[Smcwg-public] Proposed validation reuse periods based on validated entity.

Stephen Davidson Stephen.Davidson at digicert.com
Mon Jan 31 16:55:57 UTC 2022


Thanks Fotis; we’ll continue this discussion in our scheduled meeting this week.

Agenda to follow shortly.

Regards, Stephen







From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Fotis Loukos via Smcwg-public
Sent: Sunday, January 30, 2022 6:57 AM
To: SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: [Smcwg-public] Proposed validation reuse periods based on validated entity.



Hello everyone,


I have just submitted a pull request for some language on the validation reuse period. I would like to provide an analysis and a rationale for the current suggestions.


First and foremost, I believe that we should make this decision based on the security properties of the entity we are validating. The limit on the validation reuse is a control to mitigate the risk of the Subscriber losing operation/control of the validated entity, and therefore I believe that the properties of the control should be based on the risk introduced which is related to the security properties of the entity.


Currently, we are using two different principles for validating control of an email address:
* Validating control of the respective mail server, either by validating control of the MX record in 3.2.2.1 or validating control of the server itself in the proposed 3.2.2.3 method; and
* Validating the mailbox in 3.2.2.2.

Since one of the major factors for deciding the validation reuse times is the frequency that these entities change, I believe that a small analysis would be helpful.


In the first case, we are effectively validating the operation/control of an FQDN or a DNS record. We already have insights on this, and section 4.2.1 of the WebPKI BRs mandates that validations must be obtained no more than 398 days prior to issuing the certificate. Therefore, I believe that the same should apply to methods 3.2.2.1 and proposed method 3.2.2.3. I believe that this is also aligned with the business practices of many CAs.


In the second case, things are more complicated. I haven't managed to find any exact data, but research by the DMA shows that in 2015, 3% of the users kept their email address for 0-11 months and 7% for 1-2 years (https://www.zettasphere.com/how-many-email-addresses-people-typically-use/). Although these stats may have changed now, I believe that there is a consensus that email addresses change more frequently than SMTP servers, especially with cases such as business emails or emails by ISPs. Therefore, my recommendation is a 30-day validation reuse period for mailbox validation.


The pull request can be found at https://github.com/cabforum/smime/pull/35. Any comments are highly appreciated.



Best regards,

Fotis



--



Fotis Loukos | Security Engineer | fotisl at google.com



Brandschenkestrasse 110, 8002 Zurich, Switzerland

Company Identifikationsnummer: CH-020.4.028.116-1


