[Smcwg-public] Methods for email verification
Stefan Selbitschka
selbitschka at rundquadrat.at
Mon Mar 1 10:18:46 UTC 2021
Sorry for my late feedback but I was busy last week.
Following your discussion about the reuse of validation to issue
multiple certificates, the question is how long should a validation last?
Especially if we talk about validation via email it could be problematic
if the validation lasts more than a day, since we cannot control the
provider's mailbox handling, reuse of email addresses etc.
Just consider the case where I'm requesting a certificate for an email
distribution group and get kicked out after some days. I should not be
able to request another certificate without a proof of possession of the
mailbox.
To minimize a possible attack surface I would prefer a validation for
every issuance. Maybe it makes sense to distinguish between a complete
validation and a simple proof of possession (maybe by sending an OTP token
or whatever), if a validation is getting too complex to do it more often.
Since I'm the newbie here my apologies if I missed some prior discussion
about that topic which led to that conclusion.
regards
Stefan
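Added illustration (not part of Stefan's message, the draft SBR, or any CA's code): a small Python model of the issuance decision this thread argues about. A completed mailbox validation is reusable only for the same subscriber within a reuse window (the 397-day figure comes from Doug's example), and a policy flag models Stefan's lighter per-issuance proof of possession. The record, subscriber ids and mailbox are constructed; the distribution-group case shows the same subscriber still obtaining a certificate 30 days later without any message reaching the mailbox, which is the gap Stefan describes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class MailboxValidation:
    email: str               # mailbox whose control was proven (constructed record)
    subscriber_id: str       # the Applicant/Subscriber who proved control
    validated_at: datetime

@dataclass(frozen=True)
class ReusePolicy:
    reuse_window: timedelta          # how long the completed validation may be reused
    pop_each_issuance: bool = False  # lightweight mailbox proof-of-possession per cert

def required_step(email: str, subscriber_id: str, now: datetime,
                  prior: Optional[MailboxValidation], policy: ReusePolicy) -> str:
    """Decide what a new certificate request for `email` needs before issuance."""
    if prior is None or prior.email.lower() != email.lower():
        return "full-validation"         # nothing reusable for this mailbox
    if prior.subscriber_id != subscriber_id:
        return "full-validation"         # re-use only for the same subscriber
    age = now - prior.validated_at
    if age < timedelta(0) or age > policy.reuse_window:
        return "full-validation"         # outside the reuse window (or clock skew)
    if policy.pop_each_issuance:
        return "proof-of-possession"     # e.g. a one-time token mailed to the box
    return "reuse"

# Constructed scenario: a distribution-group mailbox validated on T0 by subscriber "s-1".
T0 = datetime(2021, 2, 1, tzinfo=timezone.utc)
GROUP = MailboxValidation("Team-Alias@example.com", "s-1", T0)
LONG_REUSE = ReusePolicy(timedelta(days=397))
POP_RULE = ReusePolicy(timedelta(days=397), pop_each_issuance=True)

def demo() -> dict:
    addr, d30 = "team-alias@example.com", T0 + timedelta(days=30)
    return {
        # signing + encryption certs requested together: the second reuses the first
        "dual_cert_second": required_step(addr, "s-1", T0, GROUP, LONG_REUSE),
        # 30 days on, same subscriber: issued with no contact to the mailbox at all
        "long_window_30d": required_step(addr, "s-1", d30, GROUP, LONG_REUSE),
        # same request when a per-issuance proof-of-possession rule applies
        "pop_rule_30d": required_step(addr, "s-1", d30, GROUP, POP_RULE),
        # a different subscriber cannot ride on someone else's validation
        "other_subscriber": required_step(addr, "s-2", d30, GROUP, LONG_REUSE),
        # validation older than the window
        "expired": required_step(addr, "s-1", T0 + timedelta(days=400), GROUP, LONG_REUSE),
    }
```

`demo()` returns the decision for each constructed case; the "long_window_30d" entry is the one where a departed group member would still be served.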
On 2/24/21 12:26 AM, Stephen Davidson via Smcwg-public wrote:
> Thanks for the feedback.
>
> Yes I wrote that section intending a mailbox re-verification at each
> cert issuance.
>
> But I appreciate the arguments in favor of having a re-use period for
> that first verification, particularly in cases where certs may be
> periodically reissued, or when multiple certs are to be issued at the
> same time (as in the case of split signing and encryption certs).
>
> I will adapt that proposed text.
>
> As you may have noticed in Doug’s email, we have now made the draft
> SMIME BR public at https://github.com/srdavidson/smime/tree/PreSBR in a
> “PreSBR” branch, which you can view or Watch. It’s in active development
> now and this will be the working version of the SBR; it will be pulled
> into the cabf-smime repository later when the dust settles.
>
> Best regards, Stephen
>
> *From:* Smcwg-public <smcwg-public-bounces at cabforum.org> *On Behalf Of
> *Doug Beattie via Smcwg-public
> *Sent:* Tuesday, February 23, 2021 12:48 PM
> *To:* Tim Hollebeek <tim.hollebeek at digicert.com>; Dimitris Zacharopoulos
> (HARICA) <dzacharo at harica.gr>; SMIME Certificate Working Group
> <smcwg-public at cabforum.org>; Wendy Brown - QT3LB-C <wendy.brown at gsa.gov>
> *Subject:* Re: [Smcwg-public] Methods for email verification
>
> Tim – I agree.
>
> My initial question that started this thread was asking about this
> statement in section 3.2.2.2.2:
> https://github.com/srdavidson/smime/blob/PreSBR/SBR.md#32222--validating-control-over-email-address-via-email
>
> * Completed validations of Applicant control over the email address
> must be performed _for each Certificate issuance_.
>
> This sounds like you can’t re-use the email box validation at all, so I
> wanted to see if we can clarify that. We don’t have the same statement
> in the prior section 3.2.2.2.1
> https://github.com/srdavidson/smime/blob/PreSBR/SBR.md#32221--validating-authority-over-email-address-via-domain
> and assume normal re-use of domain validation applies there.
>
> Wendy Brown asked a similar question to see if the same validation can
> be used for issuance of 2 certs (signing and encryption). If we take
> the words in 3.2.2.2.2 literally, the answer is no.
>
> If we remove that line in the spec, then both questions are resolved, but
> does issuing a second cert to the same email address WITHOUT verifying
> the email address reduce security? In all cases of domain/email
> validation re-use, you must make sure it’s the same subscriber. This
> might be done via sending an email (most logical and surely compliant),
> but there may be service providers that host and are the
> Applicant/Subscriber on behalf of the owner of the mailbox. Does the
> mail box owner need to click a link every time the service provider
> creates a new cert for them? When the Enterprise does not want to hand
> over full control to issue certs for ALL mailboxes within that domain,
> it needs to be done at the mail box level with the mail box owner in the
> loop. Permitting re-use of the email box level validation provides some
> value.
>
> Doug
>
> *From:* Tim Hollebeek <tim.hollebeek at digicert.com>
> *Sent:* Tuesday, February 23, 2021 11:30 AM
> *To:* Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>; SMIME
> Certificate Working Group <smcwg-public at cabforum.org>; Wendy Brown -
> QT3LB-C <wendy.brown at gsa.gov>; Doug Beattie <doug.beattie at globalsign.com>
> *Subject:* RE: [Smcwg-public] Methods for email verification
>
> Right, we should follow the CABF validation reuse rules. I.e. as long
> as they’re both issued within the validation reuse timeframe, the second
> can reuse the first’s validation.
>
> One of the annoying things is that CABF policies and traditional PKI
> policies say basically the same thing in two different ways.
>
> Traditional PKIs have no provisions for reuse of validation, but define
> issuance categories like “renewal” and “replacement” that have
> pared-down validation and issuance rules based on the existence of a
> previously issued certificate with the same validated information.
>
> CABF PKIs forbid “renewal”, etc and treat everything as a new issuance,
> but have validation reuse requirements that in practice … tend to have
> exactly the same effect. You can renew (etc) a certificate without
> having to completely redo the validation for previously validated
> information.
>
> It’s mostly just tomayto tomahto, but it is a pain for PKIs that span
> both worlds.
>
> -Tim
>
> *From:* Smcwg-public <smcwg-public-bounces at cabforum.org> *On Behalf Of
> *Dimitris Zacharopoulos (HARICA) via Smcwg-public
> *Sent:* Sunday, February 21, 2021 5:17 AM
> *To:* Wendy Brown - QT3LB-C <wendy.brown at gsa.gov>; SMIME Certificate
> Working Group <smcwg-public at cabforum.org>; Doug Beattie
> <doug.beattie at globalsign.com>
> *Subject:* Re: [Smcwg-public] Methods for email verification
>
> On 18/2/2021 6:25 PM, Wendy Brown - QT3LB-C via Smcwg-public wrote:
>
> also could a single validation of the email address be used for
> issuance of both the signature & encryption certs in the case of the
> dual certs vs single cert case?
>
> That makes perfect sense to me.
>
> Validations in general should be allowed to be reused as it is allowed
> in other Certificate types.
>
> Dimitris.
>
> Wendy
>
> Wendy Brown
> Supporting GSA FPKI
> Protiviti Government Services
>
> 703-965-2990 (cell)
>
> wendy.brown at gsa.gov
> wendy.brown at protiviti.com
>
> On Thu, Feb 18, 2021 at 10:54 AM Doug Beattie via Smcwg-public
> <smcwg-public at cabforum.org> wrote:
>
> Hi Stephen,
>
> I’m not sure I agree with this statement in section 3.2.2.2.2
> Validating control over email address via email
>
> * Completed validations of Applicant control over the email
> address must be performed _for each Certificate issuance_.
>
> I’d like to permit re-use of that validation over and over for
> the re-use period for that subscriber if possible. Is there a
> reason we preclude that? For example, an email gateway provider
> might validate this email address and then want to replace
> certificates more frequently than 397 days, but this would
> require emails to the email box to act on that.
>
> Doug
>
> *From:* Smcwg-public <smcwg-public-bounces at cabforum.org> *On Behalf Of
> *Stephen Davidson via Smcwg-public
> *Sent:* Wednesday, February 17, 2021 6:02 PM
> *To:* SMIME Certificate Working Group <smcwg-public at cabforum.org>
> *Subject:* [Smcwg-public] Methods for email verification
>
> Following our discussion on the call today, I attach draft text
> for section 3.2.2.2 of the SMIME BR (SBR) that deals with 1)
> Validating authority over email address via domain and 2)
> Validating control over email address via email.
>
>
>
> It aims to fulfill the requirements of the Mozilla policy. It
> includes comments with some questions that require further
> discussion. Additional methods can be addressed in future
> versions of the SBR.
>
>
>
> Many thanks for Doug and Sebastian at GlobalSign for their help
> in drafting this. We’ll discuss this in a future meeting, but
> feel free to also provide feedback here.
>
>
>
> Many thanks, Stephen
>
> _______________________________________________
> Smcwg-public mailing list
> Smcwg-public at cabforum.org <mailto:Smcwg-public at cabforum.org>
> https://lists.cabforum.org/mailman/listinfo/smcwg-public
> <https://lists.cabforum.org/mailman/listinfo/smcwg-public>
>
>
>