[cabf_validation] Minutes from the meeting of 2 August 2018

[Ryan Sleevi]

On Thu, Aug 2, 2018 at 3:30 PM Wayne Thayer via Validation <
validation at cabforum.org> wrote:

> Minutes from the Validation Subcommittee meeting of 2 August 2018
>
>  Attendees: Tim Hollebeek, Ben Wilson, Shelley Brewer, Bruce Morton, Corey
> Bonnell, Doug Beattie, Frank Corday, Joanna Fox, Rich Smith, Robin Alden,
> Li-Chun Chen, Frank Corday
>
> 1. Continue re-direct discussion
> Wayne listed types of redirects in the Validation Summit Findings document
> [1] under method 6
> Tim: do we have a general idea of what the policy should be?
> Ben: No, we need to determine what the concerns are.
> Tim: the last two on the list (meta-refresh tag and JavaScript) are bad
> ideas because they require CAs to run a sophisticated HTML parser that adds
> complexity and risk. I don’t think CAs intentionally support these, but
> their code may incidentally support it. Is anyone against banning these two?
> Bruce: I can’t comment now
> Tim: Are people familiar enough with 300s to discuss?
> Doug: I can’t think of a good reason why we should allow any of these
> Tim: I’m particularly disturbed when a redirect points back to a site run
> by the CA. Pointing to another subdomain of the same domain seems
> reasonable. But I could also argue that it should be a new validation
> method.
> Tim: Does everyone need to give this more thought?
> Wayne: We should propose banning redirects and see who complains
> Tim: Clients like Curl automatically follow redirects, so people may not
> recognize the impact.
> Corey: Redirects from the base domain to the www subdomain are common.
> Banning this will cause some pain to Subscribers.
> Tim: Can everyone do some homework to determine what their CA’s current
> redirect behavior is?
> Wayne: In most cases CAs could check both the www and base name, but that
> won’t work if validating the subdomain and validation code is on the base
> domain.
> Tim: Redirecting to another subdomain of the same domain name might be
> okay - both are controlled by the same entity.
> Tim: the basic security property of this method is the ability to control
> the content of the website, so if www is the same site as the base domain
> then that should be okay.
>

Thanks for circulating these, Wayne.

Tim, I'm hoping you can expand more on "I’m particularly disturbed when a
redirect points back to a site run by the CA.". Are there existing threads
where you flesh out and articulate these concerns that you could link to?
If not, could you expand on why you're particularly disturbed?

For those that share Tim's concerns (as I see Doug just argued only 'www'
and 'www2' should be permitted), can you articulate them a bit more?


>
> 2. Discuss Ballot SC2
> Tim: Mainly failed due to it being Summertime and lack of time to review.
> Also some discussion about the phone number validation method colliding
> with Doug’s method 3 ballot. Decided to split out the phone number portions
> to a separate ballot.
> Bruce: Updated the text to use ADN per comment from Wayne
> Corey: what about splitting out text record to a separate ballot?
> Tim: most DNS tools don’t support new CAA tags, so the TXT record is
> essential and it’s a widely accepted approach in the IETF because it works.
> Wayne: is the use of a specific subdomain a change?
> Tim: no, that’s how it was spec’d in ballot SC2. I realize TXT support is
> controversial, but most DNS providers don’t support new CAA tags.
>
> 3. Validation Summit Method 3 Ballot
> Doug: Changed references to domain contact’s phone number rather than
> WHOIS registrant. Added info on voicemail handling. Added validation of an
> ADN. CA can request to be transferred to the domain contact. Plan is a
> ballot to update method 3 with these clarifications, effective immediately.
>

Is there a draft version circulating with these proposed changes? I may
have missed it, but I couldn't find it while scanning my e-mail.


> 5. Validation Methods in Certificates
> Wayne: my mental model is that certificates are issued as soon as each SAN
> passes one method of domain validation, but Doug pointed out on the list
> that some CAs might validate with multiple methods. The CA can just choose
> which method to indicate in the certificate, or can indicate multiple
> methods. The concern is if one method is found to be insecure, then that
> doesn’t necessarily mean that the cert needs to be replaced. In fact, CAs
> often revalidate rather than reissuing certs when a validation
> vulnerability is found. This leads to the conclusion that the validation
> method information in a certificate can’t be used to determine that the
> certificate needs to be revoked.
> Tim: I agree. The BRs state that the CA must validate using “at least one
> of the methods below”.
>

Can someone describe a bit more about the scenarios in which a CA performs
validation using several simultaneous methods?


> Doug: I also agree, but we don’t know what browsers will do with this
> information, so we have to assume that browsers will use it to make trust
> decisions.
> Wayne: I view this as information, not a way to enforce policies, and this
> discussion makes the case for that.
> Doug: Can the intent be part of the ballot?
> Wayne: Requirements can’t really describe intent, but I’d be happy to add
> that to the introductory language of the ballot.
> Tim: Another question is the ability to describe which sub-methods were
> used
> Wayne: the ballot expresses the current scheme of describing methods, so
> that scheme would need to change first. In the current scheme, we should
> break a method with N sub methods into N new methods.
> Tim: I agree. Another concern is with CAA, where constantly changing
> method numbers could cause problems when certificates are renewed
> Bruce: I don’t see method numbers constantly changing once we get through
> our review of all the methods. Agree that method 2 should be 3 methods.
> Doug: Method 2 could really be 9 methods. Or we could have one method for
> all flavors of phone validation, for instance. We need to decide if we want
> to make methods more granular. Not convinced it’s worth turning one method
> into 9.
> Corey: If we don’t make things more granular, there isn’t enough value in
> encoding the method into the cert. The OID for the old and new method 10
> would be the same.
> Tim: Method 10 is a problem child. It needs to be fixed.
>

Aren't any issues with this resolved by indicating the earliest of the
validation that occurred?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180809/437c6381/attachment.html>