<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><font face="Calibri">👍</font><br>
</p>
<br>
<div class="moz-cite-prefix">On 04/01/2018 15:59, Tim Hollebeek via
Public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DM5PR14MB1289499DE099A11662094523831F0@DM5PR14MB1289.namprd14.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal">This characterization of CAs in general is
simply not true and I wish you would stop making it. It’s a
bunch of overly broad statements and mischaracterizations.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">There are some bad actors out there, and
some bad practices out there that need to be eliminated, but
using that to tar the entire industry with a broad brush is
misleading in the extreme.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">-Tim<o:p></o:p></p>
<p class="MsoNormal"><a name="_MailEndCompose"
moz-do-not-send="true"><o:p> </o:p></a></p>
<span style="mso-bookmark:_MailEndCompose"></span>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in
0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Public
[<a class="moz-txt-link-freetext" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Ryan
Sleevi via Public<br>
<b>Sent:</b> Wednesday, January 3, 2018 10:03 PM<br>
<b>To:</b> Bruce Morton
<a class="moz-txt-link-rfc2396E" href="mailto:Bruce.Morton@entrustdatacard.com"><Bruce.Morton@entrustdatacard.com></a>; CA/Browser
Forum Public Discussion List <a class="moz-txt-link-rfc2396E" href="mailto:public@cabforum.org"><public@cabforum.org></a><br>
<b>Subject:</b> Re: [cabfpub] [EXTERNAL]Re: Verification
of Domain Contact and Domain Authorization Document<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Given that CAs have competing interests
- namely, to sell certificates first and foremost, while
at the same time not doing anything too egregious to get
noticed and thus distrusted - I don't think it's
reasonable, particularly given the economic incentives and
industrial behaviour, to suggest that CAs would find this
as something to reject.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Most CAs, at the end of the day, mint
certs for money. CAs particularly concerned about
appearances such as market share are further
incentivized to make minting certs easier. It is thus
unsurprising that this sort of incentive structure
results in what we might term 'exploitative' (in a
security mindset), while the CA might call it
'innovative' or 'customer friendly'.<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Wed, Jan 3, 2018 at 5:41 PM, Bruce
Morton via Public <<a
href="mailto:public@cabforum.org" target="_blank"
moz-do-not-send="true">public@cabforum.org</a>>
wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC
1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="color:#1F497D">The requirement may mean a
LOT of things, but it is also qualified by
language such as “This method may only be used
if: 1. The CA authenticates the Applicant's
identity under BR Section 3.2.2.1 and the
authority of the Applicant Representative under
BR Section 3.2.5.”</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="color:#1F497D">I assume it will be stated
that the language in 3.2.2.1 and 3.2.5 also mean
a LOT of things, but this is the job of the CA
to create a policy which is effective. Per BR 5,
the CA should also do risk assessments and
security plans. Using this methodology will help
the CA close the loopholes in its processes. Of
course, if the CA still finds the risk too high,
then they can stop using the method.</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="color:#1F497D">Bruce.</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b>From:</b>
Public [mailto:<a
href="mailto:public-bounces@cabforum.org"
target="_blank" moz-do-not-send="true">public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Jeremy Rowley via Public<br>
<b>Sent:</b> January 3, 2018 5:25 PM<br>
<b>To:</b> <a href="mailto:geoffk@apple.com"
target="_blank" moz-do-not-send="true">geoffk@apple.com</a><br>
<b>Cc:</b> CA/Browser Forum Public Discussion
List <<a href="mailto:public@cabforum.org"
target="_blank" moz-do-not-send="true">public@cabforum.org</a>><br>
<b>Subject:</b> [EXTERNAL]Re: [cabfpub]
Verification of Domain Contact and Domain
Authorization Document<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">The
ambiguity is exactly why we need to remove method
1. I’ve seen all of the following:<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">1)<span
style="font-size:7.0pt;font-family:"Times
New Roman",serif"> </span>Approval
based on a name match<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">2)<span
style="font-size:7.0pt;font-family:"Times
New Roman",serif"> </span>Approval
based on an email match (same email as requester
or the email is a corporate email) – note that
this is a Domain Contact match<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">3)<span
style="font-size:7.0pt;font-family:"Times
New Roman",serif"> </span>Approval
based on address and name match<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">4)<span
style="font-size:7.0pt;font-family:"Times
New Roman",serif"> </span>Approval
based on a letter from the registrar<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">5)<span
style="font-size:7.0pt;font-family:"Times
New Roman",serif"> </span>Approval
based on a call to the registrar<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in">6)<span
style="font-size:7.0pt;font-family:"Times
New Roman",serif"> </span>Approval
based on a validation email to the registrar<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">All
of these are equally permitted by the
language, IMO, because “by validating the
Applicant has the same name as the Domain
Contact directly with the Domain
Name Registrar” can mean a LOT of things.<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><a
name="m_-1878068654978953830__MailEndCompose" moz-do-not-send="true"> </a><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid
#E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b>From:</b>
<a href="mailto:geoffk@apple.com"
target="_blank" moz-do-not-send="true">geoffk@apple.com</a>
[<a href="mailto:geoffk@apple.com"
target="_blank" moz-do-not-send="true">mailto:geoffk@apple.com</a>]
<br>
<b>Sent:</b> Wednesday, January 3, 2018
2:54 PM<br>
<b>To:</b> Jeremy Rowley <<a
href="mailto:jeremy.rowley@digicert.com"
target="_blank" moz-do-not-send="true">jeremy.rowley@digicert.com</a>><br>
<b>Cc:</b> CA/Browser Forum Public
Discussion List <<a
href="mailto:public@cabforum.org"
target="_blank" moz-do-not-send="true">public@cabforum.org</a>>;
Ryan Sleevi <<a
href="mailto:sleevi@google.com"
target="_blank" moz-do-not-send="true">sleevi@google.com</a>>;
Adriano Santoni <<a
href="mailto:adriano.santoni@staff.aruba.it"
target="_blank" moz-do-not-send="true">adriano.santoni@staff.aruba.it</a>><br>
<b>Subject:</b> Re: [cabfpub] Verification
of Domain Contact and Domain Authorization
Document<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">It
looks like we’re going to be removing
3.2.2.4.1, so this will be moot, but just to
explain the interpretation, 3.2.2.4.1 says
that what you are doing (this sentence is
the entire description of the method, the
rest of the section just limits its
application) is "Confirming the Applicant's
control over the FQDN by validating the
Applicant is the Domain Contact
directly with the Domain Name Registrar.”<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">This
is not a name match. If the BRs wanted to
say “by validating the Applicant has the
same name as the Domain Contact”, they would
say so. This is a one-and-the-same match,
it uses the word “is”. In the example
below, the CA must ensure that “Google Inc.,
the Utah corporation” is the same one as
shown in the WHOIS information, and all the
WHOIS information is relevant in confirming
this.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Another
important clarification is that if you use
3.2.2.1, it doesn’t just verify “the name of
the applicant”; it says that "the CA SHALL
verify the identity and address of the
organization”, not just the name. (Um…
actually, if you read it closely, you might
not verify the name at all, if you identify
the organization in another way, maybe with
some kind of ID number. That’s probably a
bug.)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On
2 Jan 2018, at 8:47 pm, Jeremy Rowley
<<a
href="mailto:jeremy.rowley@digicert.com"
target="_blank" moz-do-not-send="true">jeremy.rowley@digicert.com</a>>
wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I
disagree. The requirements do not
specify that. All that is required is
the name of the applicant was verified
under 3.2.2.1 and that the registrar
specifies the domain contact is the
applicant. If Google, Inc. is
specified as the domain contact, no
address matching is required.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<div style="border:none;border-top:solid
#E1E1E1 1.0pt;padding:3.0pt 0in 0in
0in">
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b>From:</b><span
class="m-1878068654978953830apple-converted-space"> </span><a
href="mailto:geoffk@apple.com"
target="_blank"
moz-do-not-send="true">geoffk@apple.com</a>
[<a href="mailto:geoffk@apple.com"
target="_blank"
moz-do-not-send="true">mailto:geoffk@apple.com</a>]<span
class="m-1878068654978953830apple-converted-space"> </span><br>
<b>Sent:</b><span
class="m-1878068654978953830apple-converted-space"> </span>Tuesday,
January 2, 2018 4:34 PM<br>
<b>To:</b><span
class="m-1878068654978953830apple-converted-space"> </span>Jeremy
Rowley <<a
href="mailto:jeremy.rowley@digicert.com"
target="_blank"
moz-do-not-send="true">jeremy.rowley@digicert.com</a>>;
CA/Browser Forum Public Discussion
List <<a
href="mailto:public@cabforum.org"
target="_blank"
moz-do-not-send="true">public@cabforum.org</a>><br>
<b>Cc:</b><span
class="m-1878068654978953830apple-converted-space"> </span>Ryan
Sleevi <<a
href="mailto:sleevi@google.com"
target="_blank"
moz-do-not-send="true">sleevi@google.com</a>>;
Adriano Santoni <<a
href="mailto:adriano.santoni@staff.aruba.it"
target="_blank"
moz-do-not-send="true">adriano.santoni@staff.aruba.it</a>><br>
<b>Subject:</b><span
class="m-1878068654978953830apple-converted-space"> </span>Re:
[cabfpub] Verification of Domain
Contact and Domain Authorization
Document<o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><o:p> </o:p></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On
Dec 22, 2017, at 12:09 PM,
Jeremy Rowley via Public <<a
href="mailto:public@cabforum.org" target="_blank" moz-do-not-send="true"><span
style="color:purple">public@cabforum.org</span></a>>
wrote:<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">The
attack vector is easier than
that.<span
class="m-1878068654978953830apple-converted-space"> </span><o:p></o:p></p>
</div>
</div>
<ol start="1" type="1">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
level1 lfo1">I use very
stringent processes to verify
that Google, Inc. is a legit
company in Utah.<o:p></o:p></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
level1 lfo1">I verify that
Jeremy did indeed incorporate
Google, Inc.<span
class="m-1878068654978953830apple-converted-space"> </span><o:p></o:p></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
level1 lfo1">I call Jeremy at
the phone listed for Google,
Inc., the Utah corporation<o:p></o:p></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
level1 lfo1">The domain
information shows Google, Inc.
as owning<span
class="m-1878068654978953830apple-converted-space"> </span><a
href="http://google.com/"
target="_blank"
moz-do-not-send="true"><span
style="color:purple">google.com</span></a><o:p></o:p></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
level1 lfo1">Certificate issues.<o:p></o:p></li>
</ol>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Obviously
this would be caught in every
CA’s high risk checks, but the
point remains valid.
Regardless of the expertise
and thoroughness of the org
check, the specs lack any tie
between the verified org and
the actual domain because orgs
are not unique on a global
basis.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">For
item 4, you have to verify that “the
Applicant is the Domain Contact”.
Obviously it’s insufficient to just
compare names—you must verify every
element of the WHOIS contact matches
the Applicant, that’s typically
name, postal address, phone number,
and e-mail.<o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org"
moz-do-not-send="true">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public"
target="_blank" moz-do-not-send="true">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</blockquote>
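As an added illustration of the "the Applicant is the Domain Contact" reading debated in the thread above (this is example code written for this page, not code from the CA/Browser Forum or from any CA), the following Python compares the Applicant identity verified under 3.2.2.1 with the registrar's Domain Contact element by element, so that a name-only match such as the "Google, Inc. in Utah" scenario is reported as a mismatch on every other element. All records below are constructed placeholders.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Contact:
    """Identity elements a CA can compare: the Applicant as verified under
    BR 3.2.2.1, or the Domain Contact shown by the Domain Name Registrar."""
    name: str
    address: str
    phone: str
    email: str


def _norm_text(value: str) -> str:
    # Case-fold, drop punctuation and collapse whitespace so that
    # "Google, Inc." and "google inc" compare equal.
    return " ".join(re.sub(r"[^\w\s]", " ", value.casefold()).split())


def _norm_phone(value: str) -> str:
    # Keep digits only: "+1 (801) 555-0100" becomes "18015550100".
    return re.sub(r"\D", "", value)


def name_match(applicant: Contact, domain_contact: Contact) -> bool:
    """The weak reading from the thread: approval on a name match alone."""
    return _norm_text(applicant.name) == _norm_text(domain_contact.name)


def domain_contact_mismatches(applicant: Contact, domain_contact: Contact) -> list[str]:
    """The strict reading ("the Applicant *is* the Domain Contact"): every
    element must agree. Returns the elements that differ; an empty list
    means the two records describe one and the same entity."""
    checks = {
        "name": _norm_text(applicant.name) == _norm_text(domain_contact.name),
        "address": _norm_text(applicant.address) == _norm_text(domain_contact.address),
        "phone": _norm_phone(applicant.phone) == _norm_phone(domain_contact.phone),
        "email": applicant.email.strip().casefold() == domain_contact.email.strip().casefold(),
    }
    return [element for element, same in checks.items() if not same]


def may_approve(applicant: Contact, domain_contact: Contact) -> bool:
    """Approve only when no element differs (the full-record check)."""
    return not domain_contact_mismatches(applicant, domain_contact)


# Constructed placeholder records (not real registrant or company data).
# Domain Contact for the requested FQDN, as shown by the registrar:
REGISTRAR_CONTACT = Contact("Google Inc.", "1 Registrant Way, Mountain View, CA",
                            "+1 650 555 0100", "hostmaster@registrant.example")
# Applicant verified under 3.2.2.1: a same-named corporation formed in Utah.
UTAH_APPLICANT = Contact("Google, Inc.", "200 Example St, Salt Lake City, UT",
                         "+1 801 555 0100", "jeremy@applicant.example")

if __name__ == "__main__":
    print("name-only match:", name_match(UTAH_APPLICANT, REGISTRAR_CONTACT))
    print("differing elements:", domain_contact_mismatches(UTAH_APPLICANT, REGISTRAR_CONTACT))
    print("approve:", may_approve(UTAH_APPLICANT, REGISTRAR_CONTACT))
```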
<br>
</body>
</html>