SC-093: Include Validation Methods in Certificates #554
Conversation
Introduce two new extensions in Section 7 of the TBRs * Add extensions to 7.1.2.7.6 * Add new section 7.1.2.12 with subsections for the Domain Validation Methods Extension and the IP Address Validation Methods Extension
* Updated how the profile extension definitions refer to the new sections (i.e. removed the notes, added the pointer in the "presence" column) * Removed allowance of putting in multiple validation methods for a single SAN entry * Added extensibility indicator to the namedbitlist and (hopefully) fixed the formatting to follow X.680 07/2002 style
Removing text that is not clear in its interaction with certificate encoding and duplicative of what the ASN.1 encoding describes
The methods that are no longer supported have been removed from the list in 7.1.2.12.1 Method 20 was erroneously missed and has been added to the list in 7.1.2.12.1
|
as I said on issue, onion validation methods in appendix B needs care: I won't tell which way because I'm kinda shy from being a 'intrested party': I feels I'm not worth such name, but not want to create IP problem. |
Add extension supporting use of the validation method for Onion Domain Names in Appendix B, subsection 2.b Onion Domain Names validated according to Appendix B, subsection 2.a use the Domain Name Validation Method Extension.
Added SHOULD for 2025, with the MUST for 2026
Add methods 21 and 22 Include Onion Domain Names more comprehensively
clintwilson
changed the title
clintwilson
changed the title
| This extension has the following format: | ||
|
|
||
| ``` ASN.1 | ||
| cabf OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) } |
There was a problem hiding this comment.
Consider creating an arc under joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140) certificate-extensions(3) for the TLS BR and assigning the three extension OIDs under that.
This will ensure that there will be no conflict if other CABF documents adopt similar extensions.
Co-authored-by: Corey Bonnell <[email protected]>
Co-authored-by: Corey Bonnell <[email protected]>
Co-authored-by: Corey Bonnell <[email protected]>
| IPAddressValidationMethods IDENTIFIED BY id-cabf-IPAddressValidationMethods } | ||
| ``` | ||
|
|
||
| #### 7.1.2.12.3 Onion Domain Name Validation Method Extension |
There was a problem hiding this comment.
The complexity of this section, combined with the readable simplicity of the new table proposed by #627, makes me ask: why is Onion validation still in an appendix?
We should remove Appendix B and pull the "provide a CSR signed by the onion key" method directly into a new subsection of 3.2.2.4. Then the entirety of this new 7.1.2.12.3 can become just a single bullet point in 7.1.2.12.1.
|
Google Trust Services does not see meaningful utility or value add by including validation method information in certificates. Others have already commented on some of these issues before but we'll highlight some of them regardless:
While more ecosystem data is nice, there are other ways to get better data on validation methods without adding bits to every certificate. One possible way would be for CAs to self-report this data via the CCADB self-assessment and having the CCADB steering committee publish an annual report. This is just one way and there are likely others. GTS would be in favor of pursuing those alternate methods instead of adding this data to certificates directly. |
As discussed in #459 and previously in Ballot 226 (circa 2018), there is value in having data available within Certificates indicating what domain and/or IP Address Validation Methods have been used by a CA to verify Subscriber control or ownership of the SAN values included in the Certificate.
Building on the discussion and approach determined in 2018 as most appropriate for conveying this information, this Ballot introduces two new extensions which house the Validation Methods used to issue a Certificate.