<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:宋体;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@宋体";
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML 预设格式 Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
span.HTMLChar
{mso-style-name:"HTML 预设格式 Char";
mso-style-priority:99;
mso-style-link:"HTML 预设格式";
font-family:Consolas;
color:black;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><b><span style='font-family:"Calibri",sans-serif'>WoSign</span></b><span style='font-family:"Calibri",sans-serif'> also <b>do not</b> agree with our company being listed as "affected", as our CPS and our online application system does not allow non-whitelist email addresses for domain control validation.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif'>I send email to Cert, but don’t get any response. </span><span style='font-family:"Calibri",sans-serif;color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Best Regards,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Richard<o:p></o:p></span></p></div><p class=MsoNormal><span style='font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Adriano Santoni - Actalis S.p.A.<br><b>Sent:</b> Monday, March 30, 2015 10:55 PM<br><b>To:</b> public@cabforum.org<br><b>Cc:</b> CERT.org<br><b>Subject:</b> Re: [cabfpub] Non-whitelisted email addresses used for DV issuing<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif'>Hello, <br><br>I am quoting below, with the author's permission, the reply I got from Will Dormann after I enquired CERT about why we (and several other CAs as well) are listed as "affected" by that problem. <br><br>I do not agree with our company being listed as "affected", as our CPS does not allow non-whitelist email addresses. However, Will's rationale is that - regardless of the BRs - domain validation by email is a security problem in itself, even when only whitelisted email addresses are used:<br><br>-----BEGIN QUOTE-----</span><br><br><o:p></o:p></p><pre>Hi Adriano,<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Thanks for the feedback. We've been debating the concept of how to<o:p></o:p></pre><pre>list the varios root CAs. One stance is that email alone is<o:p></o:p></pre><pre>insufficient to verify domain ownership. Consider the many sites that<o:p></o:p></pre><pre>offer email services to end users. If a single host fails to block<o:p></o:p></pre><pre>creation of a single "special" alias that can be used to register an<o:p></o:p></pre><pre>SSL certificate, then their site can be impersonated. This perhaps<o:p></o:p></pre><pre>isn't widely known as recent articles indicate:<o:p></o:p></pre><pre><a href="https://raymii.org/s/blog/How_I_got_a_valid_SSL_certificate_for_my_ISPs_main_website.html"><https://raymii.org/s/blog/How_I_got_a_valid_SSL_certificate_for_my_ISPs_main_website.html></a><o:p></o:p></pre><pre><a href="http://arstechnica.com/security/2015/03/bogus-ssl-certificate-for-windows-live-could-allow-man-in-the-middle-hacks/"><http://arstechnica.com/security/2015/03/bogus-ssl-certificate-for-windows-live-could-allow-man-in-the-middle-hacks/></a><o:p></o:p></pre><pre><o:p> </o:p></pre><pre>One of the purposes of the vulnerability note is to raise awareness of<o:p></o:p></pre><pre>the situation (the existence of these special email addresses).<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Alternatively, the vulnerability note could be scoped to only list CAs<o:p></o:p></pre><pre>that accept email aliases outside of those 5 addresses. Here are some<o:p></o:p></pre><pre>examples or root CAs and resellers that allow email addresses outside<o:p></o:p></pre><pre>of the 5 listed in the BR:<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><a href="http://certum.eu/certum/cert,offer_Commercial_SSL.dxml?MEDIA=pdf"><http://certum.eu/certum/cert,offer_Commercial_SSL.dxml?MEDIA=pdf></a><o:p></o:p></pre><pre><a href="http://evssl.com.ua/docs/thawte/enroll_ssl123_eng.pdf"><http://evssl.com.ua/docs/thawte/enroll_ssl123_eng.pdf></a><o:p></o:p></pre><pre><<a href="https://www.thawte.com/assets/documents/guides/simplify-ssl-certificate-managem">https://www.thawte.com/assets/documents/guides/simplify-ssl-certificate-managem</a><o:p></o:p></pre><pre>ent-enterprise.pdf><o:p></o:p></pre><pre><a