<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Sprechblasentext Zchn";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.E-MailFormatvorlage19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.E-MailFormatvorlage20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.E-MailFormatvorlage21
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.E-MailFormatvorlage22
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.E-MailFormatvorlage23
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.E-MailFormatvorlage24
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.E-MailFormatvorlage25
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.E-MailFormatvorlage26
{mso-style-type:personal-reply;
font-family:"Verdana","sans-serif";
color:#1F497D;}
span.SprechblasentextZchn
{mso-style-name:"Sprechblasentext Zchn";
mso-style-priority:99;
mso-style-link:Sprechblasentext;
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="DE" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1F497D">Hi all,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1F497D">D-TRUST fully supports the ongoing discussion on improving BR section 3.2.2.4.1 and 3.2.2.4.5. In our opinion all options on improving the methods
need to be taken into account. Only if there is no way of optimizing the procedure in order to prohibit potential misissuance scenarios based on this procedure it should be entirely removed.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1F497D">Both methods are extensively used by CA/B-Forum members. A removal of the validation methods would cause serious consequences for CA operations
and also impact existing customers. These impact needs to be evaluated first.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1F497D">To get a good and secure solution, we suggest to assess the results of the Validation WG during the next face to face meeting and prepare a (probably
modified) ballot afterwards.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1F497D">Regards<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#1F497D">Enrico<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Von:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Public [mailto:public-bounces@cabforum.org]
<b>Im Auftrag von </b>Mads Egil Henriksveen via Public<br>
<b>Gesendet:</b> Freitag, 19. Januar 2018 07:52<br>
<b>An:</b> Tim Hollebeek; CA/Browser Forum Public Discussion List; Bruce Morton; Jeremy Rowley<br>
<b>Betreff:</b> Re: [cabfpub] [EXTERNAL] Verification of Domain Contact and Domain Authorization Document<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US">Hi
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US">Buypass, Entrust Datacard and GlobalSign have been working on some text to strengthen 3.2.2.4.1 instead of removing it - find the draft text below. The draft was discussed
in the Validation Working Group meeting yesterday. We would like to offer this as an amendment to Ballot 218.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US">We (and some other CAs as well) are concerned about the short transition period in Ballot 218. In order to change systems, validation procedures etc. we believe any transition
period should be at least 10 weeks (as long as the security risk exposed is low).
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US">Regards<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US">Mads
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormalCxSpMiddle" style="margin-bottom:8.0pt;mso-add-space:auto;line-height:105%">
<b><span lang="EN-GB">3.2.2.4.1 Validating the Applicant as a Domain Name Registrant</span></b><b><span lang="EN-GB" style="font-size:12.0pt;line-height:105%;font-family:"Times New Roman","serif""><o:p></o:p></span></b></p>
<p class="MsoNormal"><span lang="EN-GB">Conforming the Applicant's control over the FQDN by validating the Applicant as the Domain Name Registrant by verifying that:
<o:p></o:p></span></p>
<p class="MsoListParagraphCxSpFirst" style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:8.0pt;margin-left:54.0pt;mso-add-space:auto;text-indent:-18.0pt;line-height:105%">
<span lang="EN-GB">1.</span><span lang="EN-GB" style="font-size:7.0pt;line-height:105%;font-family:"Times New Roman","serif"">
</span><span lang="EN-GB">The name of the Domain Name Registrant matches the Applicant’s name AND<o:p></o:p></span></p>
<p class="MsoListParagraphCxSpMiddle" style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:8.0pt;margin-left:54.0pt;mso-add-space:auto;text-indent:-18.0pt;line-height:105%">
<span lang="EN-GB">2.</span><span lang="EN-GB" style="font-size:7.0pt;line-height:105%;font-family:"Times New Roman","serif"">
</span><span lang="EN-GB">Additional information about the Domain Name Registrant in the WHOIS meet the following requirements:<o:p></o:p></span></p>
<p class="MsoListParagraphCxSpMiddle" style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:8.0pt;margin-left:69.6pt;mso-add-space:auto;text-indent:-18.0pt;line-height:105%">
<span lang="EN-GB" style="font-size:7.0pt;line-height:105%;font-family:"Times New Roman","serif"">
</span><span lang="EN-GB">i.</span><span lang="EN-GB" style="font-size:7.0pt;line-height:105%;font-family:"Times New Roman","serif"">
</span><span lang="EN-GB">The Registrant’s postal address in the WHOIS belongs to the Applicant. CAs MUST verify this by matching it with one of the Applicant's addresses in: (a) a QGIS, QTIS, or QIIS; or (b) a Verified Professional Letter.
