[cabfpub] [EXTERNAL] Verification of Domain Contact and Domain Authorization Document

Mon Jan 22 11:37:31 MST 2018

> On Jan 22, 2018, at 13:05, Bruce Morton via Public <public at cabforum.org> wrote:
> 
> Geoff,
>  
> We put together an example of using method 1. Please see attached.

Thanks for posting this. I was initially unclear on how 3.2.2.4.1 worked in practice, and this walkthrough made the pieces fit together for me.

Unfortunately, the implementation described does nothing to verify domain control, and so should obviously be removed from the BRs immediately. Additionally, given the level of weakness I think it would make a lot of sense to revalidate or revoke all certificates that are currently valid and have been issued using this method.

The phone number in a D&B record that matches the Registrant Organization and address from the WHOIS does not indicate domain control, all it indicates is that someone put a record into the D&B database. There are >25 results matching ‘Apple’ with an address in California in the D&B database, so clearly they don’t do any duplicate prevention, which makes sense because business entity names are not unique. This means that anyone who can either a) create a new D&B entry that would match your search or b) edit an existing D&B entry matching your search has the ability to receive certificates using this method. Obviously neither a) or b) indicate domain control, so this method is completely inadequate.

Additionally, even without any changes to the D&B database, there is no link between the Applicant Authorization Contact and domain control. This means that anyone accessible via the phone number in D&B can authorize the issuance of a certificate. So if the phone number is a corporate switchboard, anyone in the phone directory, including janitorial staff, interns, and temporary contractors would be capable of authorizing certificate issuance if their name was specified as the Applicant Authorization Contact.

There are a bunch of other potential issues that come to mind, but this method is already so hopelessly broken that I don’t think it makes sense to continue.

Jonathan