[cabfpub] Allocating Time for Review of All Domain Validation Methods at F2F Meeting

Fri Feb 2 19:21:08 UTC 2018

Gerv and I, with support from Tim as chair of the Validation Working Group,
would like to dedicate the entire first day (Tuesday) of the upcoming
meeting hosted by Amazon to a “Validation Summit” where security experts
help us to review all of the existing domain validation methods. Doing this
would push other WG meetings in to time slots on Wednesday or Thursday. I
believe there would still be adequate time available for these WG meetings.

Given the recent issues discovered with BR 3.2.2.4 methods 1, 5, 9, and 10,
a more comprehensive, proactive review of all the BR methods of domain
validation is urgently needed. It has been pointed out that this has never
been done - the methods as they currently exist are just documentation of
existing practices. These methods should be analyzed by experts under an
adversarial threat model to identify and address risks and deficiencies.

Our proposed agenda for the day is:
1. Discuss the intent of 3.2.2.4. Is proving ownership enough, or is domain
control and/or owner consent required?
2. For each of the 10 current methods:
    a. Introduce the method and discuss what it is intended to validate
    b. Describe in detail how CAs typically implement the method
    c. Model and analyze threats to the method
    d. Discuss improvements to the method
    e. Decide if the method needs to be improved or discarded, or is
acceptable as-is.
3. Time permitting, perform the same analysis on IP address validation
methods described in section 3.2.2.5
4. Wrap-up - summarize conclusions and action items

We plan to extend an invitation to deeply technical and security minded
folks who are familiar with the CA industry and typical CA processes to
sign the IPR agreement, become Interested Parties, and attend this portion
of the meeting. Given that the meeting is one month from now, we need to
move quickly to recruit these experts.

Are there any objections to this proposal? I will interpret silence as
consent. (And if you think this is a great idea, feel free to tell us!)

If you know someone who has the expertise to contribute to this exercise,
please consider recruiting him or her to become an Interested Party and
attend this meeting.

Finally, please consider if your company would sponsor a researcher to
attend the meeting in person. My assumption is that at least some of the
folks we’d benefit from having in the room will be deterred from attending
because they’ll have to cover their own travel expenses.

Thanks,

Wayne
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20180202/59669c4a/attachment.html>