[cabfpub] Draft CAA motion (2)

Bruce Morton Bruce.Morton at entrustdatacard.com
Thu Nov 17 15:56:41 UTC 2016

Comment below.


-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham via Public
Sent: Thursday, November 17, 2016 6:31 AM
To: Doug Beattie <doug.beattie at globalsign.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>; Peter Bowen <pzb at amzn.com>
Cc: Gervase Markham <gerv at mozilla.org>
Subject: Re: [cabfpub] Draft CAA motion (2)

Also, what if the contract is executed not with the domain holder, but with an attacker? How can a domain holder prevent that happening?

[BM] To avoid a relationship with an attacker, the CA could have an "enterprise" relationship with the Subscriber. This enterprise relationship results in Enterprise RAs being verified by contacting the domain holder using a Reliable Method of Communication. The verification method is auditable. The communication method would mitigate or detect an attacker that is trying to set up an enterprise relationship. The certificates are also issued only if the Enterprise RA has authorized issuance for the enterprise. CAs could consider mitigating an attack on an Enterprise RA by requiring multi-factor authentication.
