<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1132091234;
mso-list-template-ids:1020300042;}
@list l0:level1
{mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level2
{mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level3
{mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level4
{mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level5
{mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level6
{mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level7
{mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level8
{mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level9
{mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1
{mso-list-id:1437209353;
mso-list-template-ids:25753316;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="NO-BOK" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US">Then I think we should change the requirements.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US">As a representative for a CA with a background in strong identity validation (both for natural and legal persons) I find these examples from Ryan and Jeremy to represent
a very bad practice. If this really reflects the current practice in the industry, we need to tighten up the requirements and make them much more specific.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US">From my point of view (and with my background) I find method 3.2.2.4.1 useful. We must remember that the domain validation methods also are used for EV (and not only OV)
and when we have a strongly validated and verified organization (e.g. based on the EV requirements) it makes sense to allow for the organization to apply for certificates including domain names owned by the organization itself.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US">I understand that there are doubts about how to ensure that the organization really owns the domain (like in Jeremy’s example), but it should not be too hard to “strengthen”
the link between the applicant and the domain owner in terms of rewriting section 3.2.2.4.1. A match in the organization name only should of course not be allowed.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US">In Norway every organization is given a unique organization number by a national authority and in the registry for the TLD=.no domains (see
<a href="http://www.norid.no">www.norid.no</a>) we find this organization number as a part of the domain name registrant information. In such cases, we allow for issuance based on 3.2.2.4.1 if the domain name registrant information exactly match organization
information (i.e. by country, organization name and organization number). I think this is a reasonable use case for method 3.2.2.4.1.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US">Personally I am more concerned about the possibility we give to any stakeholder in the ecosystem who takes a role in controlling a domain to get an OV (and EV) certificate
based on domain control only. This was discussed also in the F2F meeting in Bilbao last year – see
<a href="https://cabforum.org/2016/05/25/2016-05/#The-Role-of-Identity-in-TLS-Certificates">
https://cabforum.org/2016/05/25/2016-05/#The-Role-of-Identity-in-TLS-Certificates</a>.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US">Therefore, I am supportive for a ballot which removes 3.2.2.4.5 and keep 3.2.2.4.1 but strengthen this up to allow for use cases like the one described above.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US">Regards<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US">Mads </span><span style="color:#1F497D;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Public [mailto:public-bounces@cabforum.org]
<b>On Behalf Of </b>Jeremy Rowley via Public<br>
<b>Sent:</b> onsdag 3. januar 2018 05:47<br>
<b>To:</b> geoffk@apple.com; CA/Browser Forum Public Discussion List <public@cabforum.org><br>
<b>Subject:</b> Re: [cabfpub] Verification of Domain Contact and Domain Authorization Document<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-US">I disagree. The requirements do not specify that. All that is required is the name of the applicant was verified under 3.2.2.1 and that the register specify the domain contact is the applicant. If Google, Inc. is specified
as the domain contact, no address matching is required.<o:p></o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span lang="EN-US"><o:p> </o:p></span></a></p>
<span style="mso-bookmark:_MailEndCompose"></span>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> <a href="mailto:geoffk@apple.com">
geoffk@apple.com</a> [<a href="mailto:geoffk@apple.com">mailto:geoffk@apple.com</a>]
<br>
<b>Sent:</b> Tuesday, January 2, 2018 4:34 PM<br>
<b>To:</b> Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>>; CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org">public@cabforum.org</a>><br>
<b>Cc:</b> Ryan Sleevi <<a href="mailto:sleevi@google.com">sleevi@google.com</a>>; Adriano Santoni <<a href="mailto:adriano.santoni@staff.aruba.it">adriano.santoni@staff.aruba.it</a>><br>
<b>Subject:</b> Re: [cabfpub] Verification of Domain Contact and Domain Authorization Document<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN-US"><o:p> </o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span lang="EN-US">On Dec 22, 2017, at 12:09 PM, Jeremy Rowley via Public <<a href="mailto:public@cabforum.org">public@cabforum.org</a>> wrote:<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">The attack vector is easier than that.<span class="apple-converted-space"> </span><o:p></o:p></span></p>
</div>
<ol style="margin-top:0cm" start="1" type="1">
<li class="MsoNormal" style="mso-list:l0 level1 lfo3"><span lang="EN-US">I use very stringent processes to verify that Google, Inc. is a legit company in Utah.<o:p></o:p></span></li><li class="MsoNormal" style="mso-list:l0 level1 lfo3"><span lang="EN-US">I verify that Jeremy did indeed incorporate Google, Inc.<span class="apple-converted-space"> </span><o:p></o:p></span></li><li class="MsoNormal" style="mso-list:l0 level1 lfo3"><span lang="EN-US">I call Jeremy at the phone listed for Google, Inc., the Utah corporation<o:p></o:p></span></li><li class="MsoNormal" style="mso-list:l0 level1 lfo3"><span lang="EN-US">The domain information shows Google, Inc. as owning<span class="apple-converted-space"> </span><a href="http://google.com/"><span style="color:purple">google.com</span></a><o:p></o:p></span></li><li class="MsoNormal" style="mso-list:l0 level1 lfo3"><span lang="EN-US">Certificate issues.<o:p></o:p></span></li></ol>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">Obviously this would be caught in every CA’s high risk checks, but the point remains valid. Regardless of the expertise and thoroughness of the org check, the specs lack any time between the verified org and the actual
domain because orgs are not unique on a global basis.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
</div>
</blockquote>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">For item 4, you have to verify that “the Applicant is the Domain Contact”. Obviously it’s insufficient to just compare names—you must verify every element of the WHOIS contact matches the Applicant, that’s typically
name, postal address, phone number, and e-mail.<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
</div>
</body>
</html>