[cabfpub] [EXTERNAL] Verification of Domain Contact and Domain Authorization Document
gerv at mozilla.org
Tue Jan 23 05:55:32 MST 2018
On 22/01/18 18:37, Jonathan Rudenberg via Public wrote:
> The phone number in a D&B record that matches the Registrant
> Organization and address from the WHOIS does not indicate domain
> control, all it indicates is that someone put a record into the D&B
> database. There are >25 results matching ‘Apple’ with an address in
> California in the D&B database, so clearly they don’t do any
> duplicate prevention, which makes sense because business entity names
> are not unique. This means that anyone who can either a) create a new
> D&B entry that would match your search or b) edit an existing D&B
> entry matching your search has the ability to receive certificates
> using this method. Obviously neither a) or b) indicate domain
> control, so this method is completely inadequate.
This isn't a killer if Step 5 becomes:
Step 5: Vetting team calls the Applicant Authorization Contact, Curt
Spann, using the phone number shown in the WHOIS record for Apple, Inc.
found in Step 3 – 408-996-1010.
Then there is a link between domain control and the phone number called
to reach the Authorization Contact.
> Additionally, even without any changes to the D&B database, there is
> no link between the Applicant Authorization Contact and domain
> control. This means that anyone accessible via the phone number in
> D&B can authorize the issuance of a certificate. So if the phone
> number is a corporate switchboard, anyone in the phone directory,
> including janitorial staff, interns, and temporary contractors would
> be capable of authorizing certificate issuance if their name was
> specified as the Applicant Authorization Contact.
Yes, I noticed this one too. WHOIS does not provide the name of a real
person to talk to, so one might argue you have to email the address
given in WHOIS - and then, of course, you are using a different method.
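As an added illustration of the revised Step 5 above (this is example code written for this page, not code from the thread, the CA/Browser Forum, or any CA), the check below accepts a callback number only when it matches the Domain Contact phone number published in the domain's WHOIS record, and rejects a number sourced from anywhere else, such as a D&B entry. The WHOIS text, the phone numbers and the field names it looks for are constructed assumptions; real WHOIS output varies by registrar, and the example does nothing about the second objection (that the named contact reachable at that number need not be anyone with authority over the domain), which no amount of number matching can fix.

```python
import re

# Constructed sample WHOIS output in the common "Key: Value" text layout.
# The organization, address and 555 phone number are illustrative only.
SAMPLE_WHOIS = """\
Domain Name: example.com
Registrant Organization: Example, Inc.
Registrant Street: 1 Example Way
Registrant City: Cupertino
Registrant State/Province: CA
Registrant Phone: +1.4085551010
Registrant Email: hostmaster@example.com
"""


def parse_whois(text):
    """Parse 'Key: Value' lines into a dict; the first occurrence of a key wins."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key and key not in record:
            record[key] = value
    return record


def normalize_phone(number):
    """Reduce a phone number to digits so that different formattings compare
    equal: '+1.4085551010' (the WHOIS '+CC.number' style) and '408-555-1010'
    both become '4085551010'. A leading US/NANP country code is dropped.
    This is a deliberately simple normalization, not a full E.164 parser."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def phone_from_whois(record):
    """Return the first Domain Contact phone number found in the parsed
    WHOIS record, or None. The field names are an assumption about the
    registrar's output format."""
    for key in ("Registrant Phone", "Admin Phone", "Tech Phone"):
        if record.get(key):
            return record[key]
    return None


def callback_number_is_linked(whois_text, candidate_number):
    """True only if the number the vetting team intends to call is a Domain
    Contact phone number published in WHOIS for the domain. A number taken
    from any other source (a D&B record, a business directory, the
    applicant's own say-so) fails: nothing ties that source to domain
    control. If WHOIS publishes no phone number at all, the method cannot
    be used and the function returns False."""
    record = parse_whois(whois_text)
    whois_number = phone_from_whois(record)
    if not whois_number:
        return False
    return normalize_phone(candidate_number) == normalize_phone(whois_number)


if __name__ == "__main__":
    # Number copied from the WHOIS record: linked to the domain.
    print(callback_number_is_linked(SAMPLE_WHOIS, "408-555-1010"))
    # Number found in a D&B entry that merely matches the organization name
    # and address: not linked, even though the D&B record looks plausible.
    print(callback_number_is_linked(SAMPLE_WHOIS, "408-555-2020"))
```

The point of the normalization step is practical rather than cryptographic: a vetting team comparing "408-555-1010" by eye against "+1.4085551010" will usually get it right, but an automated workflow should compare digits, not strings, or it will reject valid WHOIS matches and tempt operators to fall back on a looser source.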