[cabfpub] [EXTERNAL] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft

Jeremy Rowley jeremy.rowley at digicert.com
Fri Apr 28 19:59:36 UTC 2017


I think removing DTPs completely would have some unforeseen consequences.  We talked about the need for DTPs when passing the guidelines and the various reasons were given:
1) Org validation - some entities have DTPs that validate organizational validation in the country where they operate. 
2) Domain validation - some entities used to outsource domain validation (this is what the ballot is trying to prohibit and what everyone agreed to at the F2F)
3) OCSP/CRL signing - some entities give third parties control over OCSP/CRL signing
4) Subscriber agreement signing - some entities delegate the subscriber agreement collection requirements to third parties
5) Repository hosting - some entities have a third party host/provide their repository

I don't recall anyone mentioning outsourcing of training, archiving, or background checks, but I could see some of this happening. I also don't have examples of all of these situations, but these were some of the reasons cited previously for using DTPs. Refining the permitted delegation of functionality might be better than removing the concept completely. 

Jeremy

-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Peter Bowen via Public
Sent: Friday, April 28, 2017 8:57 AM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Peter Bowen <pzb at amzn.com>
Subject: Re: [cabfpub] [EXTERNAL] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft


> On Apr 28, 2017, at 7:06 AM, Gervase Markham via Public <public at cabforum.org> wrote:
> 
> On 27/04/17 19:52, Kirk Hall wrote:
>> Please humor me (and the rest of the members, and the public 
>> following this list).  In one or two paragraphs, can you summarize 
>> your reasons?
> 
> I think that has been effectively done elsewhere in this thread. 
> Fixing audits to reliably include DTPs is very difficult. Taking the 
> most security-critical part and forbidding it from being done by third 
> parties solves the problem for that security-critical part. And no CA 
> has claimed (enterprise RAs aside) that they use this capability. So 
> eliminating it should be uncontroversial.

Gerv,

I would suggest a simpler approach — simply remove Delegated Third Party from the BRs altogether.  That removes the carve-out allowing the CA to shift blame.

My concern over being super-specific on defining who can do certain this by employer is that it heavily constrains companies.  A few example:

- Amazon has security guards at our buildings, both offices and data centers.  Our core business competence is not training security guards.  So our physical security team contracts with a company who does have that as their core competence to provide the guard force.  The BRs section 5 says “the Certificate Management Process MUST include physical security and environmental controls”, so we have a third party involved in our BR compliance.

- Even if we limit this to just domain validation, third parties still come in to play.  Sending and receiving email is rather complicated on today’s Internet.  You have to understand SPF, DKIM, DMARC, FBLs, and lots of other stuff.  Many organizations use third party email platforms to help with sending and receiving.  For example, I note that Mozilla uses Google’s mail service and I know we use Amazon Simple Email Service to send emails.  There is no question that email is part of the domain validation process for many CAs.  So these again are third parties involved in domain validation.

- Even if we limit the discussion further, it is very common that employers do not span borders.  For example, the independent auditors’ report on Mozilla Foundation notes that the Foundation has a subsidiary, Mozilla Corporation, which in turn has its own subsidiaries in Canada, Europe, and China.  Each of these is a different legal entity.  Some organizations have multiple legal entities per country.  So I’m very hesitant to put in rules about one’s employer.  I’ve already run into this when considering whether I could use a Verified Legal Opinion to validate the existence of my own company. The EVGs say "in-house legal practitioner employed by the Applicant” — it turns out none of the lawyers I work with are employed by _my_ employer.  They are employed by companies that are Affiliates of my employer.  The same problem would come up if there was a requirement that employees of the trust store owner review audit reports — you would presumably be off the list Gerv, as you don’t work for MoFo or MoCo, but rather a different Affiliated company.

Given all this, I recommend we just remove DTP from the BRs and leave it to the CAs and auditors to ensure that they can make the appropriate management assertion and opinion that covers all the operations.

I do think we need to leave a carve out for a constrained RA who can be authorized to perform the actions required in the first two paragraphs in BR section 3.2.5.  As was pointed out on the last validation working group call, we don’t need or want CAs calling the customer every time they request a certificate to confirm that they really did request it.  If the customer has established a reliable authentication mechanism with the CA, then it seems reasonable to allow the CA to rely upon that to confirm the request authenticity.  Under the BRs, this means the become an constrained RA.

Do you think that the path of simply removing DTP is a viable path?

Thanks,
Peter


_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4964 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170428/d1067e51/attachment-0001.p7s>


More information about the Public mailing list