[cabfpub] Non-whitelisted email addresses used for DV issuing

[Jeremy Rowley]

The risk associated with the lack of actual control is the basis for all the historic arguments of OV v. DV. Really, this is just saying domain validation without another confirmation is a security risk, IMO. With both EV and OV, you get confirmation of authorization from the org, meaning there is at least an additional tie to the applicant.  With Live.fi, there would have been another check to ensure Microsoft actually authorized the certificate, not just the controller of the email address.

Jeremy

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Eddy Nigg
Sent: Monday, March 30, 2015 4:06 PM
To: public at cabforum.org
Subject: Re: [cabfpub] Non-whitelisted email addresses used for DV issuing


On 03/30/2015 05:55 PM, Adriano Santoni - Actalis S.p.A. wrote:
I do not agree with our company being listed as "affected", as our CPS does not allow non-whitelist email addresses. However, Will's rationale is that - regardless of the BRs - domain validation by email is a security problem in itself, even when only whitelisted email addresses are used:

But for this we have EV (and even IV/OV validations to some extend). It's obviously and clearly known that domain control validations have their limits, on the other hand are also very useful for the right purpose (where the right purpose is probably an open question depending on the CA, browser, subscriber and relying party).
--
Regards



Signer:

Eddy Nigg, COO/CTO



StartCom Ltd.<http://www.startcom.org>

XMPP:

startcom at startcom.org<xmpp:startcom at startcom.org>

Blog:

Join the Revolution!<http://blog.startcom.org>

Twitter:

Follow Me<http://twitter.com/eddy_nigg>




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150330/d2c9f6b2/attachment-0003.html>