1 and instead require compliance
> with the current version. With the adoption of ballot 190 [2], the
> reference to version 1.4.1 is no longer needed.
> * Remove the reference to "10" methods, since the number is likely to
> change.
> * Add a new bullet on IP Address validation that forbids the use of BR
> 3.2.2.5(4) (“any other method”) and requires disclosure of IP Address
> validation processes in the CA’s CP/CPS.
> * Add the following language:
>
> > Validation methods are occasionally found to contain security flaws. If
> > this happens, Mozilla will communicate to CAs any disclosures or
> > modifications it requires, up to and including discontinuing use of a
> > method immediately.
>
> I have intentionally not proposed a ban on methods 3.2.2.4.9 and 3.2.2.4.10
> at this time. Work is underway in the IETF to fix method 10 [3], and I
> suspect that the fix will be permitted under the existing 3.2.2.4.10
> language. I’m proposing that we not make the use of any improved versions
> of method 9 or 10 contingent on an update to our policy or on a BR change
> that creates a new method number.
>
> This is:
> https://github.com/mozilla/pkipolicy/issues/121
> https://github.com/mozilla/pkipolicy/issues/116
> https://github.com/mozilla/pkipolicy/issues/115
>
> [1] https://cabforum.org/2018/02/05/ballot-218-remove-validation-methods-1-5/
> [2] https://cabforum.org/2017/09/19/ballot-190-revised-validation-requirements/
> [3] https://datatracker.ietf.org/doc/draft-ietf-acme-tls-alpn/

I think this all sounds reasonable. The only question is where can CAs (particularly, new CAs) find whether or not Mozilla has communicated regarding existing methods? I presume CAs are expected to read and review CA communications?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy