[cabf_validation] Agenda for March 1st prep call for Validation Summit

Peter Bowen pzb at amzn.com
Sat Mar 3 09:12:44 MST 2018 

Doug,

It isn’t possible to determine if a validation method is “adequate” if it isn’t defined what is required to be validated.  For example, a validation method for some contexts is “using a magnifying glass to visually confirm the presence of a small watermark on the document”, but this likely is not relevant to certificates. 

Section 9.6.1 of the BRs lists what CAs are certifying.  I was hoping to the validation working group would review this so that all the methods can be compared to this list to determine if the method provides reasonable assurance the requirements for certification are met.

From the BRs: The CA certifies that, at the time the certificate was issued:
1) the Applicant either had the right to use, or had control of, the Domain Name(s) and IP address(es) listed in the Certificate’s subject field and subjectAltName extension or, in the case of Domain Names, was delegated such right or control by someone who had such right to use or control, and

2) the natural person, device, system, unit, or Legal Entity identified in the Certificate as the Subject authorized the issuance of the Certificate, and

3) the Subject is either the Applicant or a device under the control and operation of the Applicant, and

4) that the natural person or human sponsor who was either the Applicant, employed by the Applicant, or an authorized agent who had express authority to represent the Applicant was authorized to request the Certificate on behalf of the Subject

The other thing that might be worth discussing is whether one or more of these items should be removed as being required for certification.

Thanks,
Peter

> On Mar 1, 2018, at 5:27 AM, Tim Hollebeek via Validation <validation at cabforum.org> wrote:
> 
> First of all, I’m all for doing as much prep work ahead of time as possible.  Everyone please feel free to go nuts on this mailing list.  I only have 30 minutes at the end for pros/cons/strengths/weaknesses b/c I was hoping by that point we’d already discussed every method’s strengths and weaknesses, and will just be summarizing/comparing.  It’s entirely possible that’s not enough time, and if it isn’t, we’ll extend that discussion as it’s one of the most important things that can come out of the summit.
>  
> Several other people wanted to start with what we are validating.  If that turns out to be less productive in the abstract, and we need to move on to concrete discussions more quickly than the schedule anticipates, I’m fine with that.
>  
> If we do get to IP addresses, yeah, we should summarize the analysis and concerns that have been done on VWG calls up front.  It’s a complex topic.
>  
> Sorry I’ve been slower than usual to respond, I’m in the middle of an epic standards road trip.
>  
> -Tim
>  
> From: Doug Beattie [mailto:doug.beattie at globalsign.com <mailto:doug.beattie at globalsign.com>] 
> Sent: Tuesday, February 27, 2018 1:00 PM
> To: Tim Hollebeek <tim.hollebeek at digicert.com <mailto:tim.hollebeek at digicert.com>>; CA/Browser Forum Validation WG List <validation at cabforum.org <mailto:validation at cabforum.org>>
> Subject: RE: [cabf_validation] Agenda for March 1st prep call for Validation Summit
>  
> Hi Tim,
>  
> I’m not clear on what we’re spending the first hour on and would suggest we get right to the descriptions of the 12 methods as quickly as possible.
>  
> I’m hoping we can discuss the pros and cons of each method and document the strengths and weaknesses, but you have only 30 minutes for that at the end.  I don’t think Hour 5 is fully loaded, so maybe there is time there?  Can we find more time for this, or prepare ahead of time?  I’d like to understand things like this, which I think is the most important thing we can do:
> For email validation using constructed email addresses: If the domain owner permits email on the domain and they don’t lock down the approved email boxes (admin, root, etc.) then they are at risk (the domain owner needs to take action to protect their domain)
> For well-known: 
> If the hosting entity can insert web site content, then the web provider can get certs for any site they host.  If you’ve delegated control of your web site, then perhaps you’ve knowingly delegated cert issuance.  But, maybe you didn’t understand what you delegated. (Same goes for DNS validation)
> If the server follows redirects, and there are blanket redirects, then that opens up the system to attacks (per Ryan and I probably have this incorrectly stated)
> For methods 9 and 10, if the hosting provider does not separate different customers on shared IP addresses sufficiently well, then one customer can obtain certificates for any other customer on their shared IP address.  In order to use these methods, you need the hosting entity to acknowledge they are abiding by these rules.
>  
> Would it make sense to start defining these prior to the summit?  If so, maybe we should create a shared document like Wayne did for his “Ground Rules” document.  What do you think?
>  
> https://docs.google.com/document/d/1IzCmKXyPoPgIpUsyPeKG4r3AHuSp5JCcaEOJSiKk_zY/edit <https://docs.google.com/document/d/1IzCmKXyPoPgIpUsyPeKG4r3AHuSp5JCcaEOJSiKk_zY/edit>
>  
>  
> IP address validation: We should lay out the top level questions and assumptions.  We discussed this on a call or two and I think we understand some of the concerns which would be a good starting point.
>  
> Doug
>  
>  
> From: Validation [mailto:validation-bounces at cabforum.org <mailto:validation-bounces at cabforum.org>] On Behalf Of Tim Hollebeek via Validation
> Sent: Tuesday, February 27, 2018 2:15 PM
> To: validation at cabforum.org <mailto:validation at cabforum.org>
> Subject: [cabf_validation] Agenda for March 1st prep call for Validation Summit
>  
> 
> See attached.
>  
> If you have any comments or questions, please respond on this thread.  The more we can handle before the summit, the more time we will have for discussion at the summit.
>  
> -Tim
>  
> _______________________________________________
> Validation mailing list
> Validation at cabforum.org <mailto:Validation at cabforum.org>
> https://cabforum.org/mailman/listinfo/validation <https://cabforum.org/mailman/listinfo/validation>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180303/1e2e4673/attachment-0001.html>

More information about the Validation mailing list