[cabfpub] Allocating Time for Review of All Domain Validation Methods at F2F Meeting

James Burton james at sirburton.com
Fri Feb 2 19:38:44 UTC 2018 

That's an excellent idea.

I would like to spend some time in discussing extended validation vetting.
I feel that extended validated is not vetted to enough to acceptable
standards.

James


On Fri, Feb 2, 2018 at 7:21 PM, Wayne Thayer via Public <public at cabforum.org
> wrote:

> Gerv and I, with support from Tim as chair of the Validation Working
> Group, would like to dedicate the entire first day (Tuesday) of the
> upcoming meeting hosted by Amazon to a “Validation Summit” where security
> experts help us to review all of the existing domain validation methods.
> Doing this would push other WG meetings in to time slots on Wednesday or
> Thursday. I believe there would still be adequate time available for these
> WG meetings.
>
> Given the recent issues discovered with BR 3.2.2.4 methods 1, 5, 9, and
> 10, a more comprehensive, proactive review of all the BR methods of domain
> validation is urgently needed. It has been pointed out that this has never
> been done - the methods as they currently exist are just documentation of
> existing practices. These methods should be analyzed by experts under an
> adversarial threat model to identify and address risks and deficiencies.
>
> Our proposed agenda for the day is:
> 1. Discuss the intent of 3.2.2.4. Is proving ownership enough, or is
> domain control and/or owner consent required?
> 2. For each of the 10 current methods:
>     a. Introduce the method and discuss what it is intended to validate
>     b. Describe in detail how CAs typically implement the method
>     c. Model and analyze threats to the method
>     d. Discuss improvements to the method
>     e. Decide if the method needs to be improved or discarded, or is
> acceptable as-is.
> 3. Time permitting, perform the same analysis on IP address validation
> methods described in section 3.2.2.5
> 4. Wrap-up - summarize conclusions and action items
>
> We plan to extend an invitation to deeply technical and security minded
> folks who are familiar with the CA industry and typical CA processes to
> sign the IPR agreement, become Interested Parties, and attend this portion
> of the meeting. Given that the meeting is one month from now, we need to
> move quickly to recruit these experts.
>
> Are there any objections to this proposal? I will interpret silence as
> consent. (And if you think this is a great idea, feel free to tell us!)
>
> If you know someone who has the expertise to contribute to this exercise,
> please consider recruiting him or her to become an Interested Party and
> attend this meeting.
>
> Finally, please consider if your company would sponsor a researcher to
> attend the meeting in person. My assumption is that at least some of the
> folks we’d benefit from having in the room will be deterred from attending
> because they’ll have to cover their own travel expenses.
>
> Thanks,
>
> Wayne
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180202/ea91d7ab/attachment-0003.html>

More information about the Public mailing list