[cabfpub] Random value reuse

Jeremy Rowley jeremy.rowley at digicert.com
Wed Aug 9 14:50:21 MST 2017


Here's the ways I think random value is either contemplated or being provided:
1) Email to WHOIS/Constructed emails
2) Phone call to applicant
3) Email to applicant
4) Display on website (in the user's account)
5) Through integration tools 
6) Through an API
7) Through a partner/reseller 
8) By making the change to the DNS/website itself
9) As part of a private certificate


These are all okay? A few seem sketchy. 


-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley via Public
Sent: Wednesday, August 9, 2017 3:46 PM
To: Ben Wilson <ben.wilson at digicert.com>; geoffk at apple.com
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Random value reuse

It raises a lot of questions though.  Can I email the Random Value to a reseller who forwards it on to the end entity?  Can I display it on a website without them logging in?  Right now, no security or controls is built on delivery of Random Value. 

-----Original Message-----
From: Ben Wilson 
Sent: Wednesday, August 9, 2017 3:33 PM
To: geoffk at apple.com
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>; Gervase Markham <gerv at mozilla.org>; Jeremy Rowley <jeremy.rowley at digicert.com>; Rich Smith <richard.smith at comodo.com>; Peter Bowen <pzb at amzn.com>
Subject: RE: [cabfpub] Random value reuse

I suppose you're right, since the definition of "Random Value" is "A value specified by a CA to the Applicant that exhibits at least 112 bits of entropy."


-----Original Message-----
From: geoffk at apple.com [mailto:geoffk at apple.com] 
Sent: Wednesday, August 9, 2017 3:30 PM
To: Ben Wilson <ben.wilson at digicert.com>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>; Gervase Markham <gerv at mozilla.org>; Jeremy Rowley <jeremy.rowley at digicert.com>; Rich Smith <richard.smith at comodo.com>; Peter Bowen <pzb at amzn.com>
Subject: Re: [cabfpub] Random value reuse


> On 9 Aug 2017, at 2:24 pm, Ben Wilson <ben.wilson at digicert.com> wrote:
> 
> Agreed.  And each method should stand on its own without cross-referencing among methods (otherwise tracking the particular method used will be too complicated).  So I'm OK without cross-referencing methods.
> 
> But are we clear enough?  For example, the currently proposed method 10 could probably benefit from better language on how the applicant obtains the random value.  Currently it only says, "Confirming the Applicant's control over the FQDN by confirming the presence of a Random Value within a Certificate on the Authorization Domain Name which is accessible by the CA via TLS over an Authorized Port."  The other methods seem to specify the process more thoroughly.

I think it doesn’t matter, in this case, how the Random Value gets to the Applicant—we don’t want to overspecify things like this, because that limits the ability of CAs to innovate.

> 
> -----Original Message-----
> From: geoffk at apple.com [mailto:geoffk at apple.com] 
> Sent: Wednesday, August 9, 2017 3:11 PM
> To: Ben Wilson <ben.wilson at digicert.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
> Cc: Gervase Markham <gerv at mozilla.org>; Jeremy Rowley <jeremy.rowley at digicert.com>; Rich Smith <richard.smith at comodo.com>; Peter Bowen <pzb at amzn.com>
> Subject: Re: [cabfpub] Random value reuse
> 
> I think that’s where the ‘single communication’ rule really helps.  Then this is taken care of by the descriptions of the methods: if you have to send the random value to a particular place, then obviously that can’t be combined with a random value sent some other way; if you have to put it in a particular place, then it doesn’t matter how it was sent…
> 
>> On 9 Aug 2017, at 1:54 pm, Ben Wilson via Public <public at cabforum.org> wrote:
>> 
>> Putting the  issue of "reuse" aside, do we need to clarify this issue of which random value methods can be used in combination with others?  It seems that a random value could be provided to the domain contact / admin under methods 2, 3 (if you wanted) or 4 and then used within 30 days for methods 2, 4, 6, 7 and 10,  but not vice versa.
>> 
>> -----Original Message-----
>> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham via Public
>> Sent: Monday, July 31, 2017 9:02 AM
>> To: Jeremy Rowley <jeremy.rowley at digicert.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>; Rich Smith <richard.smith at comodo.com>; 'Peter Bowen' <pzb at amzn.com>
>> Subject: Re: [cabfpub] Random value reuse
>> 
>> On 28/07/17 14:53, Jeremy Rowley via Public wrote:
>>> I think the random value should be tied to a single communication 
>>> without reuse.  For example, a single email sent to the constructed 
>>> emails, a single API call, a single phone call, etc.  The random value 
>>> shouldn’t be tied to a method, but should be tied to a specific 
>>> communication from the CA that is tied to a request. By getting rid of 
>>> the reuse language, we can simplify the process and eliminate the risk 
>>> associated with reuse.
>> 
>> Right. New random values are cheap :-)
>> 
>> Gerv
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4984 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/public/attachments/20170809/442521fb/attachment.p7s>


More information about the Public mailing list