[Smcwg-public] Proposed validation reuse periods based on validated entity.

Fotis Loukos fotisl at google.com
Sun Jan 30 10:56:51 UTC 2022


Hello everyone,

I have just submitted a pull request for some language on the validation
reuse period. I would like to provide an analysis and a rationale for the
current suggestions.

First and foremost, I believe that we should make this decision based on
the security properties of the entity we are validating. The limit on the
validation reuse is a control to mitigate the risk of the Subscriber losing
operation/control of the validated entity, and therefore I believe that the
properties of the control should be based on the risk introduced which is
related to the security properties of the entity.

Currently, we are using two different principles for validating control of
an email address:
* Validating control of the respective mail server, either by validating
control of the MX record in 3.2.2.1 or validating control of the server
itself in the proposed 3.2.2.3 method; and
* Validating the mailbox in 3.2.2.2.

Since one of the major factors for deciding the validation reuse times is
the frequency that these entities change, I believe that a small analysis
would be helpful.

In the first case, we are effectively validating the operation/control of
an FQDN or a DNS record. We already have insights on this, and section
4.2.1 of the WebPKI BRs mandates that validations must be obtained no more
than 398 days prior to issuing the certificate. Therefore, I believe that
the same should apply to methods 3.2.2.1 and proposed method 3.2.2.3. I
believe that this is also aligned with the business practices of many CAs.

In the second case, things are more complicated. I haven't managed to find
any exact data, but research by the DMA shows that in 2015, 3% of the
users kept their email address for 0-11 months and 7% for 1-2 years
(https://www.zettasphere.com/how-many-email-addresses-people-typically-use/).
Although these stats may have changed now, I believe that there is a
consensus that email addresses change more frequently than SMTP servers,
especially with cases such as business emails or emails by ISPs. Therefore,
my recommendation is a 30 day validation reuse period for mailbox
validation.

The pull request can be found at https://github.com/cabforum/smime/pull/35.
Any comments are highly appreciated.

Best regards,
Fotis

-- 

Fotis Loukos |  Security Engineer |  fotisl at google.com |
Brandschenkestrasse 110, 8002 Zurich, Switzerland
Company Identifikationsnummer: CH-020.4.028.116-1

This email can contain confidential information. If you received this email
by mistake, do not pass it to third parties and delete all copies and
enclosures, and let us know that it has been delivered to the wrong address.

Thank you.