[cabfpub] Non-whitelisted email addresses used for DV issuing

Richard Wang richard at wosign.com
Mon Mar 30 17:55:57 MST 2015


WoSign also do not agree with our company being listed as "affected", as our CPS and our online application system does not allow non-whitelist email addresses for domain control validation.

I send email to Cert, but don’t get any response. 

 

 

Best Regards,

 

Richard

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Adriano Santoni - Actalis S.p.A.
Sent: Monday, March 30, 2015 10:55 PM
To: public at cabforum.org
Cc: CERT.org
Subject: Re: [cabfpub] Non-whitelisted email addresses used for DV issuing

 

Hello, 

I am quoting below, with the author's permission, the reply I got from Will Dormann after I enquired CERT about why we (and several other CAs as well) are listed as "affected" by that problem. 

I do not agree with our company being listed as "affected", as our CPS does not allow non-whitelist email addresses. However, Will's rationale is that - regardless of the BRs - domain validation by email is a security problem in itself, even when only whitelisted email addresses are used:

-----BEGIN QUOTE-----



Hi Adriano,
 
Thanks for the feedback.  We've been debating the concept of how to
list the varios root CAs.  One stance is that email alone is
insufficient to verify domain ownership.  Consider the many sites that
offer email services to end users.  If a single host fails to block
creation of a single "special" alias that can be used to register an
SSL certificate, then their site can be impersonated.  This perhaps
isn't widely known as recent articles indicate:
 <https://raymii.org/s/blog/How_I_got_a_valid_SSL_certificate_for_my_ISPs_main_website.html> <https://raymii.org/s/blog/How_I_got_a_valid_SSL_certificate_for_my_ISPs_main_website.html>
 <http://arstechnica.com/security/2015/03/bogus-ssl-certificate-for-windows-live-could-allow-man-in-the-middle-hacks/> <http://arstechnica.com/security/2015/03/bogus-ssl-certificate-for-windows-live-could-allow-man-in-the-middle-hacks/>
 
One of the purposes of the vulnerability note is to raise awareness of
the situation (the existence of these special email addresses).
 
Alternatively, the vulnerability note could be scoped to only list CAs
that accept email aliases outside of those 5 addresses.  Here are some
examples or root CAs and resellers that allow email addresses outside
of the 5 listed in the BR:
 
 <http://certum.eu/certum/cert,offer_Commercial_SSL.dxml?MEDIA=pdf> <http://certum.eu/certum/cert,offer_Commercial_SSL.dxml?MEDIA=pdf>
 <http://evssl.com.ua/docs/thawte/enroll_ssl123_eng.pdf> <http://evssl.com.ua/docs/thawte/enroll_ssl123_eng.pdf>
<https://www.thawte.com/assets/documents/guides/simplify-ssl-certificate-managem
ent-enterprise.pdf>
 <http://host.dynamicwebhost.net/features/approvedemail.htm> <http://host.dynamicwebhost.net/features/approvedemail.htm>
 <https://www.geocerts.com/api_spec.pdf> <https://www.geocerts.com/api_spec.pdf>
<http://account.buyhttp.com/knowledgebase/753/Which-email-address-can-approve-SS
L-certificate-order.html>
 <https://www.onestepssl.com/onestepssl_validation_process.php> <https://www.onestepssl.com/onestepssl_validation_process.php>
 <http://www.domainpurpose.com/ssl-faqs.htm> <http://www.domainpurpose.com/ssl-faqs.htm>
 <http://kb.canvashost.com/?p=935> <http://kb.canvashost.com/?p=935>
 
snip
 
Or see variants of:
<http://www.google.com/search?q="ssladmin%40yourdomain.com">
 
 
Where this gets tricky is determining which CAs to list as affected.
If a root CA currently accepts an email outside of the list of 5, then
that's straightforward.  But what about when an SSL reseller lists
such an address?  How can a reseller have the authority to say what is
valid proof of domain ownership, as it would seem that the upstream
root CA would be the one that performs the validation?  What about
cases where a root CA has accepted a non-standard email address in the
past, but no longer does now?  If I purchased a certificate in the
past where the CA was more lax, then that still leaves me with a valid
cert that can be used for impersonation / interception of traffic.
 
Currently, the note is scoped as the acceptance of email as proof of
domain ownership in general.  Yes, we are aware that the Baseline
Requirements document
 <https://cabforum.org/baseline-requirements-documents/> <https://cabforum.org/baseline-requirements-documents/> lists email
addresses that can be used for this purpose.  Our stance currently is
that this BR document should perhaps be updated, and that email
addresses should not be used as proof.  If ownership of a domain is
the question, then the proof should be something domain-related, such
as WHOIS or the creation of a DNS entry, in our opinion.  Not email.
 
 
Thank you,
   Will Dormann

-----END QUOTE-----

Adriano




Il 30/03/2015 11:47, Sigbjørn Vik ha scritto:

Hi,
 
According to http://www.kb.cert.org/vuls/id/591120, some issuers use
non-whitelisted email addresses to verify domain ownership.
 
The only link to such is
http://account.buyhttp.com/knowledgebase/753/Which-email-address-can-approve-SSL-certificate-order.html
(sic), it is unclear how many issuers this affects.
 

 

-- 
Adriano Santoni 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20150331/df8ea295/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5075 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20150331/df8ea295/attachment-0001.bin 


More information about the Public mailing list