[cabfpub] Non-whitelisted email addresses used for DV issuing

Tim Hollebeek THollebeek at trustwave.com
Mon Mar 30 15:28:21 UTC 2015

CERT may certainly opine on the whether email validation is a good idea.  That’s their right.  Even better would have been working with the appropriate standards bodies to get their concerns addressed.

However, CERT defines a “vulnerability” as “defects that allow an attacker to violate an explicit (or implicit) security policy to achieve some impact (or consequence)” [https://www.us-cert.gov/report].
By definition, a CA that is operating in accordance with relevant standards and its publicly stated Certificate Policy Statement has no “defect” that allows an attacker to violate their policy.  They’re doing exactly what they said they should do.

When CERT issues vulnerability reports that don’t even meet CERT’s own definition of what a vulnerability is, that’s not helpful.


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi
Sent: Monday, March 30, 2015 11:04 AM
To: Adriano Santoni - Actalis S.p.A.
Cc: CERT.org; CABFPub
Subject: Re: [cabfpub] Non-whitelisted email addresses used for DV issuing

OK. So we can conclude CERT has reached a different conclusion than browsers and CAs.

I don't believe CERT's reply is at all consistent with other validation methods - that is, it would seem they have decided to take issue with DV in general, as compared to other validation methods. That is certainly their prerogative, but not a conclusion I share at all.

At least it would be more helpful for them to list their perceived vulnerability as accepting email validation at all, rather than conflating the issue with non-whitelisted addresses.


This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150330/32be3b99/attachment-0003.html>

More information about the Public mailing list