[cabfpub] [EXTERNAL] Verification of Domain Contact and Domain Authorization Document
Bruce.Morton at entrustdatacard.com
Tue Jan 23 15:00:13 MST 2018
Please note that BR 3.2.5 needs to be performed for all OV certificates regardless of the domain validation method. I am not sure that your attack is Method 1 specific as it could be used against Methods 2 through 10 as well.
I am open to improving BR 3.2.5, but we have found that using the verified phone number for the Applicant is a Reliable Method of Communication.
From: geoffk at apple.com [mailto:geoffk at apple.com]
Sent: January 23, 2018 4:44 PM
To: Jonathan Rudenberg <jonathan at titanous.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Bruce Morton <Bruce.Morton at entrustdatacard.com>
Subject: Re: [cabfpub] [EXTERNAL] Verification of Domain Contact and Domain Authorization Document
> On Jan 23, 2018, at 12:50 PM, Jonathan Rudenberg via Public <public at cabforum.org> wrote:
>> On Jan 23, 2018, at 14:36, Bruce Morton <Bruce.Morton at entrustdatacard.com> wrote:
>> Hi Jonathan,
>> Please note that the domain validation methods under BR 188.8.131.52 are introduced as follows: "This section defines the permitted processes and procedures for validating the Applicant's ownership *or* control of the domain." There is no requirement of proving both domain ownership and control, and proving only domain control has its own security vulnerabilities.
> The method you’ve described does not establish domain ownership either. All it establishes it that you asked for an attacker-controlled name at a phone number from a potentially attacker-controlled third-party database record that matches some fields in the WHOIS data.
>> Finally we do 3.2.5, the authorization to issue check. We do not use the information from WHOIS to perform this check. The reason is most information is provided by the Registrant, so using it would be considered allowing self-validation. This information may be OK to use to show domain control, but should not be used for authorization to issue. As such, we call the Applicant, which also owns the domain to confirm authorization to issue. You say that the Applicant Authorization Contact does not control the domain and you are probably right. Actually, we think that the Applicant Technical Contact controls the domain. We don't want to contact the Applicant Technical Contact as again, this would be self-verification. Also, in many cases, the Applicant Technical Contact is a contractor or hoster and should not verify authorization to issue. We use a phone number found in a QIIS to contact the Applicant. This verifies that the Applicant Authorization Contact is employed by the Applicant and the CA relies on their authority.
> There are a lot of assumptions being made here that don’t fit the adversarial threat model of the WebPKI. Just because someone is routable via an arbitrary phone number does not indicate that they are the domain owner or even employed by the entity that you believe is associated with the phone number.
Yes. Many companies have publicly accessible phones which can be reached from their central switchboard—emergency phones, publicly accessible conference room phones, that kind of thing. So all you have to do is get to one of them, call up the switchboard, and say “I’m expecting a call from XXX, and I’m here in this conference room, can you put it through?”.
More information about the Public