<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
Forwarding to the Server Certificate WG list to continue the
discussion for the TLS BRs.<br>
<br>
Thanks Aaron,<br>
Dimitris.<br>
<div class="moz-forward-container"><br>
<br>
-------- Forwarded Message --------
<table class="moz-email-headers-table" cellspacing="0"
cellpadding="0" border="0">
<tbody>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Subject:
</th>
<td>Re: [cabfpub] Highlight repeated non-acceptable
practices, clarify requirements and discuss about DTPs</td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Date: </th>
<td>Thu, 11 Jan 2024 08:53:26 -0800</td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">From: </th>
<td>Aaron Gable <a class="moz-txt-link-rfc2396E" href="mailto:aaron@letsencrypt.org">&lt;aaron@letsencrypt.org&gt;</a></td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">To: </th>
<td>Dimitris Zacharopoulos (HARICA)
<a class="moz-txt-link-rfc2396E" href="mailto:dzacharo@harica.gr">&lt;dzacharo@harica.gr&gt;</a>, CA/Browser Forum Public
Discussion List <a class="moz-txt-link-rfc2396E" href="mailto:public@cabforum.org">&lt;public@cabforum.org&gt;</a></td>
</tr>
</tbody>
</table>
<br>
<br>
<div dir="ltr">For the sake of discussion, here's a concrete
proposal for how to easily clarify that use of a public
(third-party) DNS resolver is forbidden:
<div><br>
</div>
<div>Add to Section 3.2.2.4, immediately after the two numbered
sentences:</div>
<div>"All DNS queries conducted in the course of validation MUST
be made from the CA to authoritative nameservers, i.e. without
the use of recursive resolvers operated by third parties."</div>
<div><br>
</div>
<div>This proposal does not address the possibility that we
could establish a lightweight audit scheme that third-party
recursive resolvers could satisfy to be allowed. It also does
not address the possibility that CAs are unknowingly using
delegated third parties for other aspects of domain
validation, such as Mailchimp / Sendgrid for sending emails.
But it's a starting point to kick off discussion.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Aaron</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Dec 27, 2023 at
11:09 PM Dimitris Zacharopoulos (HARICA) via Public &lt;<a
href="mailto:public@cabforum.org" moz-do-not-send="true"
class="moz-txt-link-freetext">public@cabforum.org</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
Dear Members,<br>
<br>
While monitoring a specific recent Bugzilla incident, I
realized that it <br>
is very easy to unintentionally misinterpret some parts within
the Forum <br>
Guidelines that can lead to compliance problems. I think it is
our <br>
obligation as a Forum to monitor compliance issues reported by
CAs or <br>
independent researchers and in case of repeated incidents,
suggest <br>
clarification language in the Forum's Guidelines. Nobody wants
more <br>
incidents, but a repeated pattern doesn't necessarily mean
negligence on <br>
the CA's part. It could very well be that the Guidelines are
not well <br>
written in some areas.<br>
<br>
In that regard, I would strongly encourage our Certificate
Consumer <br>
Members, who continuously review and monitor incidents, to
search for <br>
common patterns and try to locate the language in the Forum
Guidelines <br>
that might be somewhat unclear, and work on improving those
parts. Even <br>
if the language seems "clear enough", for cases that have
caused <br>
multiple incidents by multiple CAs, it might be worth adding
NOTES or <br>
NOTICES to highlight non-acceptable practices that have been <br>
misunderstood by multiple CAs.<br>
<br>
The Delegated Third Party concept is understandably very open
and not <br>
very well defined. I recommend that all WGs try to clarify how
DTPs could <br>
be used in the certificate lifecycle process, including <br>
Domain/Identity/Email Validation but also in the supporting <br>
infrastructure services like compute, storage, network,
backup, WHOIS, <br>
DNS, Email, regular post, SMS, and more. Perhaps this is a
task for the <br>
Network Security Working Group but some elements are specific
to other WGs.<br>
<br>
My recommendation to all WGs is that when we see repeated
patterns of <br>
practices that, by consensus, are not acceptable and do not
meet the <br>
spirit and language of the Guidelines, try to highlight them
in a type <br>
of "practices clarification" ballot series.<br>
<br>
Best wishes for a Happy New Year to all!<br>
<br>
<br>
Dimitris.<br>
CA/B Forum Chair<br>
_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org" moz-do-not-send="true"
class="moz-txt-link-freetext">Public@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/public"
rel="noreferrer" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/public</a><br>
</blockquote>
</div>
</div>
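<p>The proposal in the forwarded message asks that validation queries go from the CA to the authoritative nameservers rather than through a recursive resolver someone else operates. As an added example, not from this thread and not any CA's code, the following stdlib-only Python resolver shows what that looks like on the wire: it starts at the root hints (the real a/b/c.root-servers.net addresses) and follows NS referrals, using the glue A records, until a server answers with the AA bit set. The <code>send</code> transport is injectable: <code>udp_send</code> is the real one, while <code>FAKE_DELEGATIONS</code>, <code>FAKE_ZONE</code> and <code>fake_send</code> are a constructed offline fixture (192.0.2.0/24 documentation addresses, a made-up <code>_acme-challenge</code> TXT record) so the walk can be exercised without network access.</p>

```python
"""Iterative DNS lookup that talks only to authoritative nameservers. Added example (not
code from the CA/B Forum thread or from any CA): stdlib-only, starts at the root hints and
follows NS referrals down to the zone's own servers, so no third-party recursive resolver is
in the path. Transport is injectable; FAKE_DELEGATIONS / FAKE_ZONE are a constructed fixture."""
import secrets, socket, struct
from itertools import islice
ROOT_HINTS = ["198.41.0.4", "199.9.14.201", "192.33.4.12"]  # a/b/c.root-servers.net
TYPE_A, TYPE_NS, TYPE_TXT, QR, AA = 1, 2, 16, 0x8000, 0x0400  # RR types; header flag bits

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: remember where to resume
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def build_message(qname, qtype, txid, flags=0, answers=(), authority=(), additional=()):
    """Wire-format message; queries use flags=0 (no RD bit: recursion is not wanted)."""
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), len(authority), len(additional))
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, rdata in (*answers, *authority, *additional):
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

def parse_message(msg):
    """Return (txid, flags, (qname, qtype), [answers, authority, additional])."""
    txid, flags, _, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])  # one question assumed
    qname, off = decode_name(msg, 12)
    qtype, off = struct.unpack("!H", msg[off:off + 2])[0], off + 4
    sections = []
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
            if rtype == TYPE_NS:
                rdata, _ = decode_name(msg, off - rdlen)  # NS target may be compressed
            elif rtype == TYPE_A:
                rdata = socket.inet_ntoa(rdata)
            elif rtype == TYPE_TXT:  # join the length-prefixed character-strings
                it = iter(rdata)  # each length byte n is followed by n bytes of text
                rdata = "".join(bytes(islice(it, n)).decode("ascii") for n in it)
            rrs.append((name, rtype, rdata))
        sections.append(rrs)
    return txid, flags, (qname, qtype), sections

def udp_send(server_ip, query, timeout=3.0):  # real transport: one datagram to port 53
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        return s.recv(4096)

def resolve_iteratively(qname, qtype, send=udp_send, max_hops=16):
    """Walk root -> TLD -> zone; return (matching answer RRs, authoritative server IP)."""
    qname, servers = qname.rstrip(".").lower() + ".", list(ROOT_HINTS)
    for _ in range(max_hops):
        server, txid = servers[0], secrets.randbelow(65536)  # unpredictable ID per query
        rtxid, flags, _, (answers, authority, additional) = parse_message(
            send(server, build_message(qname, qtype, txid)))
        if rtxid != txid or not flags & QR:
            raise ValueError("bad or spoofed response from " + server)
        if flags & AA:  # the zone's own server answered (answer may be empty / NXDOMAIN)
            return [rr for rr in answers if rr[0].lower() == qname and rr[1] == qtype], server
        ns_names = {rd.lower() for _, t, rd in authority if t == TYPE_NS}
        glue = [rd for n, t, rd in additional if t == TYPE_A and n.lower() in ns_names]
        if not glue:  # glueless (out-of-bailiwick) NS: a full resolver would look the NS up too
            raise ValueError("referral from %s carries no glue for %s" % (server, ns_names))
        servers = glue
    raise ValueError("too many referrals for " + qname)

# Constructed offline fixture: each root hint -> one TLD server -> the zone's own server.
FAKE_DELEGATIONS = {**{ip: ("com.", "a.gtld.example.", "192.0.2.1") for ip in ROOT_HINTS},
                    "192.0.2.1": ("example.com.", "ns1.example.com.", "192.0.2.53")}
FAKE_ZONE = {"192.0.2.53": [("_acme-challenge.example.com.", TYPE_TXT, b"\x10validation-token")]}
def fake_send(server_ip, query):  # answers like each server in the constructed chain
    txid, _, (qname, qtype), _ = parse_message(query)
    if server_ip in FAKE_DELEGATIONS:  # referral: NS in authority, glue A in additional
        zone, ns, ns_ip = FAKE_DELEGATIONS[server_ip]
        return build_message(qname, qtype, txid, QR, authority=[(zone, TYPE_NS, encode_name(ns))],
                             additional=[(ns, TYPE_A, socket.inet_aton(ns_ip))])
    rrs = [rr for rr in FAKE_ZONE[server_ip] if rr[0] == qname and rr[1] == qtype]  # KeyError: left chain
    return build_message(qname, qtype, txid, QR | AA, answers=rrs)

def demo():  # fetch the constructed ACME challenge TXT with no recursive resolver in the path
    rrs, server = resolve_iteratively("_acme-challenge.example.com", TYPE_TXT, send=fake_send)
    return [rd for _, _, rd in rrs], server  # (['validation-token'], '192.0.2.53')
```

<p>With <code>send=udp_send</code> the same walk runs against the live DNS. The loop deliberately sends no RD bit, verifies the transaction ID of every reply, and treats only AA responses as final, so a CA-operated validator built this way never depends on a resolver it does not run. It does not follow CNAMEs or chase glueless nameservers, both of which a production validator must handle as well.</p>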
</body>
</html>