<div dir="ltr">Hi Bruce,<div><br></div><div>Can you share any further details about how you validate? I appreciate you believe it can be secure - I don't see anything in your message to actually show how that can be, and how that can be done in a way that can be independently assessed.</div><div><br></div><div>Absent a workflow that can demonstrate how it can be secure, I have trouble accepting the claim, much like the trouble we expressed during the Berlin F2F for how CAs were validating using 3.2.2.4.5, effectively using RAs to perform domain validation without calling them as such.</div><div><br></div><div>I have difficulty seeing how 3.2.2.4.1 meets the bar of sufficient and equivalent security.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jan 15, 2018 at 11:19 AM, Bruce Morton via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="m_-4197778401007863624WordSection1">
<p class="MsoNormal"><span style="color:#1f497d">I’m following up on the original message to remove validation methods 3.2.2.4.1 and 3.2.2.4.5.
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d">We validate a large percentage of certificate requests using 3.2.2.4.1. It is highly used with our enterprise clients and works great if you know your customer. We would like to continue using this practice
and are open to updating the BRs to help ensure that the three step methodology using 3.2.2.1, 3.2.2.4.1 and 3.2.5 is sound.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d">As background method 3.2.2.4.1 is probably the oldest domain validation method used. Until December 2017, I am not aware of any reported incidents. DigiCert appears to be the first to report an incident. After
rereading the message below and reviewing the other messages, I cannot determine if any certificates were mississued. It would be great to get more details or review an incident report. This is important as we would like to correct the issues rather than eliminating
3.2.2.4.1 items 1 an 2.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d">So here is a question for DigiCert: were you reporting certificate misissuance using 3.2.2.4.1? If yes, will DigiCert be posting an Incident Report on the Mozilla Dev Security Policy list using Mozilla’s standard
report form, as is customary when reporting certificate misissuance?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d">We really need to understand the problem statement and review some real use cases. We need to see how 3.2.2.4.1 was combined with 3.2.2.1 and 3.2.5. How was the registrant verified? What Reliable Method of Communication
was used?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d">We believe that:<u></u><u></u></span></p>
<p class="m_-4197778401007863624MsoListParagraph"><u></u><span style="color:#1f497d"><span>-<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u><span style="color:#1f497d">3.2.2.1 can be used to securely identify the applicant<u></u><u></u></span></p>
<p class="m_-4197778401007863624MsoListParagraph"><u></u><span style="color:#1f497d"><span>-<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u><span style="color:#1f497d">3.2.2.4.1 can be used to verify that the registrant is the applicant or an affiliate of the applicant<u></u><u></u></span></p>
<p class="m_-4197778401007863624MsoListParagraph"><u></u><span style="color:#1f497d"><span>-<span style="font:7.0pt "Times New Roman"">
</span></span></span><u></u><span style="color:#1f497d">3.2.5 can be securely used to verify that an employee of the applicant has authorized the issuance of the certificate<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d">We would like to continue to work with the Validation Working Group to find new text to improve these processes.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d">Thanks, Bruce.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p>
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b>From:</b> Public [mailto:<a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@<wbr>cabforum.org</a>] <b>
On Behalf Of </b>Jeremy Rowley via Public<br>
<b>Sent:</b> December 19, 2017 4:30 PM<br>
<b>To:</b> CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>><br>
<b>Subject:</b> [EXTERNAL][cabfpub] Verification of Domain Contact and Domain Authorization Document<u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Hi all, <u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">When reviewing the Symantec validation methods and the customers using each method, I found an alarming number of customers verified under 3.2.2.4.1 (Verification of a Domain Contact) or 3.2.2.4.5 (Domain Authorization Document) where the
domain is not technically associated with the entity. These two methods need improvement or removal as the way they are currently lacks sufficient controls to associate the domain verification with the actual certificate approver. I’ve had too many calls with
customers explaining re-verification where the domain holder didn’t understand that a cert issued for the domain. Although the organization verification was successfully complete, the only tie between the domain and organization is a call to the organization
that happened within the last years to approve the account for issuance. I wanted to bring it up here because I’ve always thought these methods were less desirable than others. I think other large CAs use this method quite a bit so I’m hoping to get clarity
on why these methods are permitted when the domain verification seems more “hand-wavy” than other methods.
<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Method 3.2.2.4.1 permits a CA to issue a certificate if the certificate is an EV or OV cert. With EV certificates, there is a call to a verified telephone number that confirms the requester’s affiliation with the organization. I can see
this method working for EV. For OV certificates, there is a reliable method of communication that confirms the account holder as affiliated with the organization. Unlike EV, for OV certs there is no tie between the requester and their authority to request
a certificate. Once the organization is verified, the BRs permit auto-issuance for any domain that reflects an affiliation with the verified entity for up to 825 days. There’s no notice to the domain contact that the certificate was requested or approved.
Perhaps this is sufficient as the account has been affiliated with the organization through the reliable method of communication and because CT will soon become mandatory.
<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Method 3.2.2.4.5 permits a CA to issue a certificate using a legal opinion letter for the domain. Unfortunately the BRs lack clear requirements about how the legal opinion letter is verified. If I want a cert for Google.com and the CA is
following the bare minimum, all I need to do is copy their letterhead and sign the document. Magically, a certificate can issue. This method lacks a lot of controls of method 1 because there is no requirement around verification of the company. I can list
as many domains in the letter as I’d like provided the entity listed in the corresponding WHOIS’s letterhead is used.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I’m looking to remove/fix both of these methods as both these methods lack the necessary controls to ensure that the verification ties to the domain holder. These methods probably should have been removed back when we passed 169/182. Would
anyone being willing to endorse a ballot killing these or making some necessary improvements?
<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Jeremy<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
<br>______________________________<wbr>_________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/<wbr>listinfo/public</a><br>
<br></blockquote></div><br></div>