[cabfpub] Non-whitelisted email addresses used for DV issuing

Rick Andrews Rick_Andrews at symantec.com
Tue Mar 31 16:10:28 UTC 2015


Posted with permission from Will from CERT:

Hi folks,

We've been investigating best practices for proof of domain ownership, and it seems that we are not alone in thinking that a predefined set
of email aliases is not good enough.   For example:

<https://support.google.com/a/answer/60216?hl=en>
<https://support.office.com/en-ie/article/Verify-your-domain-and-change-name-servers-at-any-domain-registrar-a8b487a9-2a45-4581-9dc4-5d28a47010a2>
<https://aws.amazon.com/blogs/aws/domain-verification-for-the-amazon-simple-email-service/>
<https://www.zoho.com/mail/help/adminconsole/domain-verification.html>
<http://www-10.lotus.com/ldd/bhwiki.nsf/xpDocViewer.xsp?lookupName=Administering+SmartCloud+Notes%3A+Service-only+Environment#action=openDocument&res_title=Verifying_ownership_of_a_domain_SO&content=pdcontent>

We suspect that Google, IBM, Microsoft, Amazon, and Zoho have thought about the security impacts of accepting insufficient proof of domain ownership.  We recommend that the CA/Browser Baseline Requirements be updated to remove the "whitelist" of predefined email aliases.  The fact that the current model requires organizations to opt in (block the ability to create certain addresses) to be protected should in and of itself be an indication that it's not ideal.


Thank you,
   Will Dormann

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Sigbjørn Vik
Sent: Tuesday, March 31, 2015 12:12 AM
To: public at cabforum.org
Subject: Re: [cabfpub] Non-whitelisted email addresses used for DV issuing

Hi,

Even if we don't think using email addresses for validation is a vulnerability, let us not forget the other issue here. A number of resellers (see quote below) list non-whitelisted emails as valid. If these email addresses are usable (with any CA), we have a vulnerability.
Even if they aren't usable, we still have a PR problem; this looks bad for the industry as a whole.

Could we please have clarification of the following:
1. Can resellers do their own domain verification, does the CA do this, or does it depend?
2. What is the audit status of resellers as above?
3. Do CAs do any kind of check on resellers, e.g. have a look at their web pages, and what they promise their customers?



On 30-Mar-15 16:55, Adriano Santoni - Actalis S.p.A. wrote:
>
> the reply I got from Will Dormann
> -----BEGIN QUOTE-----
> 
> <http://certum.eu/certum/cert,offer_Commercial_SSL.dxml?MEDIA=pdf>
> <http://evssl.com.ua/docs/thawte/enroll_ssl123_eng.pdf>
> <https://www.thawte.com/assets/documents/guides/simplify-ssl-certificate-management-enterprise.pdf>
> <http://host.dynamicwebhost.net/features/approvedemail.htm>
> <https://www.geocerts.com/api_spec.pdf>
> <http://account.buyhttp.com/knowledgebase/753/Which-email-address-can-approve-SSL-certificate-order.html>
> <https://www.onestepssl.com/onestepssl_validation_process.php>
> <http://www.domainpurpose.com/ssl-faqs.htm>
> <http://kb.canvashost.com/?p=935>
> 
> snip
> 
> Or see variants of:
> <http://www.google.com/search?q="ssladmin%40yourdomain.com">


--
Sigbjørn Vik
Opera Software
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
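The thread above turns on whether an "approver" address a reseller advertises is actually one a CA may rely on. The following is an added illustration, not code from the list or from any CA or reseller: a small audit routine that checks each advertised address against the local parts the Baseline Requirements permit for e-mail-based domain validation (admin, administrator, webmaster, hostmaster, postmaster; this list is stated here as an assumption about the BR text) and against the rule that the mailbox must belong to the requested FQDN or one of its parent domains. The sample addresses are constructed to resemble the ones quoted in the thread, such as ssladmin@yourdomain.com.

```python
"""Audit reseller-advertised DV approver addresses (added example)."""
from typing import Iterator, List, NamedTuple

# Assumption: the BR-permitted local parts for e-mail-based domain validation.
# Anything else (e.g. "ssladmin") is exactly the non-whitelisted case the thread objects to.
BR_LOCAL_PARTS = frozenset({"admin", "administrator", "webmaster", "hostmaster", "postmaster"})


class Verdict(NamedTuple):
    address: str
    permitted: bool
    reason: str


def _parent_domains(fqdn: str) -> Iterator[str]:
    """Yield the FQDN and each parent down to two labels.

    Simplification: a real check must stop at the registrable domain using the
    Public Suffix List, otherwise e.g. 'postmaster@co.uk' would look acceptable.
    """
    labels = fqdn.lower().strip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def check_approver(address: str, fqdn: str) -> Verdict:
    """Decide whether `address` may approve issuance for `fqdn` under the assumed BR rules."""
    if address.count("@") != 1:
        return Verdict(address, False, "malformed address")
    local, domain = address.lower().rsplit("@", 1)
    if local not in BR_LOCAL_PARTS:
        return Verdict(address, False, f"local part {local!r} is not on the BR whitelist")
    if domain not in set(_parent_domains(fqdn)):
        return Verdict(address, False, f"mailbox domain {domain!r} is not {fqdn!r} or a parent of it")
    return Verdict(address, True, "permitted")


def audit(addresses: List[str], fqdn: str) -> List[Verdict]:
    """Run check_approver over every advertised address for one requested FQDN."""
    return [check_approver(a, fqdn) for a in addresses]


def non_whitelisted(addresses: List[str], fqdn: str) -> List[str]:
    """Return only the advertised addresses that a CA should not rely on."""
    return [v.address for v in audit(addresses, fqdn) if not v.permitted]


# Constructed sample: the kind of list a reseller FAQ page advertises for a
# certificate request covering www.example.com.
ADVERTISED = [
    "admin@example.com",
    "administrator@example.com",
    "ssladmin@example.com",       # not on the whitelist
    "sslwebmaster@example.com",   # not on the whitelist
    "webmaster@www.example.com",
    "hostmaster@other-domain.com",  # wrong domain
    "postmaster@com",             # parent too high
]

if __name__ == "__main__":
    for verdict in audit(ADVERTISED, "www.example.com"):
        flag = "OK " if verdict.permitted else "BAD"
        print(f"{flag} {verdict.address:32} {verdict.reason}")
```

Run over the constructed list, the routine flags ssladmin@, sslwebmaster@, the off-domain hostmaster@ and postmaster@com, which is the same distinction Sigbjørn asks CAs to confirm for their resellers: are these addresses merely advertised, or actually honoured at issuance time?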