<br>
Note: Address details in the WHOIS are required to use this option. Address details must include at a minimum the Country and either Locality, State or Province. OR
<o:p></o:p></span></p>
<p class="MsoListParagraphCxSpLast" style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:8.0pt;margin-left:69.6pt;mso-add-space:auto;text-indent:-18.0pt;line-height:105%">
<span lang="EN-GB" style="font-size:7.0pt;line-height:105%;font-family:"Times New Roman","serif"">
</span><span lang="EN-GB">ii.</span><span lang="EN-GB" style="font-size:7.0pt;line-height:105%;font-family:"Times New Roman","serif"">
</span><span lang="EN-GB">The WHOIS contains the Registration (or similar) Number assigned to the Applicant by the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration as appropriate. CAs MUST verify this by matching the
Registration Number in the WHOIS with the Applicant’s Registration Number in a QGIS or a QTIS.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Additionally, this method may only be used if:
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">1. The CA authenticates the Applicant's identity under BR Section 3.2.2.1 and the authority of the Applicant Representative under BR Section 3.2.5, OR<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">2. The CA authenticates the Applicant's identity under EV Guidelines Section 11.2 and the agency of the Certificate Approver under EV Guidelines Section 11.8; OR
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">3. The CA is also the Domain Name Registrar, or an Affiliate of the Registrar, of the Base Domain Name.
<span style="color:#5B9BD5"><o:p></o:p></span></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">This revised version of BR 3.2.2.4.1 shall apply to domain validations occurring on or after June 1, 2018.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Public [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Tim Hollebeek via Public<br>
<b>Sent:</b> onsdag 17. januar 2018 00:13<br>
<b>To:</b> Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com">tim.hollebeek@digicert.com</a>>; CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org">public@cabforum.org</a>>; Bruce Morton <<a href="mailto:Bruce.Morton@entrustdatacard.com">Bruce.Morton@entrustdatacard.com</a>>;
Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>><br>
<b>Subject:</b> Re: [cabfpub] [EXTERNAL] Verification of Domain Contact and Domain Authorization Document<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="NO-BOK"><o:p> </o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span lang="EN-US">Also, whatever improvements you propose to 3.2.5 (which we might support), our incident report covered a case of non-compliance with the current rules, so it does not in any way demonstrate
a weakness in the current rules.<o:p></o:p></span></a></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">It would be best not to confuse unrelated issues.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">-Tim<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Public [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Tim Hollebeek via Public<br>
<b>Sent:</b> Tuesday, January 16, 2018 3:55 PM<br>
<b>To:</b> Bruce Morton <<a href="mailto:Bruce.Morton@entrustdatacard.com">Bruce.Morton@entrustdatacard.com</a>>; CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org">public@cabforum.org</a>>; Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>><br>
<b>Subject:</b> Re: [cabfpub] [EXTERNAL] Verification of Domain Contact and Domain Authorization Document<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Ok, thanks for the update.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">-Tim<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Bruce Morton [<a href="mailto:Bruce.Morton@entrustdatacard.com">mailto:Bruce.Morton@entrustdatacard.com</a>]
<br>
<b>Sent:</b> Tuesday, January 16, 2018 3:43 PM<br>
<b>To:</b> Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com">tim.hollebeek@digicert.com</a>>; CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org">public@cabforum.org</a>>; Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>><br>
<b>Subject:</b> RE: [cabfpub] [EXTERNAL] Verification of Domain Contact and Domain Authorization Document<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Hi Tim,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">A few CAs are working on some text to improve 3.2.2.4.1. We also think that 3.2.5 needs to be improved which may also be an improvement to support your incident report which discusses 3.2.5.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Hopefully text will be available for review in the next day or so.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Thanks, Bruce.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Tim Hollebeek [<a href="mailto:tim.hollebeek@digicert.com">mailto:tim.hollebeek@digicert.com</a>]
<br>
<b>Sent:</b> January 16, 2018 10:41 AM<br>
<b>To:</b> Bruce Morton <<a href="mailto:Bruce.Morton@entrustdatacard.com">Bruce.Morton@entrustdatacard.com</a>>; CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org">public@cabforum.org</a>>; Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>><br>
<b>Subject:</b> RE: [cabfpub] [EXTERNAL] Verification of Domain Contact and Domain Authorization Document<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I was told you guys were going to be providing text that improved method 1. It now sounds like you think method 1 was good for the last 20 years, and will continue to be good for … how long? Has your position changed?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">-Tim<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Public [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Bruce Morton via Public<br>
<b>Sent:</b> Monday, January 15, 2018 9:20 AM<br>
<b>To:</b> Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>>; CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org">public@cabforum.org</a>><br>
<b>Subject:</b> Re: [cabfpub] [EXTERNAL] Verification of Domain Contact and Domain Authorization Document<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">I’m following up on the original message to remove validation methods 3.2.2.4.1 and 3.2.2.4.5.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">We validate a large percentage of certificate requests using 3.2.2.4.1. It is highly used with our enterprise clients and works great if you know your customer. We would like to continue using this
practice and are open to updating the BRs to help ensure that the three step methodology using 3.2.2.1, 3.2.2.4.1 and 3.2.5 is sound.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">As background method 3.2.2.4.1 is probably the oldest domain validation method used. Until December 2017, I am not aware of any reported incidents. DigiCert appears to be the first to report an incident.
