[cabf_validation] Highlight repeated non-acceptable practices, clarify requirements and discuss about DTPs

Mads Egil Henriksveen Mads.Henriksveen at buypass.no
Tue Jan 16 15:57:00 UTC 2024


(Moving this discussion to the validation subcommittee mailing list)

Hi Aaron

I find your proposal for clarifying that the use of a third-party DNS Resolver is forbidden in Section 3.2.2.4 to address what I have been missing in the BRs.

I would also like to follow up on your statement that CAs might unknowingly use DTPs for domain validations by using third-party email providers (e.g. Mailchimp and Sendgrid). I suggest we discuss whether using cloud-based email services for domain validation is problematic in general. And if it is, whether only on-premises SMTP servers should be accepted.

Another topic I would like to address is the use of WHOIS-lookups for domain validations.

In the BR, I find the following definitions:
Domain Contact: The Domain Name Registrant, technical contact, or administrative contact (or the equivalent under a ccTLD) as listed in the WHOIS record of the Base Domain Name or in a DNS SOA record, or as obtained through direct contact with the Domain Name Registrar.
WHOIS: Information retrieved directly from the Domain Name Registrar or registry operator via the protocol defined in RFC 3912, the Registry Data Access Protocol defined in RFC 7482, or an HTTPS website.

The registry operator is the authoritative source and therefore acceptable. I assume that the Domain Name Registrar must be the registrar responsible for registering the actual domain, but this is not very clear. CAs may use the WHOIS protocol and the RDAP protocol for such lookups directly against those actors, but is using an HTTPS website unproblematic? Some examples for .com domains would be nice.

In BR 3.2.2.4.2 we find ‘The Random Value MUST be sent to an email address identified as a Domain Contact’. In addition, we find ‘The CA may send the email to more than one recipient provided that every recipient is identified by the Domain Name Registrar as representing the Domain Name Registrant’. Does this mean that this is only allowed if the Domain Contacts are provided by the Domain Name Registrar, and is this intentional?

Regards
Mads

From: Public <public-bounces at cabforum.org> On Behalf Of Aaron Gable via Public
Sent: Thursday, January 11, 2024 5:54 PM
To: Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Highlight repeated non-acceptable practices, clarify requirements and discuss about DTPs

For the sake of discussion, here's a concrete proposal for how to easily clarify that use of a public (third-party) DNS resolver is forbidden:

Add to Section 3.2.2.4, immediately after the two numbered sentences:
"All DNS queries conducted in the course of validation MUST be made from the CA to authoritative nameservers, i.e. without the use of recursive resolvers operated by third parties."

This proposal does not address the possibility that we could establish a lightweight audit scheme that third-party recursive resolvers could satisfy to be allowed. It also does not address the possibility that CAs are unknowingly using delegated third parties for other aspects of domain validation, such as Mailchimp / Sendgrid for sending emails. But it's a starting point to kick off discussion.

Thanks,
Aaron

On Wed, Dec 27, 2023 at 11:09 PM Dimitris Zacharopoulos (HARICA) via Public <public at cabforum.org> wrote:

Dear Members,

While monitoring a specific recent bugzilla incident, I realized that it
is very easy to unintentionally misinterpret some parts within the Forum
Guidelines that can lead to compliance problems. I think it is our
obligation as a Forum to monitor compliance issues reported by CAs or
independent researchers and in case of repeated incidents, suggest
clarification language in the Forum's Guidelines. Nobody wants more
incidents, but a repeated pattern doesn't necessarily mean negligence on
the CA's part. It could very well be that the Guidelines are not well
written in some areas.

In that regard, I would strongly encourage our Certificate Consumer
Members, that continuously review and monitor incidents, to search for
common patterns and try to locate the language in the Forum Guidelines
that might be somewhat unclear, and work on improving those parts. Even
if the language seems "clear enough", for cases that have caused
multiple incidents by multiple CAs, it might be worth adding NOTES or
NOTICES to highlight non-acceptable practices that have been
misunderstood by multiple CAs.

The Delegated Third Party concept is understandably very open and not
very well defined. I recommend all WGs to try and clarify how DTPs could
be used in the certificate lifecycle process, including
Domain/Identity/Email Validation but also in the supporting
infrastructure services like compute, storage, network, backup, WHOIS,
DNS, Email, regular post, SMS, and more. Perhaps this is a task for the
Network Security Working Group but some elements are specific to other WGs.

My recommendation to all WGs is that when we see repeated patterns of
practices that, by consensus, are not acceptable and do not meet the
spirit and language of the Guidelines, try to highlight them in a type
of "practices clarification" ballot series.

Best wishes for a Happy New Year to all!


Dimitris.
CA/B Forum Chair
_______________________________________________
Public mailing list
Public at cabforum.org
https://lists.cabforum.org/mailman/listinfo/public
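The requirement Aaron proposes above (validation queries go from the CA straight to authoritative nameservers, with no third-party recursive resolver in the path) is easy to state and easy to get wrong in code, because a stub resolver that simply reads /etc/resolv.conf silently does the opposite. The following is an added example, not code from the CA/Browser Forum, from any CA, or from the people in this thread. It walks the delegation chain from the root itself, accepts only answers with the AA bit set, and only follows referrals that stay in bailiwick and cover the queried name. Everything concrete in it is constructed so it runs offline: the zone contents, the `_cavalidation` label, the 192.0.2.0/24 addresses (RFC 5737 documentation range) and the in-memory `FakeNetwork` transport; a real client would put a UDP/TCP DNS transport behind `send` (sending queries with RD=0) and keep the same checks.

```python
"""Authoritative-only DNS lookup for domain validation (added, constructed example)."""
from dataclasses import dataclass, field

MAX_HOPS = 8  # bound on referral chain length (root -> TLD -> zone -> ...)


def canon(name):
    """Normalise a DNS name: lower-case, exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def is_subdomain(name, zone):
    """True if `name` equals `zone` or lies below it (both canonical)."""
    return zone == "." or name == zone or name.endswith("." + zone)


@dataclass
class Response:
    aa: bool                                      # Authoritative Answer bit
    answer: list = field(default_factory=list)    # (name, rrtype, rdata) tuples
    referral: dict = field(default_factory=dict)  # child zone -> {ns_name: ip} (glue)


class AuthServer:
    """Constructed authoritative server for exactly one zone."""

    def __init__(self, zone, records=(), delegations=None):
        self.zone = canon(zone)
        self.records = [(canon(n), t, r) for n, t, r in records]
        self.delegations = {canon(z): g for z, g in (delegations or {}).items()}

    def handle(self, qname, qtype):
        if not is_subdomain(qname, self.zone):     # out of bailiwick: like REFUSED
            return Response(aa=False)
        for child, glue in self.delegations.items():
            if is_subdomain(qname, child):         # delegated below us: referral, AA=0
                return Response(aa=False, referral={child: glue})
        hits = [rr for rr in self.records if rr[0] == qname and rr[1] == qtype]
        return Response(aa=True, answer=hits)      # authoritative answer or NODATA


class PublicRecursiveResolver:
    """Constructed third-party resolver: serves cached data, never sets AA."""

    def handle(self, qname, qtype):
        return Response(aa=False, answer=[(qname, qtype, "cached-value")])


class FakeNetwork:
    """Stand-in for a DNS transport: maps server IPs to in-memory servers."""

    def __init__(self, servers):
        self.servers = servers

    def send(self, ip, qname, qtype):
        return self.servers[ip].handle(qname, qtype)   # real code: UDP/TCP query with RD=0


class NotAuthoritative(Exception):
    pass


def lookup_authoritative(name, rrtype, send, root_hints):
    """Iterate from the root, accepting only AA=1 answers and in-bailiwick referrals."""
    qname = canon(name)
    zone, servers = ".", dict(root_hints)
    for _ in range(MAX_HOPS):
        ns_name, ip = sorted(servers.items())[0]    # deterministic pick; real code rotates/retries
        resp = send(ip, qname, rrtype)
        if resp.aa:
            return [rdata for n, t, rdata in resp.answer if n == qname and t == rrtype]
        if resp.referral:
            child, glue = next(iter(resp.referral.items()))
            child = canon(child)
            # A referral must move strictly downward from the current zone and still cover qname.
            if child == zone or not is_subdomain(child, zone) or not is_subdomain(qname, child):
                raise NotAuthoritative(f"bad referral to {child} from {ns_name} ({ip})")
            zone, servers = child, dict(glue)
            continue
        raise NotAuthoritative(f"{ns_name} ({ip}) returned a non-authoritative answer")
    raise NotAuthoritative("referral chain too long")


# Constructed zones: root -> com -> example.com, plus a public resolver that must be rejected.
ROOT_HINTS = {"a.root.example.": "192.0.2.1"}
NET = FakeNetwork({
    "192.0.2.1": AuthServer(".", delegations={"com.": {"a.gtld.example.": "192.0.2.2"}}),
    "192.0.2.2": AuthServer("com.", delegations={"example.com.": {"ns1.example.com.": "192.0.2.3"}}),
    "192.0.2.3": AuthServer("example.com.", records=[
        ("_cavalidation.example.com.", "TXT", "random-value-CONSTRUCTED"),
        ("example.com.", "MX", "10 mail.example.com."),
    ]),
    "192.0.2.53": PublicRecursiveResolver(),
})


def validate_txt(name):
    """The CA-side check: the Random Value must come back in an authoritative TXT answer."""
    return lookup_authoritative(name, "TXT", NET.send, ROOT_HINTS)


if __name__ == "__main__":
    print(validate_txt("_cavalidation.example.com"))
    try:
        lookup_authoritative("_cavalidation.example.com", "TXT", NET.send, {"resolver": "192.0.2.53"})
    except NotAuthoritative as err:
        print("rejected:", err)
```

The two failure paths are the ones worth auditing for in a real implementation: an answer with AA=0 (the only kind a recursive resolver can give for someone else's zone) is rejected outright rather than treated as a cache hit, and a referral that points sideways or outside the current zone is rejected rather than followed, so a misconfigured or hostile server cannot steer the lookup to nameservers it controls.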