[cabfpub] Definition of Random Value on draft ballot re new domain validation methods

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Tue May 5 18:08:18 UTC 2015


How is security enhanced by the CA telling the Applicant to post [128 bit Random Value] instead of a one-time use phrase “Rosebud/Ryan Sleevi” on the website?  In each case, it is a shared secret created by the CA.  Using a “Random Value” does not enhance security in and of itself in this case.

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Tuesday, May 05, 2015 10:30 AM
To: Kirk Hall (RD-US)
Cc: CABFPub; Gervase Markham
Subject: Re: [cabfpub] Definition of Random Value on draft ballot re new domain validation methods


On May 5, 2015 9:44 AM, "kirk_hall at trendmicro.com" <kirk_hall at trendmicro.com> wrote:
>
> Here's a more fundamental question -- why do we need to introduce the concept of a "Random Value" for use in practical demonstrations?  It's not a requirement today.  Here's what current 11.1.1 (6) requires today:
>

While I should hope it was obvious, it is because today's method is not sufficiently or practically secure, nor objectively evaluatable as such.

Having reviewed several CAs' practices in this area, it is clear security is not at the forefront of implementers' minds, not even their area of experience or expertise, and that is unacceptable for organizations tasked with operating in the public trust for the core of online security.

That's why we are refining all of these methods. To have clear and objective security controls in place that meet a minimum bar for security.
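As an added illustration of what a "Random Value" practical demonstration involves on the CA side (this is example code written for this archive page, not code from either participant, from Trend Micro, from Google, or from the CA/Browser Forum ballot text), the Python sketch below issues a 128-bit value from the operating system's CSPRNG, binds it to one domain, lets it expire, accepts it only once, and compares it in constant time against the content retrieved from the Applicant's site. The class and parameter names (`RandomValueValidator`, `ttl_seconds`, `clock`, and passing the fetched page content in as a string instead of performing an HTTP request) are assumptions made for the example; the Baseline Requirements do not prescribe this structure.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class IssuedValue:
    """Bookkeeping for one Random Value handed to an Applicant (assumed structure)."""
    token: str
    domain: str
    issued_at: float
    used: bool = False


class RandomValueValidator:
    """Illustrative CA-side issuer/checker for a 128-bit Random Value.

    An assumed design for this example, not the procedure from any ballot or BR section.
    """

    def __init__(self, ttl_seconds: float, clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl_seconds
        self._clock = clock
        self._by_domain: Dict[str, IssuedValue] = {}

    def issue(self, domain: str) -> str:
        # 16 bytes from the OS CSPRNG = 128 bits of entropy; hex keeps it easy to post.
        token = secrets.token_hex(16)
        self._by_domain[domain] = IssuedValue(token, domain, self._clock())
        return token

    def verify(self, domain: str, fetched_content: str) -> bool:
        """Check content retrieved from the Applicant's site against the value issued for that domain."""
        rec: Optional[IssuedValue] = self._by_domain.get(domain)
        if rec is None or rec.used:
            return False                       # nothing outstanding, or already consumed
        if self._clock() - rec.issued_at > self._ttl:
            return False                       # stale value; the Applicant must request a new one
        # Constant-time comparison so response timing does not reveal how much of the value matched.
        if not hmac.compare_digest(fetched_content.strip().encode(), rec.token.encode()):
            return False
        rec.used = True                        # single use: one value cannot validate twice
        return True


def demo() -> dict:
    """Run the issue/verify flow on constructed inputs and return the outcomes."""
    now = [1_000.0]                            # constructed clock so expiry is testable offline
    v = RandomValueValidator(ttl_seconds=60, clock=lambda: now[0])
    token = v.issue("example.com")
    results = {
        "token_bits": len(token) * 4,          # 32 hex characters = 128 bits
        "guessed_phrase": v.verify("example.com", "Rosebud"),
        "correct_once": v.verify("example.com", token + "\n"),
        "replayed": v.verify("example.com", token),
    }
    fresh = v.issue("example.com")
    now[0] += 61                               # step the constructed clock past the TTL
    results["expired"] = v.verify("example.com", fresh)
    return results


if __name__ == "__main__":
    print(demo())
```

The point the code makes concrete is that the value's usefulness as evidence rests on three properties the CA controls: it is drawn from a CSPRNG rather than chosen by a person, it is tied to one domain and one validation, and it is retired after a single successful check or after its validity window. A fixed phrase can satisfy none of those by itself, which is the gap the "Random Value" definition in the ballot is meant to close.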


