[cabfpub] [cabfman] Improving the security of EV Certificates

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Thu Dec 19 04:01:20 UTC 2013

Gerv -- on your last point, how would the issuing CA know that an inquiry was coming from its "own customer"?  An inquiry could come from someone pretending to be with a customer, or a member of the public, or someone who is with the customer but not a contact we have dealt with.  Today, CAs have to provide a means for anyone in the world to complain about a cert they have encountered.

I think that as a practical matter any CA who gets a CT log inquiry / complaint is going to have to treat it seriously and investigate, whether or not it comes from a known and verified customer contact person.  So the response load on CAs from inquiries / complaints (most of which have no basis) from all sources probably will be significant.

-----Original Message-----
From: management-bounces at cabforum.org [mailto:management-bounces at cabforum.org] On Behalf Of Gervase Markham
Sent: Wednesday, December 18, 2013 1:03 PM
To: Eddy Nigg (StartCom Ltd.); 'management at cabforum.org'
Subject: Re: [cabfman] Improving the security of EV Certificates

> Now just imagine just a few tens of people per day thinking that they have 
> detected something which mustn't be even their own domain name. Just 
> because they think so, and because it would be very easy to know all issued 
> certificates, the inquiries will just come in. And we'll have to read, 
> understand, investigate and answer each case, probably resulting in 
> multiple emails back and forth.

Any false enquiries must by definition come from your own customers (as the certs they are talking about were issued by you otherwise they wouldn't be asking you, and if the enquiry is false, the cert must have been validly issued). Therefore, you will know who they all are and can easily tell them what certs you've issued for them. You could even give them a dashboard to check for themselves, and ask them to recontact you if the cert concerned is not listed, or if there's a cert on the list they didn't request.
