[cabfpub] [EXTERNAL] Verification of Domain Contact and Domain Authorization Document

Mads Egil Henriksveen Mads.Henriksveen at buypass.no
Sat Jan 20 12:48:33 UTC 2018


Hi Geoff

Just to clarify, we have a defined Applicant which has to be verified according to the current requirements for OV/EV. Our proposal does not change anything here.

Then we have information about the Registrant from WHOIS, like your example:
Registrant Name: Domain Administrator
Registrant Organization: Go Daddy Operating Company, LLC
Registrant Street: 14455 N Hayden Rd Suite 219
Registrant City: Scottsdale
Registrant State/Province: Arizona
Registrant Postal Code: 85260
Registrant Country: US
Registrant Phone: +1.4805058800
Registrant Phone Ext:
Registrant Fax: +1.4805058844
Registrant Fax Ext:
Registrant Email: companynames at godaddy.com

The proposal specifies how to verify that the Applicant organization is the same organization as the Registrant by matching name and address, or name and registration number.

In your example, only Go Daddy as an Applicant would be authorized to use cabforum.org by this method, but only if the name and address information in WHOIS matches similar information for Go Daddy in Q*IS.

In addition the CA must verify Go Daddy’s identity and address, and the authenticity of the certificate request from Go Daddy according to the current requirements.

Regards
Mads


From: geoffk at apple.com [mailto:geoffk at apple.com]
Sent: Saturday 20 January 2018 00:55
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>; Mads Egil Henriksveen <Mads.Henriksveen at buypass.no>
Subject: Re: [cabfpub] [EXTERNAL] Verification of Domain Contact and Domain Authorization Document




On Jan 19, 2018, at 12:16 PM, Kirk Hall <Kirk.Hall at entrustdatacard.com> wrote:

Sorry for the misquotation – I left off “*** directly with the Domain Name Registrar,” which is generally what we have been discussing – a WhoIs lookup to see who owns the domain.

That wasn’t my objection—it was to the words “by verifying that”.


But do you see my point that “validating the Applicant as the Domain Contact” (current language) could simply be confirming a hacker in both roles, but would not be validating the Registrant information as to the organization that owns the domain?

Which would not be sufficient to include the Registrant Organization name in the O field of an OV or EV cert. That’s why we made the change, which makes Method 1 more secure in our opinion.

Are some CAs validating by saying that, for example, someone has control of cabforum.org and so based only on that and the whois information they can be issued a certificate with O=Go Daddy? That would be unfortunate.

As a side note, do you think it would be helpful to put something in the BRs to basically say “you still have to validate everything in a certificate; if these BRs appear to allow a process which is not an effective validation, or some choices in your implementation of the process make it ineffective, you must do whatever additional process is necessary to ensure an effective validation”? An overall “don’t be stupid” rule.


Again, Method 1 was the original validation method starting in the 1990s, and I think it’s proven its worth over the years.

Processes often work great until someone works out how to abuse them, and then they don’t, sadly.



From: geoffk at apple.com [mailto:geoffk at apple.com]
Sent: Friday, January 19, 2018 11:52 AM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>; Mads Egil Henriksveen <Mads.Henriksveen at buypass.no>
Subject: Re: [cabfpub] [EXTERNAL] Verification of Domain Contact and Domain Authorization Document





On Jan 19, 2018, at 11:23 AM, Kirk Hall <Kirk.Hall at entrustdatacard.com> wrote:

First, I think everyone knows what CAs are supposed to do under Method 1

I’m fairly sure this is not the case…



, and the lack of misissuance reports means CAs are doing it right.  Here’s how Method 1 starts now:

“Conforming the Applicant's control over the FQDN by validating the Applicant as the Domain Contact by verifying that: ***”

You can see why I think CAs might not know what they’re supposed to do, because the above quote is not the actual words from the Baseline Requirements! Right now, in BR 1.5.4, Method 1 starts with these words:

Confirming the Applicant's control over the FQDN by validating the Applicant is the Domain Contact directly with the Domain Name Registrar. This method may only be used if:

Your version prescribes a method.  The actual current requirements specify an objective and don’t specify a method.

Now, I’m not against prescribing a method, but the method prescribed does need to achieve the original objective, and I think the proposed method is inadequate to do that…
