[cabfpub] Ballot 92 reviewed

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Mon Oct 29 10:08:39 MST 2012


Under the proposal, only one domain in the SANs cert would be OV vetted.  Then other DV domains owned by others can be inserted as well.  So a relying party would be tricked into thinking that all domains in the SANs cert were OV vetted to that one owner (whose identity would appear for all the DV domains).  That's misleading.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Steve Roylance
Sent: Monday, October 29, 2012 10:37 AM
To: Gervase Markham
Cc: public at cabforum.org
Subject: Re: [cabfpub] Ballot 92 reviewed

Hi Gerv.


On 29/10/2012 13:33, "Gervase Markham" <gerv at mozilla.org> wrote:

>On 29/10/12 12:15, Steve Roylance wrote:
>> The intention behind the wording in the proposed revision of 9.2.1 
>>that  Jeremy was referring to was to constrain the issuance of 
>>certificates with  non verifiable domain names/IP addresses/host names 
>>etc (deemed  dangerous/toxic by many CABForum and non CABForum members 
>>including  yourself).  Merely having one FQDN present does not 
>>identify the owner.
>
>It identifies them just as much as the owner of a single-FQDN DV cert 
>is identified.

We are not debating the use of DV here.  We are saying that a non-unique component added to a DV based certificate or one used alone makes it a different animal with different rules.

>
>> It
>> identifies that the CA has performed some level of challenge response 
>>on  an FQDN only and not necessarily validated identity.  It's the 
>>identity  that becomes useful in any forensic examination of data 
>>packets following  a successful attack.
>
>This seems to be "OV vs DV" in disguise. :-)

Nope :-)...I believe that DV is great for SSL when the owner does not need to be authenticated.  There are lots of uses and clearly SSL is better than no SSL, but where non uniqueness creeps in it's different.


>
>If a DV cert for www.foo.com is OK in a certain scenario, why is a DV 
>cert for www.foo.com, foo.mail and foopymachine not OK? Both certs 
>contain exactly the same amount of information regarding who 'owns' 
>them
>- it's the person who owns www.foo.com.

See Melih's post and my reply and you'll see these are different cases.
Currently anyone can have access to foopymachine or foo.mail so make sure the person/organisation requesting this is identified.

>
>> We've all discussed the suitability of DV in the past in various 
>> scenarios and there's clearly a definite need for DV in the market 
>> where owners of domains simply want a credential to prove ownership, 
>> but what we are saying here is that we should not rely on the DV only 
>> mechanisms to highlight the "owner" of non-verifiable items because 
>> it doesn't.
>
>This is begging the question of whether you need to know the 'owner' in 
>this sense in the first place. Or, to put it another way: why is this 
>argument not an argument against all DV certs?

It's the non-unique element that makes them different and dangerous if given out freely.  You can't use a DV cert to attack another FQDN, but you can use a non unique to attack another same name non unique.
 
This trying to do the right thing is hard workŠ :-(

>
>Gerv


_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
<table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></table>



More information about the Public mailing list