After rereading the message below and reviewing the other messages, I cannot determine if any certificates were mississued. It would be great to get more details or review an incident report. This is important as we would like to correct the issues rather
than eliminating 3.2.2.4.1 items 1 an 2.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">So here is a question for DigiCert: were you reporting certificate misissuance using 3.2.2.4.1? If yes, will DigiCert be posting an Incident Report on the Mozilla Dev Security Policy list using Mozilla’s
standard report form, as is customary when reporting certificate misissuance?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">We really need to understand the problem statement and review some real use cases. We need to see how 3.2.2.4.1 was combined with 3.2.2.1 and 3.2.5. How was the registrant verified? What Reliable
Method of Communication was used?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">We believe that:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt;text-indent:-18.0pt"><span lang="EN-US" style="color:#1F497D">-</span><span lang="EN-US" style="font-size:7.0pt;font-family:"Times New Roman","serif";color:#1F497D">
</span><span lang="EN-US" style="color:#1F497D">3.2.2.1 can be used to securely identify the applicant<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt;text-indent:-18.0pt"><span lang="EN-US" style="color:#1F497D">-</span><span lang="EN-US" style="font-size:7.0pt;font-family:"Times New Roman","serif";color:#1F497D">
</span><span lang="EN-US" style="color:#1F497D">3.2.2.4.1 can be used to verify that the registrant is the applicant or an affiliate of the applicant<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt;text-indent:-18.0pt"><span lang="EN-US" style="color:#1F497D">-</span><span lang="EN-US" style="font-size:7.0pt;font-family:"Times New Roman","serif";color:#1F497D">
</span><span lang="EN-US" style="color:#1F497D">3.2.5 can be securely used to verify that an employee of the applicant has authorized the issuance of the certificate<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">We would like to continue to work with the Validation Working Group to find new text to improve these processes.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Thanks, Bruce.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Public [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Jeremy Rowley via Public<br>
<b>Sent:</b> December 19, 2017 4:30 PM<br>
<b>To:</b> CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org">public@cabforum.org</a>><br>
<b>Subject:</b> [EXTERNAL][cabfpub] Verification of Domain Contact and Domain Authorization Document<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Hi all, <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">When reviewing the Symantec validation methods and the customers using each method, I found an alarming number of customers verified under 3.2.2.4.1 (Verification of a Domain Contact) or 3.2.2.4.5 (Domain Authorization
Document) where the domain is not technically associated with the entity. These two methods need improvement or removal as the way they are currently lacks sufficient controls to associate the domain verification with the actual certificate approver. I’ve
had too many calls with customers explaining re-verification where the domain holder didn’t understand that a cert issued for the domain. Although the organization verification was successfully complete, the only tie between the domain and organization is
a call to the organization that happened within the last years to approve the account for issuance. I wanted to bring it up here because I’ve always thought these methods were less desirable than others. I think other large CAs use this method quite a bit
so I’m hoping to get clarity on why these methods are permitted when the domain verification seems more “hand-wavy” than other methods.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Method 3.2.2.4.1 permits a CA to issue a certificate if the certificate is an EV or OV cert. With EV certificates, there is a call to a verified telephone number that confirms the requester’s affiliation with the organization.
I can see this method working for EV. For OV certificates, there is a reliable method of communication that confirms the account holder as affiliated with the organization. Unlike EV, for OV certs there is no tie between the requester and their authority
to request a certificate. Once the organization is verified, the BRs permit auto-issuance for any domain that reflects an affiliation with the verified entity for up to 825 days. There’s no notice to the domain contact that the certificate was requested or
approved. Perhaps this is sufficient as the account has been affiliated with the organization through the reliable method of communication and because CT will soon become mandatory.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Method 3.2.2.4.5 permits a CA to issue a certificate using a legal opinion letter for the domain. Unfortunately the BRs lack clear requirements about how the legal opinion letter is verified. If I want a cert for Google.com
and the CA is following the bare minimum, all I need to do is copy their letterhead and sign the document. Magically, a certificate can issue. This method lacks a lot of controls of method 1 because there is no requirement around verification of the company.
I can list as many domains in the letter as I’d like provided the entity listed in the corresponding WHOIS’s letterhead is used.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I’m looking to remove/fix both of these methods as both these methods lack the necessary controls to ensure that the verification ties to the domain holder. These methods probably should have been removed back when we
passed 169/182. Would anyone being willing to endorse a ballot killing these or making some necessary improvements?
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Jeremy<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
</div>
</div>
</div>
</div>
</body>
</html>