[cabfpub] [cabfman] Improving the security of EV Certificates
Jeremy Rowley
jeremy.rowley at digicert.com
Thu Dec 19 11:08:16 MST 2013
That's no different from what happens today.
-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of kirk_hall at trendmicro.com
Sent: Thursday, December 19, 2013 10:57 AM
To: Gervase Markham; Eddy Nigg (StartCom Ltd.); CABFPub
(public at cabforum.org)
Subject: Re: [cabfpub] [cabfman] Improving the security of EV Certificates
> Today, CAs have to provide a means for anyone in the world to complain
> about a cert they have encountered.
So what is changing?
Gerv
Among other things, I think there will be lots of new business plans that
will constantly scan and scrape all the CT logs in the world and then send
out spammy emails saying "Your domain's issued certificates have changed!
You might be the target of fraud! Get a free checkup here" like all the
spammy "Your credit report has changed!" emails, and I imagine a fair number
of those folks may get surprised or alarmed and open the messages. Some
enterprising folks may even include a link in these messages that say "If
this is not your cert, or for more information, click here" and include a
URL to the issuing CA's help/support desk (where certs complaints are
supposed to go).
Or some new companies might say "Pay us $29 per year and we will guard your
domains against new certs" and automatically submit queries to any CA that
issues a new cert.
Like you, I am only brainstorming, but I'm sure entrepreneurs will try to
productize the great, easy to copy CT logs and make a new business from the
data, so I would expect a number of pointless inquiries based on this new
data source. If CT is that good, maybe this is an (additional) burden that
CAs should be willing to take up.
-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org]
Sent: Thursday, December 19, 2013 10:57 AM
To: Kirk Hall (RD-US); Eddy Nigg (StartCom Ltd.); CABFPub
(public at cabforum.org)
Subject: Re: [cabfman] Improving the security of EV Certificates
On 19/12/13 04:01, kirk_hall at trendmicro.com wrote:
> Gerv -- on your last point, how would the issuing CA know that an
> inquiry was coming from its "own customer"? An inquiry could come
> from someone pretending to be with a customer, or a member of the
> public, or someone who is with the customer but not contact we have
> dealt with.
Yes, you are right.
Do we need to think now about how to reduce the incidence of false
complaints, or shall we wait and see if it's a problem in practice?
One could imagine, for example, if false complaints tended to be 3rd parties
complaining about certs for topsites, we could establish a registry of
"valid complainants" for topsites, such that a complaint about
something.foo.com could only come from the contact in the registry, and all
others could be discarded.
Just brainstorming...
> Today, CAs have to provide a means for anyone in the world to complain
> about a cert they have encountered.
So what is changing?
Gerv
<table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail
or telephone and delete the original message from your mail system.
</pre></td></tr></table>
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
More information about the Public
mailing list