href="http://host.dynamicwebhost.net/features/approvedemail.htm"><http://host.dynamicwebhost.net/features/approvedemail.htm></a><o:p></o:p></pre><pre><a href="https://www.geocerts.com/api_spec.pdf"><https://www.geocerts.com/api_spec.pdf></a><o:p></o:p></pre><pre><<a href="http://account.buyhttp.com/knowledgebase/753/Which-email-address-can-approve-SS">http://account.buyhttp.com/knowledgebase/753/Which-email-address-can-approve-SS</a><o:p></o:p></pre><pre>L-certificate-order.html><o:p></o:p></pre><pre><a href="https://www.onestepssl.com/onestepssl_validation_process.php"><https://www.onestepssl.com/onestepssl_validation_process.php></a><o:p></o:p></pre><pre><a href="http://www.domainpurpose.com/ssl-faqs.htm"><http://www.domainpurpose.com/ssl-faqs.htm></a><o:p></o:p></pre><pre><a href="http://kb.canvashost.com/?p=935"><http://kb.canvashost.com/?p=935></a><o:p></o:p></pre><pre><o:p> </o:p></pre><pre>snip<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Or see variants of:<o:p></o:p></pre><pre><<a href="http://www.google.com/search?q=">http://www.google.com/search?q=</a>"ssladmin%40yourdomain.com"><o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre>Where this gets tricky is determining which CAs to list as affected.<o:p></o:p></pre><pre>If a root CA currently accepts an email outside of the list of 5, then<o:p></o:p></pre><pre>that's straightforward. But what about when an SSL reseller lists<o:p></o:p></pre><pre>such an address? How can a reseller have the authority to say what is<o:p></o:p></pre><pre>valid proof of domain ownership, as it would seem that the upstream<o:p></o:p></pre><pre>root CA would be the one that performs the validation? What about<o:p></o:p></pre><pre>cases where a root CA has accepted a non-standard email address in the<o:p></o:p></pre><pre>past, but no longer does now? If I purchased a certificate in the<o:p></o:p></pre><pre>past where the CA was more lax, then that still leaves me with a valid<o:p></o:p></pre><pre>cert that can be used for impersonation / interception of traffic.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>Currently, the note is scoped as the acceptance of email as proof of<o:p></o:p></pre><pre>domain ownership in general. Yes, we are aware that the Baseline<o:p></o:p></pre><pre>Requirements document<o:p></o:p></pre><pre><a href="https://cabforum.org/baseline-requirements-documents/"><https://cabforum.org/baseline-requirements-documents/></a> lists email<o:p></o:p></pre><pre>addresses that can be used for this purpose. Our stance currently is<o:p></o:p></pre><pre>that this BR document should perhaps be updated, and that email<o:p></o:p></pre><pre>addresses should not be used as proof. If ownership of a domain is<o:p></o:p></pre><pre>the question, then the proof should be something domain-related, such<o:p></o:p></pre><pre>as WHOIS or the creation of a DNS entry, in our opinion. Not email.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre><o:p> </o:p></pre><pre>Thank you,<o:p></o:p></pre><pre> Will Dormann<o:p></o:p></pre><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-family:"Calibri",sans-serif'>-----END QUOTE-----<br><br>Adriano<br><br><br></span><o:p></o:p></p><div><p class=MsoNormal>Il 30/03/2015 11:47, Sigbjørn Vik ha scritto:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><pre>Hi,<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>According to <a href="http://www.kb.cert.org/vuls/id/591120">http://www.kb.cert.org/vuls/id/591120</a>, some issuers use<o:p></o:p></pre><pre>non-whitelisted email addresses to verify domain ownership.<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>The only link to such is<o:p></o:p></pre><pre><a href="http://account.buyhttp.com/knowledgebase/753/Which-email-address-can-approve-SSL-certificate-order.html">http://account.buyhttp.com/knowledgebase/753/Which-email-address-can-approve-SSL-certificate-order.html</a><o:p></o:p></pre><pre>(sic), it is unclear how many issuers this affects.<o:p></o:p></pre><pre><o:p> </o:p></pre></blockquote><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>-- <br><i>Adriano Santoni</i> <o:p></o:p></p></div></div></body></html>