[cabfpub] Pre-ballot for Ballot SC5: Improve Phone Validation Methods

Doug Beattie doug.beattie at globalsign.com
Fri Aug 17 06:00:51 MST 2018


Since this is dependent on the CAA and TXT approach defined in ballot SC4
which is in process, this isn't yet a complete ballot, but we wanted to get
input on the basic set of changes being proposed in parallel with SC4
discussions

 

Redlined version attached.

 

Ballot SC5: Improve Phone Validation Methods

 

Purpose of Ballot: As discussed during the Validation Summit, Method 3 of
the Baseline Requirements could use some improvements to close off some
potential bad practices that might lead to security risks. This ballot
builds on "Ballot SC4 - email and CAA CONTACT" to introduce 2 new validation
methods for Phone number validation with the source of the phone number
being a CAA record and a DNS TXT record.

 

This Ballot tightens up the rules around phone validation in order to make
sure domain authorization or control is verified with a person who is
authorized to do so. This ballot changes Method 3, but if we need to create
a new method and sunset Method 3, we can do that.

The following motion has been proposed by Tim Hollebeek of DigiCert and
endorsed by Bruce Morton of Entrust and Doug Beattie of GlobalSign.

--- MOTION BEGINS ---

This ballot modifies the "Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates" as follows, based on Version
1.X.X:

 

Modify 3.2.2.4.3 Phone Contact with Domain Contact to read as follows: 

 

Confirm the Applicant's control over the FQDN by calling the Domain
Contact's phone number and receive a confirming response to validate the
ADN.

Each phone call MAY confirm control of multiple ADNs provided that the same
Domain Contact phone number is listed for each ADN being verified and they
provide a confirming response for each ADN.

In the event that someone other than a Domain Contact is reached, the CA MAY
request to be transferred to the Domain Contact. 

 

In the event of reaching voicemail, the CA may leave the Random Value and
the ADN(s) being validated.  The Domain Contact may return the Random Number
to the CA via Phone, Email, Fax, or SMS to approve the request within 30
days of the voicemail.

 

 

Add Section 3.2.2.4.15: Domain Contact Phone published in a DNS CAA Record

 

Confirm the Applicant's control over the FQDN by calling the phone number
identified as a CAA Contact property record as defined in Appendix B and
receive a confirming response to validate the ADN. 

Each phone call MAY confirm control of multiple ADNs, provided that the same
phone number is listed for each ADN being verified and they provide a
confirming response for each ADN.

The CA may not be transferred or request to be transferred as this phone
number has been specifically listed for the purposes of Domain Validation. 

 

In the event of reaching voicemail, the CA may leave the Random Value and
the ADN(s) being validated.  The CAA Contact may return the Random Number to
the CA via Phone, Email, Fax, or SMS to approve the request within 30 days
of the voicemail.

 

 

Add Section 3.2.2.4.16 Domain Contact Phone published in a DNS TXT record

 

Confirm the Applicant's control over the FQDN by calling the phone number
identified as a  DNS domain-authorization-phone TXT phone number as defined
in Appendix B and receive a confirming response to validate the ADN. 

Each phone call MAY confirm control of multiple ADNs, provided that the same
phone number is listed for each ADN being verified and they provide a
confirming response for each ADN.

The CA may not be transferred or request to be transferred as this phone
number has been specifically listed for the purposes of Domain Validation. 

In the event of reaching voicemail, the CA may leave the Random Value and
the ADN(s) being validated.  The CAA Contact may return the Random Number to
the CA via Phone, Email, Fax, or SMS to approve the request within 30 days
of the voicemail.

Modify Appendix B: DNS Contact Types

When Ballot SC4 is finalized, this ballot will add Phone number to the
permitted CAA and DNS TXT record Contact types.

 

--- MOTION ENDS ---

A comparison of the changes can be found at: TBD

The procedure for approval of this ballot is as follows:

Discussion (7+ days)

Start Time: TBD

End Time: TBD

Vote for approval (7 days)

Start Time: TBD

End Time: TBD

 

 

 

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20180817/3bb14c4f/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Domain Name Validation via Phone rev 2.pdf
Type: application/pdf
Size: 253719 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/public/attachments/20180817/3bb14c4f/attachment-0001.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5736 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/public/attachments/20180817/3bb14c4f/attachment-0001.p7s>


More information about the Public mailing list