[cabfpub] Non-whitelisted email addresses used for DV issuing
jeremy.rowley at digicert.com
Mon Mar 30 23:30:35 UTC 2015
The risk associated with the lack of actual control is the basis for all the historic arguments of OV v. DV. Really, this is just saying domain validation without another confirmation is a security risk, IMO. With both EV and OV, you get confirmation of authorization from the org, meaning there is at least an additional tie to the applicant. With Live.fi, there would have been another check to ensure Microsoft actually authorized the certificate, not just the controller of the email address.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Eddy Nigg
Sent: Monday, March 30, 2015 4:06 PM
To: public at cabforum.org
Subject: Re: [cabfpub] Non-whitelisted email addresses used for DV issuing
On 03/30/2015 05:55 PM, Adriano Santoni - Actalis S.p.A. wrote:
I do not agree with our company being listed as "affected", as our CPS does not allow non-whitelist email addresses. However, Will's rationale is that - regardless of the BRs - domain validation by email is a security problem in itself, even when only whitelisted email addresses are used:
But for this we have EV (and even IV/OV validations to some extent). It's obviously and clearly known that domain control validations have their limits; on the other hand they are also very useful for the right purpose (where the right purpose is probably an open question depending on the CA, browser, subscriber and relying party).
Eddy Nigg, COO/CTO
startcom at startcom.org
Join the Revolution! <http://blog.startcom.org>
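As an added illustration (not part of this thread, and not any CA's own validation code), the check below applies the Baseline Requirements' whitelist of DV confirmation mailboxes and, following the point above, flags domains where a whitelisted mailbox can simply be user-registered as needing separate organisational authorisation. The `PUBLIC_MAILBOX_DOMAINS` set is a constructed assumption, and the parent-domain walk does not consult the Public Suffix List.

```python
import re

# Local parts the Baseline Requirements (3.2.2.4) permit for email-based DV.
BR_WHITELIST = {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}

# Constructed example: domains whose mailboxes are self-service registrable, so
# control of a whitelisted address proves mailbox ownership, not that the
# organisation authorised the certificate. A real CA maintains this itself.
PUBLIC_MAILBOX_DOMAINS = {"live.fi"}

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def parent_domains(fqdn):
    """Yield the FQDN and each parent domain, stopping before the TLD.
    Simplification: a real implementation must stop at the public suffix."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def evaluate_dv_address(fqdn, email):
    """Classify a proposed DV confirmation address for `fqdn`.

    Returns 'reject', 'accept', or 'needs_org_authorization'.
    """
    if email.count("@") != 1:
        return "reject"
    local, domain = email.lower().split("@")
    if local not in BR_WHITELIST:
        return "reject"  # non-whitelisted mailbox: the thread's headline problem
    if not all(LABEL_RE.match(label) for label in domain.split(".")):
        return "reject"  # malformed domain part
    if domain not in set(parent_domains(fqdn)):
        return "reject"  # mailbox must sit at the FQDN or one of its parents
    if domain in PUBLIC_MAILBOX_DOMAINS:
        # Live.fi-style case: whitelisted, but anyone could have registered it,
        # so require an additional confirmation from the organisation.
        return "needs_org_authorization"
    return "accept"


if __name__ == "__main__":
    for fqdn, addr in [("www.example.com", "admin@example.com"),
                       ("www.example.com", "jeremy@example.com"),
                       ("mail.live.fi", "hostmaster@live.fi")]:
        print(fqdn, addr, "->", evaluate_dv_address(fqdn, addr))
```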