[cabfpub] Proposed motion to modify EV domain verification section

Tue May 14 08:32:32 MST 2013

I agree that the phrase "exclusive right" is confusing and overstates the
practical standard used when validating the proper/allowed use of an FQDN
(again raising the FQDN vs. Domain Name semantics issue that we still need
to fix).  By way of background -- "exclusive right" came out of an ICANN
domain registration policy document and it does not need to be used in the
context of the CA/B Forum's certificate issuance guidelines.   In other
words, we should not strain to preserve a legal concept that is used to
govern the assignment of domain name space in the ICANN framework when it
doesn't work for us and only confuses the vetting and certificate approval
process.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Mads Egil Henriksveen
Sent: Tuesday, May 14, 2013 3:40 AM
To: jeremy.rowley at digicert.com; 'Geoff Keating'; 'Eddy Nigg (StartCom Ltd.)'
Cc: public at cabforum.org
Subject: Re: [cabfpub] Proposed motion to modify EV domain verification
section

If the requirements does not actually require a true verification of
"exclusive right", we should consider to change the wording. This is
confusing.

I agree with Jeremy in that the awareness requirement and verification of
knowledge (ref {2]) does not add any assurance to the certificate. If an
applicant request for a SSL certificate for a given domain, this indicates
that the applicant has some knowledge of its relation to the domain. And if
this is a common understanding, we should consider remove this from the EV
requirements as well. 

I do appreciate the initiative of simplifying the EV domain verification
requirements, as long as it does not lower the assurance level of the EV
certificates. The domain verification section of EV (11.6) is quite complex,
one example is 11.6.2 (2) A. In this case, the "exclusive right to use" the
domain requires a confirmation from the registered domain holder AND in
addition some kind of contractual provision (Jeremys wording). I do not
understand the necessity of this last part. 

Geoff has summarized the most important differences between domain
verification requirements in EV Guidelines and BR in a good way. One
additional topic I have noticed is that BR (Section 11.1.1) explicit
requires that the domain verification shall be confirmed at the date of the
certificate issuance, while EV (Section 11.6) do not mention this at all. 

Regards
Mads

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Jeremy Rowley
Sent: 8. mai 2013 23:01
To: 'Geoff Keating'; 'Eddy Nigg (StartCom Ltd.)'
Cc: public at cabforum.org
Subject: Re: [cabfpub] Proposed motion to modify EV domain verification
section

1. We are reducing the requirement of "exclusive right to use" the domain to
"has control".  That is, we are replacing a check for legitimacy ("right")
with simple possession ("has").

[JR] I do not think the requirements require a true verification of an
exclusive right since Section 11.6.2(A) permits a representation from WHOIS
combined with a contractual provision and Section 11.6.2(B) permits
verification of exclusivity using a practical demonstration of control
combined with an accountant letter.

2. We are removing the requirement that "the Applicant is aware of its
registration or exclusive control of the Domain Name".

[JR] Considering verification of awareness is permitted by a contract
representation (see 11.6.2(3)(B)), I don't there is a much of a change.  We
can certainly retain this representation requirement in the EVs. 

3. We are removing the requirement that the WHOIS information is neither
"misleading nor inconsistent" when compared to the Subject's information.

[JR] I believe we should keep this as a minimum requirement before moving
onto other methods of verification.  There should always be a requirement to
check the WHOIS before proceeding with other types of verification.

With regard to (1), I think it's the key difference between EV and DV/OV.
The aim is to prevent two kinds of attacks:

- Someone hijacks a domain of a defunct or oblivious company (by, for
example, taking over the address space used for its DNS servers, or for that
matter physically acquiring the servers) and can prove they have effective
control of it, but they aren't the owner.  They still shouldn't get an EV
certificate.

[JR] They can if they have an accountant letter that says they have a right
to use the domain.

- An insider has the ability, but not the right, to change a web site or
domain (this is very common in large corporations).  They set up their own
company with a similar-looking name and "prove" domain control.

[JR] Still possible provided you have an accountant letter on file.

So, I don't support removing (1) from EV.

I think that (2) should be put in the BRs, perhaps with weakened
verification methods for non-EV certificates.  Most CA processes should
achieve it automatically; the cases where it needs care are those where a
large corporation is involved and there's some kind of automated certificate
issuance mechanism.

[JR] I disagree.  I don't think verification of knowledge does anything
other than add a step in an already complicated process.  I do not think it
adds any assurances to the certificate.

For (3), I don't think we should be the WHOIS police (ICANN is doing that)
but I do think that CAs should check that the WHOIS results don't raise any
red flags.  So I don't think this provision should be removed, and if
someone can think of appropriate language, I'd support putting a weakened
version of it in the BRs.

[JR] I agree.  I think a WHOIS check should always be a first step in
validating EV certs.

_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public