<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:908463025;
mso-list-type:hybrid;
mso-list-template-ids:-1727904260 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">All of the domain validation methods are weak and can generally be subverted by someone who has or can get administrative or technical control of a crucial
part of the domain or infrastructure (the hostmaster@ controversy with CERT is the same issue). Improving the validation of Domain Validated certificates is not the goal of this ballot.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">If this bothers you, use EV certificates, which use stronger authentication methods and prove actual identity, not just domain control.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">-Tim<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org]
<b>On Behalf Of </b>Eddy Nigg<br>
<b>Sent:</b> Thursday, April 16, 2015 11:08 AM<br>
<b>To:</b> public@cabforum.org<br>
<b>Subject:</b> Re: [cabfpub] Domain validation<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 04/16/2015 05:48 PM, Anoosh Saboori wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Sorry for late chime in, since I was out for few weeks and thanks Jeremy for sending this out. I have two questions:
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Regarding #5 below, it is not clear to me what constitutes as “Domain Authorization Document”? Can a lawyer send this document?
</span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">#6 does not seems to be at par with the rest of items which require checking CName record, DNS record changes, control over IP, … Anybody with a temporary control a web
site can pass this test. Can we make this requirement stronger, maybe by combing it with one of the other bullets?</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
I'm not sure, but number #9 seems to be a bit risky too - why should somebody controlling an IP address to which I point a host name of mine get a certificate for said domain? Example, if I point some host name to a service provider (Cloud, Akamai) they shouldn't
be able to obtain certificates for that.<o:p></o:p></p>
<div>
<p class="MsoNormal">-- <o:p></o:p></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td colspan="2" style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Regards <o:p></o:p></p>
</td>
</tr>
<tr>
<td colspan="2" style="padding:0in 0in 0in 0in">
<p class="MsoNormal"> <o:p></o:p></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Signer: <o:p></o:p></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Eddy Nigg, COO/CTO<o:p></o:p></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"> <o:p></o:p></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><a href="http://scanmail.trustwave.com/?c=4062&d=-tCv1V8b8Tc2Tr0WPF2RGuS9IhF9uI8s7bup7uir3w&s=5&u=http%3a%2f%2fwww%2estartcom%2eorg">StartCom Ltd.</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">XMPP: <o:p></o:p></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Blog: <o:p></o:p></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><a href="http://scanmail.trustwave.com/?c=4062&d=-tCv1V8b8Tc2Tr0WPF2RGuS9IhF9uI8s7en767-r2Q&s=5&u=http%3a%2f%2fblog%2estartcom%2eorg">Join the Revolution!</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Twitter: <o:p></o:p></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><a href="http://scanmail.trustwave.com/?c=4062&d=-tCv1V8b8Tc2Tr0WPF2RGuS9IhF9uI8s7b2g6b2o3w&s=5&u=http%3a%2f%2ftwitter%2ecom%2feddy%5fnigg">Follow Me</a><o:p></o:p></p>
</td>
</tr>
<tr>
<td colspan="2" style="padding:0in 0in 0in 0in">
<p class="MsoNormal"> <o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span style="color:windowtext"><o:p> </o:p></span></p>
</div>
</div>
<br>
<hr>
<font face="Arial" color="Gray" size="1"><br>
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information
contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.<br>
</font>
</body>
</html>