[cabfpub] Proposed motion to modify EV domain verification section

Mads Egil Henriksveen Mads.Henriksveen at buypass.no
Tue May 14 02:39:42 MST 2013


If the requirements does not actually require a true verification of "exclusive right", we should consider to change the wording. This is confusing.

I agree with Jeremy in that the awareness requirement and verification of knowledge (ref {2]) does not add any assurance to the certificate. If an applicant request for a SSL certificate for a given domain, this indicates that the applicant has some knowledge of its relation to the domain. And if this is a common understanding, we should consider remove this from the EV requirements as well. 

I do appreciate the initiative of simplifying the EV domain verification requirements, as long as it does not lower the assurance level of the EV certificates. The domain verification section of EV (11.6) is quite complex, one example is 11.6.2 (2) A. In this case, the "exclusive right to use" the domain requires a confirmation from the registered domain holder AND in addition some kind of contractual provision (Jeremys wording). I do not understand the necessity of this last part. 

Geoff has summarized the most important differences between domain verification requirements in EV Guidelines and BR in a good way. One additional topic I have noticed is that BR (Section 11.1.1) explicit requires that the domain verification shall be confirmed at the date of the certificate issuance, while EV (Section 11.6) do not mention this at all. 

Regards
Mads



-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: 8. mai 2013 23:01
To: 'Geoff Keating'; 'Eddy Nigg (StartCom Ltd.)'
Cc: public at cabforum.org
Subject: Re: [cabfpub] Proposed motion to modify EV domain verification section

1. We are reducing the requirement of "exclusive right to use" the domain to "has control".  That is, we are replacing a check for legitimacy ("right") with simple possession ("has").

[JR] I do not think the requirements require a true verification of an exclusive right since Section 11.6.2(A) permits a representation from WHOIS combined with a contractual provision and Section 11.6.2(B) permits verification of exclusivity using a practical demonstration of control combined with an accountant letter.

2. We are removing the requirement that "the Applicant is aware of its registration or exclusive control of the Domain Name".

[JR] Considering verification of awareness is permitted by a contract representation (see 11.6.2(3)(B)), I don't there is a much of a change.  We can certainly retain this representation requirement in the EVs. 

3. We are removing the requirement that the WHOIS information is neither "misleading nor inconsistent" when compared to the Subject's information.

[JR] I believe we should keep this as a minimum requirement before moving onto other methods of verification.  There should always be a requirement to check the WHOIS before proceeding with other types of verification.

With regard to (1), I think it's the key difference between EV and DV/OV.
The aim is to prevent two kinds of attacks:

- Someone hijacks a domain of a defunct or oblivious company (by, for example, taking over the address space used for its DNS servers, or for that matter physically acquiring the servers) and can prove they have effective control of it, but they aren't the owner.  They still shouldn't get an EV certificate.

[JR] They can if they have an accountant letter that says they have a right to use the domain.

- An insider has the ability, but not the right, to change a web site or domain (this is very common in large corporations).  They set up their own company with a similar-looking name and "prove" domain control.

[JR] Still possible provided you have an accountant letter on file.

So, I don't support removing (1) from EV.

I think that (2) should be put in the BRs, perhaps with weakened verification methods for non-EV certificates.  Most CA processes should achieve it automatically; the cases where it needs care are those where a large corporation is involved and there's some kind of automated certificate issuance mechanism.

[JR] I disagree.  I don't think verification of knowledge does anything other than add a step in an already complicated process.  I do not think it adds any assurances to the certificate.

For (3), I don't think we should be the WHOIS police (ICANN is doing that) but I do think that CAs should check that the WHOIS results don't raise any red flags.  So I don't think this provision should be removed, and if someone can think of appropriate language, I'd support putting a weakened version of it in the BRs.

[JR] I agree.  I think a WHOIS check should always be a first step in validating EV certs.

_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public


More information about the Public mailing list