[cabf_validation] Outline of Method 1 Replacement

Wayne Thayer wthayer at mozilla.com
Fri Mar 9 11:44:11 MST 2018 

My takeaway from the validation summit was that there is some possibility
that a more robust version of method #1 can be defined. The concept behind
3.2.2.4.1 was that the Domain Name Registrant (DNR) implicitly permits
issuance of certificates for the domain to the organization listed as the
DNR. The weaknesses we discussed included:
1. Org names are not unique. 3.2.2.4.1 doesn't specify how to ensure the
DNR is truly the Applicant.
2. What if the information source used to verify the identity of the
applicant contains false information?
3. The process for Validation of Authority specified in 3.2.5 is not
sufficiently robust in this scenario, and it does not ensure that the
person completing the validation has proper authority to do so on behalf of
the Applicant.

Here is an outline of a method that attempts to address these concerns:
==============

*3.2.2.4.13 Validating the Applicant as a Domain Contact *

Confirming the Applicant's control over the FQDN by validating the
Applicant is the Domain Name Registrant directly with the Domain Name
Registrar by matching the Domain Name Registrant’s legal name and complete
address with the Applicant’s authenticated identity.

This method may only be used if the CA authenticates (1) the Applicant's
identity under BR Section 3.2.2.1 or EV Guidelines Section 11.2 AND (2) the
Authority of the Certificate Approver under EV Guidelines Section 11.8.3.
==============

I've included a copy of EV section 11.8.3 below for reference. I'm
interested to know if CAs think this would be useful, assuming that it is
sufficient to address all the concerns raised with method 1.

Thanks,

Wayne


11.8.3. Acceptable Methods of Verification – Authority

Acceptable methods of verification of the Signing Authority of the Contract
Signer, and the EV Authority of the Certificate Approver, as applicable,
include:

   1.

   (1)  Verified Professional Letter: The Signing Authority of the Contract
   Signer, and/or the EV Authority of the Certificate Approver, MAY be
   verified by reliance on a Verified Professional Letter;
   2.

   (2)  Corporate Resolution: The Signing Authority of the Contract Signer,
   and/or the EV Authority of the Certificate Approver, MAY be verified by
   reliance on a properly authenticated corporate resolution that confirms
   that the person has been granted such Signing Authority, provided that such
   resolution is (i) certified by the appropriate corporate officer (e.g.,
   secretary), and (ii) the CA can reliably verify that the certification was
   validly signed by such person, and that such person does have the requisite
   authority to provide such certification;
   3.

   (3)  Independent Confirmation from Applicant: The Signing Authority of
   the Contract Signer, and/or the EV Authority of the Certificate Approver,
   MAY be verified by obtaining an Independent Confirmation from the Applicant
   (as described in Section 11.11.4);
   4.

   (4)  Contract between CA and Applicant: The EV Authority of the
   Certificate Approver MAY be verified by reliance on a contract between the
   CA and the Applicant that designates the Certificate Approver with such EV
   Authority, provided that the contract is signed by the Contract Signer and
   provided that the agency and Signing Authority of the Contract Signer have
   been verified;
   5.

   (5)  Prior Equivalent Authority: The signing authority of the Contract
   Signer, and/or the EV authority of the Certificate Approver, MAY be
   verified by relying on a demonstration of Prior Equivalent Authority.

(A) Prior Equivalent Authority of a Contract Signer MAY be relied upon for
confirmation or verification of the signing authority of the Contract
Signer when the Contract Signer has executed a binding contract between the
CA and the Applicant with a legally valid and enforceable seal or
handwritten signature and only when the contract was executed more than 90
days prior to the EV Certificate application. The CA MUST record sufficient
details of the previous agreement to correctly identify it and associate it
with the EV application. Such details MAY include any of the following:

(i) Agreement title,
(ii) DateofContractSigner’ssignature, (iii) Contract reference number, and
(iv) Filing location.

(B) Prior Equivalent Authority of a Certificate Approver MAY be relied upon
for confirmation or verification of the EV Authority of the Certificate
Approver when the Certificate Approver has performed one or more of the
following:

(i) Under contract to the CA, has served (or is serving) as an Enterprise
RA for the Applicant, or EV Guidelines, v. 1.6.7 22

(ii) Has participated in the approval of one or more certificate requests,
for certificates issued by the CA and which are currently and verifiably in
use by the Applicant. In this case the CA MUST have contacted the
Certificate Approver by phone at a previously validated phone number or
have accepted a signed and notarized letter approving the certificate
request.

(6) QIIS or QGIS: The Signing Authority of the Contract Signer, and/or the
EV Authority of the Certificate Approver, MAY be verified by a QIIS or QGIS
that identifies the Contract Signer and/or the Certificate Approver as a
corporate officer, sole proprietor, or other senior official of the
Applicant.

(7) Contract Signer’s Representation/Warranty: Provided that the CA
verifies that the Contract Signer is an employee or agent of the Applicant,
the CA MAY rely on the signing authority of the Contract Signer by
obtaining a duly executed representation or warranty from the Contract
Signer that includes the following acknowledgments:

(A) (B) (C) (D) (E)

That the Applicant authorizes the Contract Signer to sign the Subscriber
Agreement on the Applicant's behalf, That the Subscriber Agreement is a
legally valid and enforceable agreement,
That, upon execution of the Subscriber Agreement, the Applicant will be
bound by all of its terms and conditions, That serious consequences attach
to the misuse of an EV certificate, and

The contract signer has the authority to obtain the digital equivalent of a
corporate seal, stamp or officer's signature to establish the authenticity
of the company's Web site.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180309/aa4113aa/attachment.html>

More information about the Validation mailing list