Closing the discussion period and opening up the voting period.
Ballot SC-082 is proposed by Michael Slaughter (Amazon Trust Services) and endorsed by Martijn Katerbarg (Sectigo) and Wayne Thayer (Fastly).
— Purpose of Ballot SC-082 —
The purpose of this ballot is to clarify the practice of CA Assisted DNS Validation and add constraints under Method 7 (3.2.2.4.7 DNS Change). Modification of other domain validation methods and the introduction of new domain validation methods are not in scope of this ballot but may be addressed in a future ballot.
Background:
CA Assisted DNS Validation is the practice where Certification Authorities (CAs) instruct Applicants to create Canonical Name (CNAME) records specifically for the purpose of assisting the Applicant with Domain Control Verification (DCV) of their domain.
At F2F 59 (July 2023), the Validation Subcommittee of the Server Certificate WG presented the following conclusions on the practice of CA Assisted DNS Validation:
A tiger team was formed to threat model CA Assisted DNS Validation and propose modifications to the BRs to add clarity and constraints around the practice under section 3.2.2.4.7. The results of the threat model exercise [1] were presented and discussed at F2F 60 [2] and F2F 61 [3].
Overview of Changes:
References:
[1] Validation SC Threat Modeling Doc: https://docs.google.com/document/d/1G2GYb0eg0rqE23f844J8qs7RYGU1jFVDsU5Pf7UYg3g/edit
[2] F2F-60 Presentation: https://docs.google.com/presentation/d/1M80h1N7MpBuqvZS0FdtJ_zj-AsaFxu7BNBSUJ6Ia5jU/edit?usp=sharing
[3] F2F-61 Presentation: https://docs.google.com/presentation/d/1rKW7I5jOYh37jQFtd1S-fKIs0j-dCAyUUU-fq_C8UKw/edit?usp=sharing
[4] https://github.com/cabforum/servercert/pull/501
The following motion has been proposed by Michael Slaughter (Amazon Trust Services) and endorsed by Martijn Katerbarg (Sectigo) and Wayne Thayer (Fastly)
GitHub pull request for this ballot: https://github.com/cabforum/servercert/pull/501
— Motion Begins —
MODIFY the "Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates" ("TLS Baseline Requirements") based on Version 2.0.9 as specified in the following redline:
— Motion Ends —
This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:
Discussion (7 days)
- Start: 2024-11-12 17:30:00 UTC
- End no earlier than: 2024-11-19 17:30:00 UTC
Vote for approval (7 days)
- Start: 2024-11-20 18:30:00 UTC
- End: 2024-11-27 18:30:00 UTC
--
You received this message because you are subscribed to the Google Groups "Server Certificate WG (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to servercert-w...@groups.cabforum.org.
To view this discussion visit https://groups.google.com/a/groups.cabforum.org/d/msgid/servercert-wg/591A7733-9F52-4049-9B88-9B9274F3C78E%40amazon.com.
I need to correct/clarify my answer to the Canonical Authorization Domain Name question I provided below.
Question: Is [Canonical Authorization Domain Name] intended to convey any other intrinsic property, separate from a “basic” ADN?
Thanks,
M. Slaughter
On Nov 21, 2024, at 7:21 AM, 'Slaughter, Michael' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org> wrote:
Hi Clint,
Given that the voting period for this ballot has opened, I will specifically address the questions, suggestions and claims related to the language in this ballot. I apologize if I missed something.
As stated in the purpose section of the ballot, the intent of this ballot is to clarify and constrain an existing capability of CAs under method 3.2.2.4.7 rather than introduce or confer CAs new capabilities.
Question: Is [Canonical Authorization Domain Name] intended to convey any other intrinsic property, separate from a “basic” ADN?
- Response: The purpose of the CADN definition is to 1) enhance the readability of the ballot language and 2) convey the structure of the CNAME used for this purpose. It specifies that the CNAME “Name” is an underscore prefixed subdomain of the domain being validated and that the CNAME “RDATA” is where the CADN is located. In your example, the CADN would be “applicant-account-binding-id.otherdomain.com” rather than “otherdomain.com”.
Suggestion: Include a future effective date to allow for any required changes to systems.
- Response: I have not received feedback regarding an effective date or the need for one, which is why it was not included. I would appreciate feedback from CAs on 1) whether an effective date is required at all for the changes included in this ballot and 2) if so, what a reasonable effective date might be.
Suggestion: Consider adding this as a new validation method (3.2.2.4.21) instead of as an extension to 3.2.2.4.7.
- Response: The purpose of this ballot is to clarify and constrain the practice of CA assisted DNS validation in the context of method 7. This course of action was decided based on the conclusions presented at F2F59 by the validation subcommittee after years of discussion, and on the fact that there are reasonable interpretations of the BRs under which this practice is already allowed today. As you may recall, we decided the first step was to clarify the practice under method 7. Creating a new validation method with additional constraints as you suggested is a fruitful idea that has always been considered the logical next step following this 3.2.2.4.7 clarification ballot.
Claim: “By delegating an Authorization Domain Name to the CA, the CA arguably (as written today) becomes an Applicant Representative.”
- Response: I do not believe there is anything in the current proposed ballot language that could reasonably be interpreted as changing the status of a “CA” to a natural person or human sponsor who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant. Existence of a CADN does make the CA an authorized agent who:
- signs and submits, or approves a certificate request on behalf of the Applicant, and/or
- signs and submits a Subscriber Agreement on behalf of the Applicant, and/or
- acknowledges the Terms of Use on behalf of the Applicant when the Applicant is an Affiliate of the CA or is the CA.
Claim: “[this ballot] introduces an explicitly approved channel through which a CA could request and issue certificates to themselves (or another party)”
- Response: This ballot does not include language that grants CAs the ability to request and issue certificates to themselves (or another party).
Claim: “The risks associated with [the one-time creation of a DNS record which does not naturally expire or require interaction to maintain] are strongly — but not solely — tied to (shorter) certificate lifetimes and validation data reuse period.”
- Response: This ballot does not address (nor is it intended to address) concerns related to certificate validity and domain validation reuse periods. As you identified, those are rightfully being discussed and considered for all domain validation methods in SC-81.
That is correct. The intent of this definition is not to create a new concept but rather constrain the usage of existing concepts in a specific context. An Applicant today has the ability to configure a CNAME from an underscore-prefixed subdomain they control to a DNS location where the TXT token resides the Applicant may or may not control.
To confirm, within the scope of the BRs today, would “applicant-account-binding-id.otherdomain.com” be considered a valid ADN today? That is, this structure of forming an ADN from CNAME records exists today and a CADN solely as defined in the ballot can exist today?

From this, it sounds like the ballot did take into consideration the past disagreements (and associated recommendations/proposals) with the conclusion that the process described therein is currently allowed; am I understanding that correctly?
That is correct. The validation subcommittee conclusions, the threat modeling exercise, F2F presentations directly led to the ballot language presented here. That context was referenced in the Threat model, the presentations, the ballot text and the ballot preamble.
In the current ballot it states: “…. Applicants to add a CNAME record containing a Canonical Authorization Domain Name controlled by the CA.” If the CA controls the Canonical Authorization Domain Name, the CA is now operating infrastructure which is representing the Applicant, expressly granted by the Applicant. This seems well in line with interpretations we’ve seen on numerous occasions in the Web PKI.

From the F2F 60 presentation, it appears that at one point the intent was to enforce a rule which ensured a unique account binding, however this doesn’t appear present in the ballot and (in part) leads to the concern highlighted here.
The ballot includes the following language: “the CA MUST ensure that each Canonical Authorization Domain Name is used for a unique Applicant, and not shared across multiple Applicants”. The ballot does not intend to define how a CA models applicants into accounts.
Is an Applicant Representative able to request Certificates on behalf of an Applicant?

Is there language in the TBRs which provides clear, unequivocal restrictions which prevent a CA from qualifying and acting as an Applicant Representative?

Does this ballot introduce language that establishes a relationship between an Applicant and a CA wherein the CA represents the Applicant to the CA for the purpose and within the process of validating control of an Applicant’s Domain?
While these are interesting questions, I think definitively answering them is out of scope for this ballot. The reason is that the answers apply not just to a modified Method 7 but also to any existing domain validation method, including Method 7 as it stands today.
My understanding here is that there are known risks associated with the changes included in this ballot that the ballot intentionally does not address. To be clear, I’m not trying to indicate that it should, but I am trying to understand the intent.
As we discussed during the Threat Modeling meetings, the perspective of this ballot is that there are numerous threats that exist today under Method 7. The intent of the exercise and this ballot was to identify a set of mitigations for those threats that work to ensure that CAs that currently (or plan to) assist Applicants with automation do so under a reasonable set of constraints.
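The exchange above describes the DNS shape this ballot constrains: the CNAME "Name" is an underscore-prefixed subdomain of the domain being validated, its RDATA is the Canonical Authorization Domain Name on CA-side infrastructure where the TXT token lives, and each CADN may be bound to only one Applicant. The following is an added illustration of a CA-side check for that shape; it is not part of the ballot text, the BRs, or any CA's code. The zone data is constructed in memory rather than looked up in live DNS, and the label "_dcv-token", the host "otherdomain.com", the account identifiers and the token values are assumptions for the example only.

```python
from dataclasses import dataclass, field

# Constructed zone data standing in for live DNS: (owner, type) -> RDATA values.
ZONE = {
    # Applicant A's domain: underscore-prefixed subdomain CNAMEd to the CADN.
    ("_dcv-token.example.com", "CNAME"): ["applicant-account-binding-id.otherdomain.com."],
    # The CADN, on CA-controlled infrastructure, carries the TXT token.
    ("applicant-account-binding-id.otherdomain.com", "TXT"): ["ca-random-value-8f3a"],
    # Applicant B's domain CNAMEd to the *same* CADN (must be rejected).
    ("_dcv-token.example.net", "CNAME"): ["applicant-account-binding-id.otherdomain.com"],
    # A CNAME loop, to show the resolver bails out instead of spinning.
    ("_dcv-token.example.org", "CNAME"): ["loop.otherdomain.com"],
    ("loop.otherdomain.com", "CNAME"): ["_dcv-token.example.org"],
}


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def lookup(name: str, rtype: str) -> list[str]:
    return ZONE.get((_norm(name), rtype), [])


def resolve_cadn(fqdn: str, label: str = "_dcv-token", max_hops: int = 8):
    """Follow the CNAME chain starting at <label>.<fqdn>.

    Returns (cadn, txt_values): the CADN is the final CNAME target, and the
    TXT values read there are what the CA compares against its Random Value.
    Raises ValueError when no CNAME is present (not a CA-assisted setup),
    on a CNAME loop, or when the chain exceeds max_hops.
    """
    name = _norm(f"{label}.{fqdn}")
    seen = set()
    cadn = None
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        targets = lookup(name, "CNAME")
        if not targets:
            break
        cadn = name = _norm(targets[0])
    else:
        raise ValueError("CNAME chain exceeds max_hops")
    if cadn is None:
        raise ValueError(f"no CNAME at {name}; not a CA-assisted setup")
    return cadn, lookup(cadn, "TXT")


@dataclass
class CaAssistedDcv:
    """Toy CA-side state: Random Value issued per Applicant, plus CADN ownership."""
    random_values: dict[str, str]                              # applicant id -> Random Value
    cadn_owner: dict[str, str] = field(default_factory=dict)   # CADN -> applicant id

    def validate(self, applicant: str, fqdn: str) -> tuple[bool, str]:
        try:
            cadn, txts = resolve_cadn(fqdn)
        except ValueError as e:
            return False, str(e)
        # Ballot constraint: a CADN is used for a unique Applicant, never shared.
        owner = self.cadn_owner.setdefault(cadn, applicant)
        if owner != applicant:
            return False, f"{cadn} is already bound to another Applicant"
        # Method 7 check: the CA's Random Value must appear in TXT at the CADN.
        if self.random_values[applicant] not in txts:
            return False, f"Random Value not present in TXT at {cadn}"
        return True, cadn


if __name__ == "__main__":
    dcv = CaAssistedDcv({"acct-A": "ca-random-value-8f3a", "acct-B": "ca-random-value-1c2d"})
    for acct, domain in [("acct-A", "example.com"), ("acct-B", "example.net"),
                         ("acct-A", "example.org"), ("acct-A", "no-cname.test")]:
        print(acct, domain, dcv.validate(acct, domain))
```

The uniqueness check is applied before the token comparison, so a second Applicant whose `_dcv-token` label points at an already-bound CADN is refused regardless of what the TXT record says. The example deliberately does nothing about the concern raised earlier in the thread, that the CNAME record persists without expiry; that is outside what this ballot changes.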
Amazon Trust Services votes yes.
From: 'Slaughter, Michael' via Server Certificate WG (CA/B Forum) <server...@groups.cabforum.org>
Sent: Wednesday, November 20, 2024 10:28
To: server...@groups.cabforum.org
Subject: [EXTERNAL] [Servercert-wg] Voting Period Begins - Ballot SC-082: "Clarify CA Assisted DNS Validation under 3.2.2.4.7"
GlobalSign votes Yes on Ballot SC-082.
Doug
Entrust votes Yes to ballot SC-082.
Bruce.
Kind regards,
Kateryna Aleksieieva
DigiCert votes YES on SC-082.
-Tim
Visa votes Yes to Ballot SC-082.
Marcelo
Chunghwa Telecom votes YES on Ballot SC-082
Regards,
Tsung-Min Kuo
CFCA votes Yes to Ballot SC-082.
qiudawei
TWCA votes "yes" on ballot SC-082.
Best Regards
蔡家宏 Chya-Hung Tsai
Director
Identification & Certificate Research
Tel: +886-2-2370-8886 ext. 722
Fax: +886-2-2388-6720
Email: cht...@twca.com.tw
10F., No. 85, Yanping South Road,
Taipei 100002, Taiwan(R.O.C.)
https://www.twca.com.tw
SECOM Trust Systems ABSTAINS on Ballot SC-082.
We believe more discussion is preferable.
Best Regards,
ONO, Fumiaki
SECOM Trust Systems Co., Ltd.
Telia votes ’Yes’ on Ballot SC-82.
//Antti
SwissSign votes 'yes' on SC-082
Mike
Buypass ABSTAINS from voting on ballot SC-082. We agree with Dimitris that more discussion is required.
Regards
Mads
IdenTrust votes “Yes” on Ballot SC-082
Marco S.
TrustID Program Manager
Sectigo votes YES to ballot SC-82.
While we agree with some of the comments made by Clint / Apple, we remain supportive of the ballot in its current state.
In our opinion, CA Assisted DNS Validation is an enhancement and specific allowance for a practice within the scope of an existing validation method. While we can see why it might be beneficial to scope this into a completely new defined validation method, we would raise that the same should in that case go for DNS TXT vs DNS CNAME, as well as DNS validation using Random Value vs DNS validation using Request Tokens.
Such a separation specification would however (in our opinion) be reasonable to perform through a subsequent ballot, rather than the current SC-82.
Should SC-82 ultimately fail, we would be supportive of a ballot making further changes to the DCV methods within the BRs, including the proposed options of ballot SC-82.
VikingCloud votes Yes on SC-082.
Regards,
Andrea Holland
GoDaddy votes YES to Ballot SC-082
Cheers,
Steven