[cabfpub] [EXTERNAL] Verification of Domain Contact and Domain Authorization Document
Rich Smith
richard.smith at comodo.com
Mon Jan 22 16:17:39 UTC 2018
My position is that you can't verify domain ownership because the registrars
by and large do absolutely nothing to verify the information input by the
registrants. What are you actually verifying? As such technical
demonstration of domain control is the best we've got. I liken it to the
old sysadmin adage, if I've got physical access to the box I own the box.
Likewise if I've got technical control of the domain I own the domain.
Regards,
Rich
-----Original Message-----
From: Mads Egil Henriksveen [mailto:Mads.Henriksveen at buypass.no]
Sent: Saturday, January 20, 2018 6:49 AM
To: Rich Smith <richard.smith at comodo.com>; 'CA/Browser Forum Public
Discussion List' <public at cabforum.org>; 'Gervase Markham' <gerv at mozilla.org>
Subject: RE: [cabfpub] [EXTERNAL] Verification of Domain Contact and Domain
Authorization Document
Hi Rich
I understand your concern and position.
I don't think the proposed new text for 3.2.2.4.1 by itself adds any new
assumption, but the overall process for issuing OV/EV certificates might be
subject to this. In your example the link between company A (the one you
register) and company B (the target) could be established by social
engineering independent of the proposed text. I could argue that the CA
should treat Company A as the Applicant and not Company B. In that case the
method cannot be used. If the CA treat Company B as the Applicant, then it
should be difficult to get the authenticity of the certificate request
established.
In my opinion, your last statement summarizes what the discussion really is
about. Should we allow issuance of an SSL certificate based on domain
ownership by the Applicant at all or should this only be allowed based on
some technical demonstration of domain control? I think this is the core
issue.
Regards
Mads
-----Original Message-----
From: Rich Smith [mailto:richard.smith at comodo.com]
Sent: fredag 19. januar 2018 20:37
To: Mads Egil Henriksveen <Mads.Henriksveen at buypass.no>; 'CA/Browser Forum
Public Discussion List' <public at cabforum.org>; 'Gervase Markham'
<gerv at mozilla.org>
Subject: RE: [cabfpub] [EXTERNAL] Verification of Domain Contact and Domain
Authorization Document
Mads,
I appreciate you trying to save this method, but IMO there is nothing that
can be done to strengthen this method enough to protect it against social
engineering. Your proposal relies on the assumption that EVERY validation
agent of EVERY CA MUST have at least the same level of understanding of
corporate structures as the people in this Forum. It's an unrealistic
assumption. All I have to do is register a company called Google, Inc., in
SOME jurisdiction, get listed in SOME QIIS, then just convince a validation
agent from ANY CA that I am a local branch office of the real Google, Inc.
that we all know and love and bam, I've got a cert for google.com.
I picked Google because they are an easy example. In reality I suspect
(hope) that no CA would fall for this particular example, but a less known
company? Almost certainly.
Through the discussion I've been convinced that we should leave some version
of 3.2.2.4.1 (3) in place, but I don't think you'll ever convince me that
the other bits of 3.2.2.4.1 or 3.2.2.4.5 are, or ever can be made to be, as
secure as the weakest technical demonstration of domain control.
Regards,
Rich
-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Mads Egil
Henriksveen via Public
Sent: Friday, January 19, 2018 6:59 AM
To: Gervase Markham <gerv at mozilla.org>; CA/Browser Forum Public Discussion
List <public at cabforum.org>
Subject: Re: [cabfpub] [EXTERNAL] Verification of Domain Contact and Domain
Authorization Document
Hi Gerv
The current version 3.2.2.4.1 says:
----
3.2.2.4.1 Validating the Applicant as a Domain Contact Confirming the
Applicant's control over the FQDN by validating the Applicant is the Domain
Contact directly with the Domain Name Registrar.
This method may only be used if:
1. The CA authenticates the Applicant's identity under BR Section 3.2.2.1
and the authority of the Applicant Representative under BR Section 3.2.5, OR
2. The CA authenticates the Applicant's identity under EV Guidelines Section
11.2 and the agency of the Certificate Approver under EV Guidelines Section
11.8; OR 3. The CA is also the Domain Name Registrar, or an Affiliate of the
Registrar, of the Base Domain Name.
Note: Once the FQDN has been validated using this method, the CA MAY also
issue Certificates for other FQDNs that end with all the labels of the
validated FQDN. This method is suitable for validating Wildcard Domain
Names.
-----
Our proposal concentrates on the first part, i.e. the following statement:
>> Confirming the Applicant's control over the FQDN by validating the
Applicant is the Domain Contact directly with the Domain Name Registrar.
Is to be replaced with:
<< Conforming the Applicant's control over the FQDN by validating the
Applicant as the Domain Name Registrant by verifying that:
<< 1. The name of the Domain Name Registrant matches the Applicant's name
AND
<< 2. Additional information about the Domain Name Registrant in the WHOIS
meet the following requirements:
<< i. The Registrant's postal address in the WHOIS belongs to the
Applicant. CAs MUST verify this by matching it with one of the Applicant's
addresses in: (a) a QGIS, QTIS, or QIIS; or (b) a Verified Professional
Letter.
<< Note: Address details in the WHOIS are required
to use this option. Address details must include at a minimum the Country
and either Locality, State or Province. OR
<< ii. The WHOIS contains the Registration (or similar) Number
assigned to the Applicant by the Incorporating or Registration Agency in its
Jurisdiction of Incorporation or Registration as appropriate. CAs MUST
verify this by matching the Registration Number in the WHOIS with the
Applicant's Registration Number in a QGIS or a QTIS.
The first change is the use of Domain Name Registrant instead of Domain
Contact, i.e. the focus is on domain ownership.
The proposal requires that the name of the Registrant (in WHOIS) matches 1)
the name of the Applicant AND either 2 i) the postal address of the
Registrant (in WHOIS) matches the postal address of the Applicant (in
sources accepted for EV validation) OR 2 ii) a Registration Number for the
Registrant (in WHOIS) matches the Registration Number of the Applicant (in a
QGIS or QTIS).
The proposal addresses threats due to that organization names are not
unique, the combination of organization name and address or organization
name and registration number should be unique. It also removes ambiguities
the current language permits (according to Jeremy - see attachment).
Regards
Mads
-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase
Markham via Public
Sent: fredag 19. januar 2018 10:29
To: Mads Egil Henriksveen via Public <public at cabforum.org>
Subject: Re: [cabfpub] [EXTERNAL] Verification of Domain Contact and Domain
Authorization Document
On 19/01/18 06:51, Mads Egil Henriksveen via Public wrote:
> Buypass, Entrust Datacard and GlobalSign have been working on some
> text to strengthen 3.2.2.4.1 instead of removing it - find the draft
> text below. The draft was discussed in the Validation Working Group
> meeting yesterday. We would like to offer this as an amendment to
> Ballot
218.
Is it possible to provide a diff, e.g. by turning the new text into a Github
pull request, or some other mechanism?
Once we have a diff, might it be possible for rationale to be provided for
each change?
Gerv
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
More information about the Public
mailing list