[cabfpub] Pre-ballot for Ballot SC5: Improve Phone Validation Methods

Doug Beattie doug.beattie at globalsign.com
Wed Oct 10 18:41:46 UTC 2018 

I'd like to get some discussion started on this approach for tightening down
the Phone Validation method and adding a new method.  Please take a look and
comment, then we can discuss Tuesday at the Face 2 Face meeting.

 

Modify Method 3 to:

-          Identify where the phone number comes from.  The current method 3
says that the number is one that is identified by the Domain Name Registrar
as the Domain Contact, but we have a defined term that is better "Domain
Contact". "The Domain Name Registrant, technical contact, or administrative
contract (or the equivalent under a ccTLD) as listed in the WHOIS record of
the Base Domain Name or in a DNS SOA record, or as obtained through direct
contact with the Domain Name Registrar.".

-          Clarify how to handle transfers and voicemail.  

-          Clarify that this process verifies an ADN (not FQDN)

Add Section 3.2.2.4.15: Domain Contact Phone published in a DNS CAA Record

 

Add Section 3.2.2.4.16 Domain Contact Phone published in a DNS TXT record

 

Modify Appendix B: DNS Contact Types (based on Ballot SC4) to include the
definition of Phone numbers.  Unfortunately, until ballot SC4 is finalized,
I'm in a bit of a holding pattern on this update.

 

I think we should try to do this as one Ballot, but perhaps having one that
just modified method 3 would permit a more rapid approval.  Let me know your
thoughts on that.

 

Please comment this week if you have the time.

 

Doug

 

 

From: Doug Beattie 
Sent: Friday, August 17, 2018 9:01 AM
To: 'CA/Browser Forum Public Discussion List' <public at cabforum.org>
Subject: Pre-ballot for Ballot SC5: Improve Phone Validation Methods

 

Since this is dependent on the CAA and TXT approach defined in ballot SC4
which is in process, this isn't yet a complete ballot, but we wanted to get
input on the basic set of changes being proposed in parallel with SC4
discussions

 

Redlined version attached.

 

Ballot SC5: Improve Phone Validation Methods

 

Purpose of Ballot: As discussed during the Validation Summit, Method 3 of
the Baseline Requirements could use some improvements to close off some
potential bad practices that might lead to security risks. This ballot
builds on "Ballot SC4 - email and CAA CONTACT" to introduce 2 new validation
methods for Phone number validation with the source of the phone number
being a CAA record and a DNS TXT record.

 

This Ballot tightens up the rules around phone validation in order to make
sure domain authorization or control is verified with a person who is
authorized to do so. This ballot changes Method 3, but if we need to create
a new method and sunset Method 3, we can do that.

 

The following motion has been proposed by Tim Hollebeek of DigiCert and
endorsed by Bruce Morton of Entrust and Doug Beattie of GlobalSign.

 

--- MOTION BEGINS ---

This ballot modifies the "Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates" as follows, based on Version
1.X.X:

 

Modify 3.2.2.4.3 Phone Contact with Domain Contact to read as follows: 

 

Confirm the Applicant's control over the FQDN by calling the Domain
Contact's phone number and receive a confirming response to validate the
ADN.

Each phone call MAY confirm control of multiple ADNs provided that the same
Domain Contact phone number is listed for each ADN being verified and they
provide a confirming response for each ADN.

In the event that someone other than a Domain Contact is reached, the CA MAY
request to be transferred to the Domain Contact. 

 

In the event of reaching voicemail, the CA may leave the Random Value and
the ADN(s) being validated.  The Domain Contact may return the Random Number
to the CA via Phone, Email, Fax, or SMS to approve the request within 30
days of the voicemail.

 

 

Add Section 3.2.2.4.15: Domain Contact Phone published in a DNS CAA Record

 

Confirm the Applicant's control over the FQDN by calling the phone number
identified as a CAA Contact property record as defined in Appendix B and
receive a confirming response to validate the ADN. 

Each phone call MAY confirm control of multiple ADNs, provided that the same
phone number is listed for each ADN being verified and they provide a
confirming response for each ADN.

The CA may not be transferred or request to be transferred as this phone
number has been specifically listed for the purposes of Domain Validation. 

 

In the event of reaching voicemail, the CA may leave the Random Value and
the ADN(s) being validated.  The CAA Contact may return the Random Number to
the CA via Phone, Email, Fax, or SMS to approve the request within 30 days
of the voicemail.

 

 

Add Section 3.2.2.4.16 Domain Contact Phone published in a DNS TXT record

 

Confirm the Applicant's control over the FQDN by calling the phone number
identified as a  DNS domain-authorization-phone TXT phone number as defined
in Appendix B and receive a confirming response to validate the ADN. 

Each phone call MAY confirm control of multiple ADNs, provided that the same
phone number is listed for each ADN being verified and they provide a
confirming response for each ADN.

The CA may not be transferred or request to be transferred as this phone
number has been specifically listed for the purposes of Domain Validation. 

In the event of reaching voicemail, the CA may leave the Random Value and
the ADN(s) being validated.  The CAA Contact may return the Random Number to
the CA via Phone, Email, Fax, or SMS to approve the request within 30 days
of the voicemail.

 

Modify Appendix B: DNS Contact Types

 

When Ballot SC4 is finalized, this ballot will add Phone number to the
permitted CAA and DNS TXT record Contact types.

 

--- MOTION ENDS ---

 

A comparison of the changes can be found at: TBD

 

The procedure for approval of this ballot is as follows:

 

Discussion (7+ days)

 

Start Time: TBD

 

End Time: TBD

 

Vote for approval (7 days)

 

Start Time: TBD

 

End Time: TBD

 

 

 

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20181010/18f10fcb/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Domain Name Validation via Phone rev 2.pdf
Type: application/pdf
Size: 253719 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20181010/18f10fcb/attachment-0002.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5736 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20181010/18f10fcb/attachment-0002.p7s>

More information about the Public mailing list