[cabfpub] Highlight repeated non-acceptable practices, clarify requirements and discuss about DTPs

Aaron Gable aaron at letsencrypt.org
Thu Jan 11 16:53:26 UTC 2024


For the sake of discussion, here's a concrete proposal for how to easily
clarify that use of a public (third-party) DNS resolver is forbidden:

Add to Section 3.2.2.4, immediately after the two numbered sentences:
"All DNS queries conducted in the course of validation MUST be made from
the CA to authoritative nameservers, i.e. without the use of recursive
resolvers operated by third parties."

This proposal does not address the possibility that we could establish a
lightweight audit scheme that third-party recursive resolvers could satisfy
to be allowed. It also does not address the possibility that CAs are
unknowingly using delegated third parties for other aspects of domain
validation, such as Mailchimp / Sendgrid for sending emails. But it's a
starting point to kick off discussion.

Thanks,
Aaron

On Wed, Dec 27, 2023 at 11:09 PM Dimitris Zacharopoulos (HARICA) via Public
<public at cabforum.org> wrote:

>
> Dear Members,
>
> While monitoring a specific recent bugzilla incident, I realized that it
> is very easy to unintentionally misinterpret some parts within the Forum
> Guidelines that can lead to compliance problems. I think it is our
> obligation as a Forum to monitor compliance issues reported by CAs or
> independent researchers and in case of repeated incidents, suggest
> clarification language in the Forum's Guidelines. Nobody wants more
> incidents, but a repeated pattern doesn't necessarily mean negligence on
> the CA's part. It could very well be that the Guidelines are not well
> written in some areas.
>
> In that regard, I would strongly encourage our Certificate Consumer
> Members, who continuously review and monitor incidents, to search for
> common patterns and try to locate the language in the Forum Guidelines
> that might be somewhat unclear, and work on improving those parts. Even
> if the language seems "clear enough", for cases that have caused
> multiple incidents by multiple CAs, it might be worth adding NOTES or
> NOTICES to highlight non-acceptable practices that have been
> misunderstood by multiple CAs.
>
> The Delegated Third Party concept is understandably very open and not
> very well defined. I recommend that all WGs try to clarify how DTPs could
> be used in the certificate lifecycle process, including
> Domain/Identity/Email Validation but also in the supporting
> infrastructure services like compute, storage, network, backup, WHOIS,
> DNS, Email, regular post, SMS, and more. Perhaps this is a task for the
> Network Security Working Group but some elements are specific to other WGs.
>
> My recommendation to all WGs is that when we see repeated patterns of
> practices that, by consensus, are not acceptable and do not meet the
> spirit and language of the Guidelines, try to highlight them in a type
> of "practices clarification" ballot series.
>
> Best wishes for a Happy New Year to all!
>
>
> Dimitris.
> CA/B Forum Chair
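The following is an added illustration of the resolution behaviour Aaron's proposed language describes (queries sent from the CA to authoritative nameservers, without a third-party recursive resolver); it is not CA/B Forum text and not any CA's validation code. The zone tree, the server addresses (RFC 5737 documentation ranges), the hypothetical third-party resolver address and the TXT record are all constructed for the example, and an in-memory transport stands in for real UDP/TCP queries. It walks the referral chain from the root hints with RD=0 on every query, and an audit over the query log flags any query that went somewhere other than a server learned through that chain, or that asked for recursion.

```python
"""Iterative DNS resolution that contacts only authoritative nameservers.

Added example for the proposal above, not CA/B Forum text or any CA's code.
The zone tree, addresses (RFC 5737 documentation ranges) and the TXT record
are constructed; a real implementation would send the same RD=0 queries over
UDP/TCP starting from the root hints instead of through this in-memory transport.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed authoritative servers: zone served, child delegations
# (zone -> glue addresses) and the records held.
AUTH_SERVERS: Dict[str, dict] = {
    "192.0.2.1": {"zone": ".", "delegations": {"example.": ["192.0.2.10"]}, "records": {}},
    "192.0.2.10": {"zone": "example.", "delegations": {"corp.example.": ["192.0.2.20"]},
                   "records": {}},
    "192.0.2.20": {"zone": "corp.example.", "delegations": {},
                   "records": {("_acme-challenge.www.corp.example.", "TXT"): ["constructed-token"]}},
}
ROOT_HINTS = ["192.0.2.1"]             # constructed stand-in for the root-server list
THIRD_PARTY_RESOLVER = "203.0.113.53"  # hypothetical public recursive resolver


@dataclass
class Response:
    aa: bool                                           # authoritative-answer flag
    answer: List[str] = field(default_factory=list)
    referral: List[str] = field(default_factory=list)  # glue for the child zone's servers


@dataclass
class LogEntry:
    server: str
    qname: str
    rd: int                # recursion-desired flag as sent
    referral: List[str]    # glue learned from this response


def in_zone(name: str, zone: str) -> bool:
    return zone == "." or name == zone or name.endswith("." + zone)


def make_transport(log: List[LogEntry]) -> Callable[[str, str, str, int], Response]:
    """In-memory stand-in for sending one DNS query to `server`; logs every query."""
    def send(server: str, qname: str, qtype: str, rd: int) -> Response:
        if server not in AUTH_SERVERS:
            # Anything outside the authoritative tree is modelled as a recursive
            # resolver: it answers, but the answer is not authoritative.
            resp = Response(aa=False, answer=["answer-from-recursive-resolver"])
        else:
            srv = AUTH_SERVERS[server]
            # Longest matching child delegation wins: hand back a referral with glue.
            child = max((z for z in srv["delegations"] if in_zone(qname, z)),
                        key=len, default=None)
            if child is not None:
                resp = Response(aa=False, referral=srv["delegations"][child])
            elif in_zone(qname, srv["zone"]):
                resp = Response(aa=True, answer=srv["records"].get((qname, qtype), []))
            else:
                resp = Response(aa=False)  # lame server: neither answer nor referral
        log.append(LogEntry(server, qname, rd, list(resp.referral)))
        return resp
    return send


def resolve_iteratively(qname: str, qtype: str, transport,
                        max_hops: int = 8) -> Tuple[List[str], List[str]]:
    """Walk from the root hints, following referrals, sending RD=0 every time.
    Returns (answer records, trail of servers contacted)."""
    if not qname.endswith("."):
        qname += "."
    candidates, trail = list(ROOT_HINTS), []
    for _ in range(max_hops):
        server = candidates[0]
        trail.append(server)
        resp = transport(server, qname, qtype, rd=0)
        if resp.aa:
            return resp.answer, trail
        if not resp.referral:
            raise LookupError(f"{server} returned neither an authoritative answer nor a referral")
        candidates = resp.referral
    raise LookupError("referral chain too long")


def resolve_via_recursive(qname: str, qtype: str, transport) -> List[str]:
    """The pattern the proposal forbids: one RD=1 query to a public resolver."""
    return transport(THIRD_PARTY_RESOLVER, qname, qtype, rd=1).answer


def audit(log: List[LogEntry]) -> List[str]:
    """Replay the log and report every query that went to a server not reached
    through the authoritative chain (root hints or glue from an earlier referral)
    or that asked for recursion. An empty list means the lookup complied."""
    reachable, violations = set(ROOT_HINTS), []
    for e in log:
        if e.server not in reachable:
            violations.append(f"{e.qname}: queried non-authoritative server {e.server}")
        if e.rd != 0:
            violations.append(f"{e.qname}: query to {e.server} requested recursion (RD=1)")
        reachable.update(e.referral)
    return violations
```

Running `resolve_iteratively("_acme-challenge.www.corp.example", "TXT", make_transport(log))` yields the constructed token via the trail 192.0.2.1 -> 192.0.2.10 -> 192.0.2.20 and an empty violation list, while `resolve_via_recursive` on a fresh log produces two findings (unknown server, RD=1). The audit deliberately derives "reachable" from the log itself rather than from a fixed allow-list, so the only addresses it accepts are the root hints and glue actually received in referrals, which is the property the proposed text is after.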