[cabfpub] Verification of Domain Contact and Domain Authorization Document

Jeremy Rowley jeremy.rowley at digicert.com
Tue Jan 2 21:47:21 MST 2018 

I disagree. The requirements do not specify that.  All that is required is the name of the applicant was verified under 3.2.2.1 and that the register specify the domain contact is the applicant. If Google, Inc. is specified as the domain contact, no address matching is required.

 

From: geoffk at apple.com [mailto:geoffk at apple.com] 
Sent: Tuesday, January 2, 2018 4:34 PM
To: Jeremy Rowley <jeremy.rowley at digicert.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Ryan Sleevi <sleevi at google.com>; Adriano Santoni <adriano.santoni at staff.aruba.it>
Subject: Re: [cabfpub] Verification of Domain Contact and Domain Authorization Document

 

 





On Dec 22, 2017, at 12:09 PM, Jeremy Rowley via Public <public at cabforum.org <mailto:public at cabforum.org> > wrote:

 

The attack vector is easier than that. 

1.	I use very stringent processes to verify that Google, Inc. is a legit company in Utah.
2.	I verify that Jeremy did indeed incorporate Google, Inc. 
3.	I call Jeremy at the phone listed for Google, Inc., the Utah corporation
4.	The domain information shows Google, Inc. as owning  <http://google.com/> google.com
5.	Certificate issues.

 

Obviously this would be caught in every CA’s high risk checks, but the point remains valid. Regardless of the expertise and thoroughness of the org check, the specs lack any time between the verified org and the actual domain because orgs are not unique on a global basis.

 

 

For item 4, you have to verify that “the Applicant is the Domain Contact”.  Obviously it’s insufficient to just compare names—you must verify every element of the WHOIS contact matches the Applicant, that’s typically name, postal address, phone number, and e-mail.

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20180103/e5fec836/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4984 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/public/attachments/20180103/e5fec836/attachment-0001.p7s>

More information about the Public mailing list