[cabfpub] Proposed motion to modify EV domain verification section

Jeremy Rowley jeremy.rowley at digicert.com
Wed May 8 11:49:28 MST 2013

Although I’m not Mozilla, their best practices document indicates that an email challenge is at least as good as WHOIS:

WHOIS is used by some CAs as a source of information for checking ownership/control of the domain name for SSL certificate applications. WHOIS information may be subject to compromise. CAs are responsible for implementing appropriate methods to reduce the risk of compromise. For example, direct command line, HTTPS to the original registrar, or correlating multiple sources. The CA should include information in their CP/CPS about the method that they use to validate the integrity of the data. 

It is not sufficient for the CP/CPS to just state that WHOIS is checked. The CP/CPS needs to have a high level description of how the WHOIS information is used. What information must match with that provided by the certificate subscriber? Is a phone call made or email sent to the technical or administrative contact field of the domain's WHOIS record? If an email is sent, does it include non-predictable information that the technical or administrative contact must use to respond? 

Many CAs use an email challenge-response mechanism to verify that the SSL certificate subscriber owns/controls the domain to be included in the certificate. Some CAs allow applicants to select an address from a predetermined list to be used for this verification. See Mozilla's restrictions on the set of verification addresses that may be used. <https://wiki.mozilla.org/CA:Problematic_Practices#Email_Address_Prefixes_for_DV_Certs>  

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Wednesday, May 08, 2013 12:26 PM
To: public at cabforum.org
Subject: Re: [cabfpub] Proposed motion to modify EV domain verification section


On 05/08/2013 07:00 PM, From Rich Smith: 

My core argument is simply that, with the exception of #7 which, as Jeremy has pointed out, is probably too vague to allow for EV, the other acceptable methods described in the BR are AT LEAST as reliable as looking at WHOIS info (I consider most of them superior) so they should be allowed for EV.

Before we continue to argue between ourselves I'm very much interested to hear the opinions of the browser vendors first. Tom, Gerv and of course any others...what do you think?

Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
startcom at startcom.org
Join the Revolution! <http://blog.startcom.org>
Follow Me <http://twitter.com/eddy_nigg>

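The email challenge-response mechanism described in the Mozilla text quoted above (a non-predictable value sent to one of a predetermined set of addresses on the domain) can be sketched as follows. This is an added illustration, not code from any CA or from Mozilla; the permitted local-part set, the 24-hour validity window and the function names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumed set of permitted local-parts for the challenge address (constructed for this
# example; the authoritative list is the Mozilla page referenced in the thread).
ALLOWED_PREFIXES = {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
CHALLENGE_TTL = 24 * 3600  # assumed validity window in seconds

# Pending challenges keyed by domain; only a hash of the token is stored server side.
_pending = {}


def issue_challenge(domain, address, now=None):
    """Check the applicant-chosen address and mint an unpredictable token for it.
    Returns (ok, token_or_reason); the token is what gets e-mailed to the address."""
    now = time.time() if now is None else now
    local, sep, addr_domain = address.rpartition("@")
    if not sep or addr_domain.lower() != domain.lower():
        return False, "address is not on the requested domain"
    if local.lower() not in ALLOWED_PREFIXES:
        return False, "address is not in the permitted list"
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending[domain.lower()] = (digest, now + CHALLENGE_TTL)
    return True, token


def verify_response(domain, token, now=None):
    """Accept a returned token only if it is unexpired, matches, and has not been used."""
    now = time.time() if now is None else now
    key = domain.lower()
    entry = _pending.get(key)
    if entry is None:
        return False
    digest, expires = entry
    if now > expires:
        _pending.pop(key, None)  # stale challenge is discarded, not honoured
        return False
    candidate = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(digest, candidate):
        return False  # wrong token; the pending challenge stays for the real recipient
    _pending.pop(key, None)  # single use
    return True
```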