[Servercert-wg] Fwd: [cabfpub] Highlight repeated non-acceptable practices, clarify requirements and discuss about DTPs

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Thu Jan 11 16:54:49 UTC 2024


Forwarding to the Server Certificate WG list to continue the discussion 
for the TLS BRs.

Thanks Aaron,
Dimitris.


-------- Forwarded Message --------
Subject: 	Re: [cabfpub] Highlight repeated non-acceptable practices, 
clarify requirements and discuss about DTPs
Date: 	Thu, 11 Jan 2024 08:53:26 -0800
From: 	Aaron Gable <aaron at letsencrypt.org>
To: 	Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>, CA/Browser 
Forum Public Discussion List <public at cabforum.org>



For the sake of discussion, here's a concrete proposal for how to easily 
clarify that use of a public (third-party) DNS resolver is forbidden:

Add to Section 3.2.2.4, immediately after the two numbered sentences:
"All DNS queries conducted in the course of validation MUST be made from 
the CA to authoritative nameservers, i.e. without the use of recursive 
resolvers operated by third parties."

This proposal does not address the possibility that we could establish a 
lightweight audit scheme that third-party recursive resolvers could 
satisfy to be allowed. It also does not address the possibility that CAs 
are unknowingly using delegated third parties for other aspects of 
domain validation, such as Mailchimp / Sendgrid for sending emails. But 
it's a starting point to kick off discussion.

Thanks,
Aaron

On Wed, Dec 27, 2023 at 11:09 PM Dimitris Zacharopoulos (HARICA) via 
Public <public at cabforum.org> wrote:


    Dear Members,

    While monitoring a specific recent Bugzilla incident, I realized that it
    is very easy to unintentionally misinterpret some parts within the Forum
    Guidelines that can lead to compliance problems. I think it is our
    obligation as a Forum to monitor compliance issues reported by CAs or
    independent researchers and, in case of repeated incidents, suggest
    clarification language in the Forum's Guidelines. Nobody wants more
    incidents, but a repeated pattern doesn't necessarily mean negligence on
    the CA's part. It could very well be that the Guidelines are not well
    written in some areas.

    In that regard, I would strongly encourage our Certificate Consumer
    Members, who continuously review and monitor incidents, to search for
    common patterns and try to locate the language in the Forum Guidelines
    that might be somewhat unclear, and work on improving those parts. Even
    if the language seems "clear enough", for cases that have caused
    multiple incidents by multiple CAs, it might be worth adding NOTES or
    NOTICES to highlight non-acceptable practices that have been
    misunderstood by multiple CAs.

    The Delegated Third Party concept is understandably very open and not
    very well defined. I recommend that all WGs try to clarify how DTPs could
    be used in the certificate lifecycle process, including
    Domain/Identity/Email Validation but also in the supporting
    infrastructure services like compute, storage, network, backup, WHOIS,
    DNS, Email, regular post, SMS, and more. Perhaps this is a task for the
    Network Security Working Group, but some elements are specific to
    other WGs.

    My recommendation to all WGs is that, when we see repeated patterns of
    practices that, by consensus, are not acceptable and do not meet the
    spirit and language of the Guidelines, we try to highlight them in a
    type of "practices clarification" ballot series.

    Best wishes for a Happy New Year to all!


    Dimitris.
    CA/B Forum Chair
    _______________________________________________
    Public mailing list
    Public at cabforum.org
    https://lists.cabforum.org/mailman/listinfo/public
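Editor's note: the following is an added example, not code from either message above or from any CA. It shows what Aaron's proposed rule ("DNS queries ... made from the CA to authoritative nameservers, i.e. without the use of recursive resolvers operated by third parties") looks like in practice: an iterative lookup that starts at the root, follows referrals and glue, and only accepts an answer from a server that sets the Authoritative Answer flag. A response that advertises recursion (RA set) without AA is what a third-party public resolver returns, so it is rejected. The transport is injectable; the server addresses (RFC 5737 documentation ranges), zone data, record values and the `fake_query` function are all constructed so the demo runs offline. A real implementation would plug in a UDP/TCP DNS client seeded from root hints, add retries across the referred nameservers, and handle CAA tree-climbing per RFC 8659, none of which is shown here.

```python
"""Iterative (non-recursive) DNS lookup: root -> TLD -> authoritative.

Added example; not part of the CA/B Forum thread. Zone data and addresses
below are constructed so the code runs offline.
"""
from dataclasses import dataclass, field


@dataclass
class Response:
    aa: bool                                         # Authoritative Answer flag
    ra: bool = False                                 # Recursion Available (recursive resolvers set this)
    rcode: str = "NOERROR"
    answer: list = field(default_factory=list)       # (name, type, rdata)
    authority: list = field(default_factory=list)    # (zone, "NS", nsname) referral
    additional: list = field(default_factory=list)   # (nsname, "A", ip) glue


class ResolutionError(Exception):
    pass


ROOT_SERVERS = ["192.0.2.1"]  # constructed; a real CA loads these from root hints


def iterative_resolve(qname, qtype, query, root_servers=ROOT_SERVERS, max_depth=10):
    """Follow referrals from the root until an authoritative server answers.

    `query(server_ip, qname, qtype) -> Response` is the injected transport.
    Returns the list of rdata strings (empty on authoritative NXDOMAIN/NODATA).
    """
    servers = list(root_servers)
    for _ in range(max_depth):
        resp = query(servers[0], qname, qtype)  # simplified: no retry/failover
        if resp.ra and not resp.aa:
            # Only a recursive cache answers this way; it is exactly the
            # third-party dependency the proposed BR text forbids.
            raise ResolutionError(
                f"{servers[0]} behaves like a recursive resolver; refusing to trust it")
        if resp.aa:
            if resp.rcode == "NXDOMAIN":
                return []
            return [rd for name, typ, rd in resp.answer if name == qname and typ == qtype]
        # Referral: authority carries NS names, additional carries glue A records.
        glue = {n: ip for n, t, ip in resp.additional if t == "A"}
        next_servers = []
        for _zone, typ, nsname in resp.authority:
            if typ != "NS":
                continue
            if nsname in glue:
                next_servers.append(glue[nsname])
            else:
                # Out-of-bailiwick NS without glue: resolve it iteratively as well.
                next_servers.extend(
                    iterative_resolve(nsname, "A", query, root_servers, max_depth - 1))
        if not next_servers:
            raise ResolutionError(f"no usable referral from {servers[0]} for {qname}")
        servers = next_servers
    raise ResolutionError("referral chain too long")


def safe_resolve(qname, qtype, query, root_servers=ROOT_SERVERS):
    """Return (records, None) on success or ([], reason) when the chain must not be trusted."""
    try:
        return iterative_resolve(qname, qtype, query, root_servers), None
    except ResolutionError as exc:
        return [], str(exc)


# Constructed zone data standing in for real nameservers.
ZONES = {
    "192.0.2.1": {"delegations": {"com.": [("a.gtld-servers.net.", "192.0.2.2")]}},   # root
    "192.0.2.2": {"delegations": {"example.com.": [("ns1.example.com.", "192.0.2.3")]}},  # .com
    "192.0.2.3": {                                                                      # example.com
        "auth": "example.com.",
        "records": {
            ("_acme-challenge.example.com.", "TXT"): ["constructed-acme-token"],
            ("example.com.", "CAA"): ['0 issue "ca.example"'],
        },
    },
    "203.0.113.53": {"recursive": True},  # a public recursive resolver (constructed)
}


def fake_query(server, qname, qtype):
    """Offline transport that answers from ZONES the way each server type would."""
    z = ZONES[server]
    if z.get("recursive"):
        return Response(aa=False, ra=True, answer=[(qname, qtype, "cached-value")])
    if "auth" in z:
        if not qname.endswith(z["auth"]):
            return Response(aa=False, rcode="REFUSED")
        rdatas = z["records"].get((qname, qtype))
        if rdatas is None:
            exists = any(n == qname for n, _ in z["records"])
            return Response(aa=True, rcode="NOERROR" if exists else "NXDOMAIN")
        return Response(aa=True, answer=[(qname, qtype, r) for r in rdatas])
    # Delegation-only server: refer to the longest matching child zone.
    for zone, nss in sorted(z["delegations"].items(), key=lambda kv: -len(kv[0])):
        if qname == zone or qname.endswith("." + zone):
            return Response(aa=False,
                            authority=[(zone, "NS", ns) for ns, _ in nss],
                            additional=[(ns, "A", ip) for ns, ip in nss])
    return Response(aa=True, rcode="NXDOMAIN")


if __name__ == "__main__":
    print(iterative_resolve("_acme-challenge.example.com.", "TXT", fake_query))
    print(iterative_resolve("example.com.", "CAA", fake_query))
    print(safe_resolve("example.com.", "CAA", fake_query, root_servers=["203.0.113.53"]))
```

The point of the RA-without-AA check is that it makes the policy testable: a validation pipeline pointed at a resolver such as the constructed `203.0.113.53` fails closed instead of silently validating against a cache operated by someone else.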