Ballot 190 – Revised Validation Requirements

Ballot overview

• Ballot 190, Revised Validation Requirements, is a Final Maintenance Guideline ballot from the Server Certificate Working Group.
• Its purpose is to re-introduce validation methods removed in ballots 180-181 because of IPR concerns, clarify aspects of the revised validation methods, and clarify the general rule in BR 4.2.1 on reuse of information and validations when validation methods change.

Voting result

• The ballot page states that the voting period ended and the ballot passed.
• CA voting: 19 yes, 0 no, 0 abstain.
• Browser voting: 2 yes, 0 no, 0 abstain.
• Quorum was met with 21 votes cast, and the required approval thresholds were met for both CAs and browsers.
• The ballot also states that at least one CA Member and one browser Member voted in favor.

Validation requirements added or revised

• The ballot amends BR 3.2.2.4 to define permitted domain validation methods and requires the CA to confirm each FQDN listed in the certificate before issuance.
• It adds or revises definitions for Authorized Ports, Test Certificate, and Wildcard Domain Name.
• It includes validation methods such as:
  • validating the applicant as a domain contact,
  • email, fax, SMS, or postal mail to domain contact,
  • phone contact with domain contact,
  • constructed email to domain contact,
  • domain authorization document,
  • agreed-upon change to website,
  • DNS change,
  • test certificate,
  • TLS using a random number.
• The ballot states that completed validations may be reused for multiple certificates over time, subject to the relevant time period in the requirements.
• It requires CAs to maintain a record of which domain validation method, including relevant BR version number, was used for every domain.

Reuse and high-risk request handling

• BR 4.2.1 is amended to allow reuse of prior validations or documents if the timing requirements are met.
• For subscriber certificates, the ballot states:
  • prior to March 1, 2018, the CA must have obtained the data or completed the validation no more than 39 months before issuance;
  • on or after March 1, 2018, the CA must have obtained the data or completed the validation no more than 825 days before issuance.
• The ballot requires CAs to develop, maintain, and implement documented procedures for additional verification activity for High Risk Certificate Requests.
• If a Delegated Third Party performs these obligations, the CA must verify that the delegated process provides at least the same level of assurance as the CA’s own processes.

Effective date and phasing

• The ballot text says that if the vote approves the ballot, a Review Period follows, and if no Exclusion Notices are filed, the ballot becomes effective at the end of the Review Period.
• The ballot procedure table gives the review period as 30 days after filing of the Review Notice by the Chair.
• The ballot page does not provide a single calendar effective date in the supplied evidence.
• The ballot also states that voting on Ballot 190 will begin tomorrow, and the voting period is shown as Sept 12, 2017 to Sept 19, 2017.