[cabfpub] Domain validation

Tim Hollebeek THollebeek at trustwave.com
Thu Apr 16 15:22:13 UTC 2015

All of the domain validation methods are weak and can generally be subverted by someone who has or can get administrative or technical control of a crucial part of the domain or infrastructure (the hostmaster@ controversy with CERT is the same issue).  Improving the validation of Domain Validated certificates is not the goal of this ballot.

If this bothers you, use EV certificates, which use stronger authentication methods and prove actual identity, not just domain control.


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Eddy Nigg
Sent: Thursday, April 16, 2015 11:08 AM
To: public at cabforum.org
Subject: Re: [cabfpub] Domain validation

On 04/16/2015 05:48 PM, Anoosh Saboori wrote:
Sorry for the late chime-in, since I was out for a few weeks, and thanks, Jeremy, for sending this out. I have two questions:

1.      Regarding #5 below, it is not clear to me what constitutes a "Domain Authorization Document". Can a lawyer send this document?

2.      #6 does not seem to be on par with the rest of the items, which require checking a CNAME record, DNS record changes, control over IP, ...  Anybody with temporary control of a web site can pass this test. Can we make this requirement stronger, maybe by combining it with one of the other bullets?

I'm not sure, but number #9 seems to be a bit risky too: why should somebody controlling an IP address to which I point a host name of mine get a certificate for said domain? For example, if I point some host name to a service provider (Cloud, Akamai), they shouldn't be able to obtain certificates for that.


Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
startcom at startcom.org <xmpp:startcom at startcom.org>
Join the Revolution! <http://blog.startcom.org>
Follow Me <http://twitter.com/eddy_nigg>


This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
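An added illustration of the concern in Eddy Nigg's second and third points (this is example code written for this archive page, not code from the thread, from StartCom, Trustwave or the CA/B Forum): a toy model in which www.example.com is CNAMEd to a hosting provider's edge host. The two checks are simplified stand-ins for a website-change method (the CA fetches a random token from whatever host the name resolves to) and a DNS method (the CA looks for a TXT record at the registered domain). The zone data, the actors, the `_cabf-validation` record name and the `/.well-known/pki-validation/` path are all constructed assumptions, and no real DNS or HTTP is touched.

```python
"""Toy model: who can pass a website-based vs. a DNS-based domain validation
when the hostname is CNAMEd to a hosting provider.  All data is constructed."""
import secrets

# Constructed zone data.  Each zone records which actor may modify it.
# The customer owns example.com but has delegated www to the provider by CNAME.
ZONES = {
    "example.com":  {"owner": "customer", "TXT": {}, "A": {},
                     "CNAME": {"www": "edge.provider.net"}},
    "provider.net": {"owner": "provider", "TXT": {}, "CNAME": {},
                     "A": {"edge": "203.0.113.10"}},
}
# Constructed web hosts, keyed by IP, each with the actor that operates it.
WEB = {"203.0.113.10": {"owner": "provider", "paths": {}}}

TOKEN_PATH = "/.well-known/pki-validation/"   # assumed path for the website check
TXT_NAME = "_cabf-validation"                 # assumed record name for the DNS check


def split(fqdn):
    """Two-level zone model: 'www.example.com' -> ('www', 'example.com')."""
    parts = fqdn.split(".")
    return ".".join(parts[:-2]), ".".join(parts[-2:])


def resolve(fqdn, depth=0):
    """Follow CNAMEs, then return the A record that serves fqdn (or None)."""
    if depth > 8:                      # guard against CNAME loops
        return None
    label, zone = split(fqdn)
    z = ZONES.get(zone)
    if z is None:
        return None
    if label in z["CNAME"]:
        return resolve(z["CNAME"][label], depth + 1)
    return z["A"].get(label)


def write_txt(actor, zone, name, value):
    """An actor publishes a TXT record; only the zone owner may."""
    z = ZONES.get(zone)
    if z is None or z["owner"] != actor:
        return False
    z["TXT"][name] = value
    return True


def write_web(actor, ip, path, body):
    """An actor places content on a web host; only its operator may."""
    site = WEB.get(ip)
    if site is None or site["owner"] != actor:
        return False
    site["paths"][path] = body
    return True


# CA-side checks (simplified stand-ins for the ballot's methods).
def http_validation(fqdn, token):
    """Fetch the token from the host the name currently resolves to."""
    ip = resolve(fqdn)
    if ip is None:
        return False
    return WEB.get(ip, {}).get("paths", {}).get(TOKEN_PATH + token) == token


def dns_validation(fqdn, token):
    """Look for the token in a TXT record at the registered domain."""
    _, zone = split(fqdn)
    return ZONES.get(zone, {}).get("TXT", {}).get(TXT_NAME) == token


def attempt(actor, method, fqdn):
    """Actor tries to satisfy `method` for fqdn using only what it controls.
    Returns True if the CA check would pass."""
    token = secrets.token_hex(16)      # fresh per request, as a CA would issue
    if method == "http":
        write_web(actor, resolve(fqdn), TOKEN_PATH + token, token)
        return http_validation(fqdn, token)
    if method == "dns":
        _, zone = split(fqdn)
        write_txt(actor, zone, TXT_NAME, token)
        return dns_validation(fqdn, token)
    raise ValueError(method)


if __name__ == "__main__":
    for actor in ("provider", "customer"):
        for method in ("http", "dns"):
            print(f"{actor:8s} {method:4s} www.example.com ->",
                  attempt(actor, method, "www.example.com"))
```

In this model the provider passes the website check for www.example.com without ever touching the customer's zone, which is exactly the case where a name has been pointed at a CDN or cloud host; the DNS check can only be satisfied by whoever controls example.com. The customer, conversely, cannot pass the website check alone, because the provider operates the host the name resolves to. Requiring the DNS check alongside the website check (the "combine it with one of the other bullets" suggestion) is what closes the gap in this toy setup.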
