[cabfpub] Non-whitelisted email addresses used for DV issuing

Doug Beattie doug.beattie at globalsign.com
Mon Mar 30 14:35:39 MST 2015


If the reseller happens to be a domain registrar, it's possible they can/do include one of these email addresses as a WHOIS contact and also set up that email account for the user, which is completely acceptable. The domain owner has "approved" this email for their WHOIS, which is then used for domain control.

I’m just guessing, but that is one way to advertise a different list of approver emails and then actually use them in a compliant way.

Doug

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi
Sent: Monday, March 30, 2015 10:52 AM
To: Adriano Santoni - Actalis S.p.A.
Cc: CABFPub
Subject: Re: [cabfpub] Non-whitelisted email addresses used for DV issuing


I had also contacted CERT for more evidence of the CAs affected. Several CAs listed as affected, when reviewing their CPS, clearly indicated otherwise.

It's unclear what evidence exists, other than that reseller page. That said, I have noted numerous resellers making claims of acceptable email addresses that are not in line with the issuing CA's CPS. I can assume this is caused by out of date information by the reseller, and not an accurate statement of reality, for as Gerv notes, the whitelist of acceptable emails is abundantly clear.

This may be a good opportunity for CAs to reach out to their resellers and ensure correct and current documentation. Obviously, it can reflect poorly on the CA when the reseller is making inaccurate claims - and reflects even poorer if the claims are accurate.
On Mar 30, 2015 5:37 AM, "Adriano Santoni - Actalis S.p.A." <adriano.santoni at staff.aruba.it<mailto:adriano.santoni at staff.aruba.it>> wrote:
That list caught me by surprise, as I am not aware that we allow non-whitelisted email addresses. Besides, to date we have not even started checking domain control by email....

I contacted CERT to try and find out how they figured out which CAs are "affected" and which not (apart from reading CPS's).

Adriano

On 30/03/2015 12:07, Gervase Markham wrote:

Hi everyone,



On 30/03/15 10:47, Sigbjørn Vik wrote:
> According to http://www.kb.cert.org/vuls/id/591120, some issuers use
> non-whitelisted email addresses to verify domain ownership.

Thanks for bringing this up. This came to Mozilla's attention over the weekend as well. Could all CAs please check that they and their RAs are conforming to the BRs on this issue?



BRs 11.1.1.4 say:

"11.1.1 Authorization by Domain Name Registrant

For each Fully-Qualified Domain Name listed in a Certificate, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant ... either is the Domain Name Registrant or has control over the FQDN by:

...

4. Communicating with the Domain's administrator using an email address created by pre-pending 'admin', 'administrator', 'webmaster', 'hostmaster', or 'postmaster' in the local part, followed by the at-sign ("@"), followed by the Domain Name, which may be formed by pruning zero or more components from the requested FQDN"



Mozilla believes the BRs are clear here: it is not acceptable to issue certs using email confirmation where the email address is not either in the relevant parts of WHOIS or has a localpart which exactly matches one of those five options.



Gerv


--
Adriano Santoni

_______________________________________________
Public mailing list
Public at cabforum.org<mailto:Public at cabforum.org>
https://cabforum.org/mailman/listinfo/public
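The construction in BR 11.1.1.4 and Gerv's reading of it (local part exactly one of the five names, domain equal to the requested FQDN with zero or more leading labels pruned, or an address taken from the relevant WHOIS contacts) can be turned into a check that a CA or RA can run over a reseller's advertised approver list. The following is an added example written for this page; it is not code from any CA, RA or list participant. Assumptions beyond the quoted text: comparisons are case-insensitive, pruning stops before the bare TLD (so no `postmaster@com`), and WHOIS contacts are passed in by the caller rather than fetched; the sample reseller list is constructed.

```python
"""BR 11.1.1.4 approver-address check (added example, not any CA's code)."""
from __future__ import annotations

# The five local parts the BRs (11.1.1.4, as quoted in the thread) permit.
APPROVED_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)


def _normalize_domain(name: str) -> str:
    # Trailing dot and case are not significant for DNS names (assumption:
    # the CA normalizes the same way on both sides of the comparison).
    return name.strip().rstrip(".").lower()


def candidate_domains(fqdn: str) -> list[str]:
    """Domains formed by pruning zero or more leading labels from fqdn.

    Assumption not stated in the quoted BR text: pruning stops before the
    bare TLD, so 'www.example.com' yields ['www.example.com', 'example.com'].
    """
    labels = _normalize_domain(fqdn).split(".")
    if any(not lab for lab in labels):
        raise ValueError(f"malformed FQDN: {fqdn!r}")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def approved_emails(fqdn: str) -> set[str]:
    """Every constructed address the BRs allow for fqdn."""
    return {
        f"{local}@{dom}"
        for dom in candidate_domains(fqdn)
        for local in APPROVED_LOCAL_PARTS
    }


def is_acceptable_approver(email: str, fqdn: str, whois_contacts=()) -> bool:
    """True if `email` may be used to confirm control of `fqdn`.

    whois_contacts: addresses the caller has already taken from the domain's
    WHOIS record (the "relevant parts of WHOIS" in Gerv's message); these are
    accepted with any local part. This function does not query WHOIS itself.
    """
    email = email.strip().lower()
    if email.count("@") != 1:
        return False
    local, _, domain = email.partition("@")
    domain = _normalize_domain(domain)
    if local in APPROVED_LOCAL_PARTS and domain in candidate_domains(fqdn):
        return True
    return email in {c.strip().lower() for c in whois_contacts}


def non_compliant_addresses(fqdn: str, advertised, whois_contacts=()) -> list[str]:
    """Entries of an advertised approver list the BRs do not permit for fqdn."""
    return [a for a in advertised
            if not is_acceptable_approver(a, fqdn, whois_contacts)]


# Constructed sample: the kind of list a reseller page might publish.
SAMPLE_FQDN = "www.example.com"
SAMPLE_ADVERTISED = [
    "admin@example.com",
    "webmaster@www.example.com",
    "ssladmin@example.com",       # local part not in the BR list
    "info@example.com",           # local part not in the BR list
    "postmaster@com",             # pruned past the registered domain
    "hostmaster@other.example",   # unrelated domain
]
SAMPLE_WHOIS = ["registrant@example.org"]  # constructed WHOIS contact

if __name__ == "__main__":
    print("BR-constructed addresses:", sorted(approved_emails(SAMPLE_FQDN)))
    print("non-compliant advertised:",
          non_compliant_addresses(SAMPLE_FQDN, SAMPLE_ADVERTISED, SAMPLE_WHOIS))
```

Run against a reseller's published list, `non_compliant_addresses` returns exactly the entries a CA would need the reseller to remove or the RA to stop honouring; a WHOIS-sourced address such as the constructed `registrant@example.org` passes only because it is supplied as a WHOIS contact, not because of its local part.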