[cabfpub] Non-whitelisted email addresses used for DV issuing

Tue Mar 31 09:32:26 MST 2015

On Tue, Mar 31, 2015 at 9:10 AM, Rick Andrews <Rick_Andrews at symantec.com>
wrote:

> Posted with permission from Will from CERT:
>
> Hi folks,
>
> We've been investigating best practices for proof of domain ownership, and
> it seems that we are not alone in thinking that a predefined set
> of email aliases is not good enough.   For example:
>
> <https://support.google.com/a/answer/60216?hl=en>
> <
> https://support.office.com/en-ie/article/Verify-your-domain-and-change-name-servers-at-any-domain-registrar-a8b487a9-2a45-4581-9dc4-5d28a47010a2
> >
> <
> https://aws.amazon.com/blogs/aws/domain-verification-for-the-amazon-simple-email-service/
> >
> <https://www.zoho.com/mail/help/adminconsole/domain-verification.html>
> <
> http://www-10.lotus.com/ldd/bhwiki.nsf/xpDocViewer.xsp?lookupName=Administering+SmartCloud+Notes%3A+Service-only+Environment#action=openDocument&res_title=Verifying_ownership_of_a_domain_SO&content=pdcontent
> >
>
> We suspect that Google, IBM, Microsoft, Amazon, and Zoho have thought
> about the security impacts of accepting insufficient proof of domain
> ownership.  We recommend that the CA/Browser Baseline Requirements be
> updated to remove the "whitelist" of predefined email aliases.  The fact
> that the current model requires organizations to opt in (block the ability
> to create certain addresses) to be protected should in and of itself be an
> indication that it's not ideal.
>
>
> Thank you,
>    Will Dormann
>

While I appreciate CERT raising this issue, it does seem like we're at a
bit of an impasse, doesn't it?

That is, CERT feels that email is unacceptable for validation.

What I'm surprised by is not a more general reaction from CERT, on these
principals, of being opposed to DV in principle (as we know that some CAs
are, and vocally so). That is, we all are aware of the issues with 11.1.1
p6 at this point, but that doesn't seem to have warranted a similar alert
or a notice that some CAs are "affected".  Nor do we see an obvious
discussion about the WHOIS ramifications, including private domain
registrations, also affecting validation.

Even the proposed Validation WG changes (
https://cabforum.org/pipermail/validation/2015-March/000009.html ), which
refines this, still makes use of a limited whitelist of URLs (in this case,
it's now a /.well-known/ file, a vast improvement over "any suitable file,
potentially at the customer's discretion")

Requiring email providers protect certain addresses is, in my mind, no
different than the existing requirements that arbitrary web hosting need to
do to protect their users. For example, don't allow control over the
response at all if you host at a sub-path. If you host at a subdomain,
enter your domain in the public suffix list to prevent arbitrary users from
mounting cookie attacks. Prevent access to some headers that might be used
maliciously (HSTS and HPKP come to mind, although even CSP directives can
be used and abused).

While I'm certainly not at all strongly attached to the use of email
addresses for validation, and see no inherent problems in eliminating them
as a validation method (other than potential ease of use issues), I suppose
I do take issue with an inconsistent evaluation of the evidence.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20150331/0671c194/attachment.html 