[cabfpub] Proposed motion to modify EV domain verification section

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Wed May 8 15:03:05 MST 2013 

I have still other questions about our existing domain vetting language in both the BRs and EVGL.

Perhaps we should create a Domain Vetting Working Group to come up with some proposals and alternatives, with explanations?  Ben, could you put on the next Forum agenda (which I must miss due to travel)?  

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Thursday, May 09, 2013 6:01 AM
To: 'Geoff Keating'; 'Eddy Nigg (StartCom Ltd.)'
Cc: public at cabforum.org
Subject: Re: [cabfpub] Proposed motion to modify EV domain verification section

1. We are reducing the requirement of "exclusive right to use" the domain to "has control".  That is, we are replacing a check for legitimacy ("right") with simple possession ("has").

[JR] I do not think the requirements require a true verification of an exclusive right since Section 11.6.2(A) permits a representation from WHOIS combined with a contractual provision and Section 11.6.2(B) permits verification of exclusivity using a practical demonstration of control combined with an accountant letter.

2. We are removing the requirement that "the Applicant is aware of its registration or exclusive control of the Domain Name".

[JR] Considering verification of awareness is permitted by a contract representation (see 11.6.2(3)(B)), I don't there is a much of a change.  We can certainly retain this representation requirement in the EVs. 

3. We are removing the requirement that the WHOIS information is neither "misleading nor inconsistent" when compared to the Subject's information.

[JR] I believe we should keep this as a minimum requirement before moving onto other methods of verification.  There should always be a requirement to check the WHOIS before proceeding with other types of verification.

With regard to (1), I think it's the key difference between EV and DV/OV.
The aim is to prevent two kinds of attacks:

- Someone hijacks a domain of a defunct or oblivious company (by, for example, taking over the address space used for its DNS servers, or for that matter physically acquiring the servers) and can prove they have effective control of it, but they aren't the owner.  They still shouldn't get an EV certificate.

[JR] They can if they have an accountant letter that says they have a right to use the domain.

- An insider has the ability, but not the right, to change a web site or domain (this is very common in large corporations).  They set up their own company with a similar-looking name and "prove" domain control.

[JR] Still possible provided you have an accountant letter on file.

So, I don't support removing (1) from EV.

I think that (2) should be put in the BRs, perhaps with weakened verification methods for non-EV certificates.  Most CA processes should achieve it automatically; the cases where it needs care are those where a large corporation is involved and there's some kind of automated certificate issuance mechanism.

[JR] I disagree.  I don't think verification of knowledge does anything other than add a step in an already complicated process.  I do not think it adds any assurances to the certificate.

For (3), I don't think we should be the WHOIS police (ICANN is doing that) but I do think that CAs should check that the WHOIS results don't raise any red flags.  So I don't think this provision should be removed, and if someone can think of appropriate language, I'd support putting a weakened version of it in the BRs.

[JR] I agree.  I think a WHOIS check should always be a first step in validating EV certs.

_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
<table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></table>

More information about the Public mailing list