<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Ryan,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Q: Can you explain why you do not believe it is more secure?
<o:p></o:p></p>
<p class="MsoNormal">A: I am not stating its more secure, but .1 Option #3 is on par with other deemed secure options. It is secure because only the domain owner is the authorized user to a registrars account, and only they can order a cert for a specific domain.
If more transparency is a concern, let’s discuss what would be acceptable. <o:p>
</o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Q: I don't believe this is universally the case. Consider the situation of registrars and registries that allow signing in without a 2FA, but require changes to use a 2FA. I realize a response might be "Well, the registrar could just require
2FA for issuing a cert" - and while that would be in theory possible, there's absolutely zero assurance for relying parties and browsers as to the registrars (and CAs) practices. I hope you can see why this remains a fundamentally problematic proposal.<o:p></o:p></p>
<p class="MsoNormal">A: I agree, everyone should be using 2FA. Unpacking this a bit further, as your statement is close to the crux of my argument. If the registrar account is compromised, everything about the domain is in question. If registrar account compromise
is a concern for .1 option #3 then it also a question for .4 Domain Contact, .7 DNS Change and .8 IP Address validation. All of these require the registrar account to be secure. I believe .4, .7, and .8 are secure practices.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Q: I think it's important to be precise here when talking about .1. Is it correct to say you are only concerned with retaining some notion of .1 Option 3? When we say "don't eliminate .1", I think that carries with it the significant (and
insecure) suggestion of retaining .1 Option 1 and .1 Option 2.<o:p></o:p></p>
<p class="MsoNormal">A: Agreed, and sorry for not being precise. You are correct I am only concerned with Option #3, as I believe it is a secure practice on par with .7 and .8. I agree with your position on option #1 & #2.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks for your time discussing this,<o:p></o:p></p>
<p class="MsoNormal">Daymion<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>From:</b> Ryan Sleevi [mailto:sleevi@google.com] <br>
<b>Sent:</b> Wednesday, January 10, 2018 1:50 PM<br>
<b>To:</b> Daymion T. Reynolds <dreynolds@godaddy.com><br>
<b>Cc:</b> CA/Browser Forum Public Discussion List <public@cabforum.org>; Kirk Hall <Kirk.Hall@entrustdatacard.com>; Tim Hollebeek <tim.hollebeek@digicert.com><br>
<b>Subject:</b> Re: [cabfpub] Ballot 218: Remove validation methods #1 and #5<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Wed, Jan 10, 2018 at 2:37 PM, Daymion T. Reynolds <<a href="mailto:dreynolds@godaddy.com" target="_blank">dreynolds@godaddy.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Ryan,<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> Thank you for replying as this is a good discussion to have. “Direct contact” is great method when you don’t have a clean, reliable data source to validate ownership.
For Registrar / CA combos, whereby the same account ordered the domain and the cert, knowledge of ownership is robust. Requiring a second contact doesn’t seem more secure, but rather seems more cumbersome for an already complex process.
<o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Can you explain why you do not believe it is more secure?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">If you are concerned about the possibility of a customer account being compromised, it doesn’t change the risk. If there was a compromise they would have control over DNS and could
then domain validate a cert order from anyone.<o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I don't believe this is universally the case. Consider the situation of registrars and registries that allow signing in without a 2FA, but require changes to use a 2FA. I realize a response might be "Well, the registrar could just require
2FA for issuing a cert" - and while that would be in theory possible, there's absolutely zero assurance for relying parties and browsers as to the registrars (and CAs) practices. I hope you can see why this remains a fundamentally problematic proposal.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> Rather than eliminate .1, I believe a better course of action would be to add transparency and lock down when you can and cannot use the registrar validation method.<o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I think it's important to be precise here when talking about .1. Is it correct to say you are only concerned with retaining some notion of .1 Option 3? When we say "don't eliminate .1", I think that carries with it the significant (and
insecure) suggestion of retaining .1 Option 1 and .1 Option 2.<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</body>
</html>