[cabf_validation] Outline of Method 1 Replacement

Sun Mar 11 15:45:07 MST 2018

Hi Wayne,

I am still compiling the minutes on the Method 1 discussion we had
during the Validation WG Summit. Please allow 1-2 days to get all my
notes straight. I just received the presentation from Mads. I think the
minutes will be useful to the WG and this thread. I was also left with
the impression of a way to improve method 1 and turn it in a robust new
method which will have at least the same (if not better) level of
assurance than the existing methods.

Thanks,
Dimitris.

On 9/3/2018 8:44 μμ, Wayne Thayer via Validation wrote:
> My takeaway from the validation summit was that there is some
> possibility that a more robust version of method #1 can be defined.
> The concept behind 3.2.2.4.1 was that the Domain Name Registrant (DNR)
> implicitly permits issuance of certificates for the domain to the
> organization listed as the DNR. The weaknesses we discussed included:
> 1. Org names are not unique. 3.2.2.4.1 doesn't specify how to ensure
> the DNR is truly the Applicant.
> 2. What if the information source used to verify the identity of the
> applicant contains false information?
> 3. The process for Validation of Authority specified in 3.2.5 is not
> sufficiently robust in this scenario, and it does not ensure that the
> person completing the validation has proper authority to do so on
> behalf of the Applicant.
>
> Here is an outline of a method that attempts to address these concerns:
> ==============
> *3.2.2.4.13 Validating the Applicant as a Domain Contact
> *
>
> Confirming the Applicant's control over the FQDN by validating the
> Applicant is the Domain Name Registrant directly with the Domain Name
> Registrar by matching the Domain Name Registrant’s legal name and
> complete address with the Applicant’s authenticated identity.
>
> This method may only be used if the CA authenticates (1) the
> Applicant's identity under BR Section 3.2.2.1 or EV Guidelines Section
> 11.2 AND (2) the Authority of the Certificate Approver under EV
> Guidelines Section 11.8.3.
> ==============
>
> I've included a copy of EV section 11.8.3 below for reference. I'm
> interested to know if CAs think this would be useful, assuming that it
> is sufficient to address all the concerns raised with method 1.
>
> Thanks,
>
> Wayne
>
>
> 11.8.3. Acceptable Methods of Verification – Authority
>
> Acceptable methods of verification of the Signing Authority of the
> Contract Signer, and the EV Authority of the Certificate Approver, as
> applicable, include:
>
> 1.
>
>     (1)  Verified Professional Letter: The Signing Authority of the
>     Contract Signer, and/or the EV Authority of the Certificate
>     Approver, MAY be verified by reliance on a Verified Professional
>     Letter;
>
> 2.
>
>     (2)  Corporate Resolution: The Signing Authority of the Contract
>     Signer, and/or the EV Authority of the Certificate Approver, MAY
>     be verified by reliance on a properly authenticated corporate
>     resolution that confirms that the person has been granted such
>     Signing Authority, provided that such resolution is (i) certified
>     by the appropriate corporate officer (e.g., secretary), and (ii)
>     the CA can reliably verify that the certification was validly
>     signed by such person, and that such person does have the
>     requisite authority to provide such certification;
>
> 3.
>
>     (3)  Independent Confirmation from Applicant: The Signing
>     Authority of the Contract Signer, and/or the EV Authority of the
>     Certificate Approver, MAY be verified by obtaining an Independent
>     Confirmation from the Applicant (as described in Section 11.11.4);
>
> 4.
>
>     (4)  Contract between CA and Applicant: The EV Authority of the
>     Certificate Approver MAY be verified by reliance on a contract
>     between the CA and the Applicant that designates the Certificate
>     Approver with such EV Authority, provided that the contract is
>     signed by the Contract Signer and provided that the agency and
>     Signing Authority of the Contract Signer have been verified;
>
> 5.
>
>     (5)  Prior Equivalent Authority: The signing authority of the
>     Contract Signer, and/or the EV authority of the Certificate
>     Approver, MAY be verified by relying on a demonstration of Prior
>     Equivalent Authority.
>
> (A) Prior Equivalent Authority of a Contract Signer MAY be relied upon
> for confirmation or verification of the signing authority of the
> Contract Signer when the Contract Signer has executed a binding
> contract between the CA and the Applicant with a legally valid and
> enforceable seal or handwritten signature and only when the contract
> was executed more than 90 days prior to the EV Certificate
> application. The CA MUST record sufficient details of the previous
> agreement to correctly identify it and associate it with the EV
> application. Such details MAY include any of the following:
>
> (i) Agreement title,
> (ii) DateofContractSigner’ssignature, (iii) Contract reference number, and
> (iv) Filing location.
>
> (B) Prior Equivalent Authority of a Certificate Approver MAY be relied
> upon for confirmation or verification of the EV Authority of the
> Certificate Approver when the Certificate Approver has performed one
> or more of the following:
>
> (i) Under contract to the CA, has served (or is serving) as an
> Enterprise RA for the Applicant, or EV Guidelines, v. 1.6.7 22
>
> (ii) Has participated in the approval of one or more certificate
> requests, for certificates issued by the CA and which are currently
> and verifiably in use by the Applicant. In this case the CA MUST have
> contacted the Certificate Approver by phone at a previously validated
> phone number or have accepted a signed and notarized letter approving
> the certificate request.
>
> (6) QIIS or QGIS: The Signing Authority of the Contract Signer, and/or
> the EV Authority of the Certificate Approver, MAY be verified by a
> QIIS or QGIS that identifies the Contract Signer and/or the
> Certificate Approver as a corporate officer, sole proprietor, or other
> senior official of the Applicant.
>
> (7) Contract Signer’s Representation/Warranty: Provided that the CA
> verifies that the Contract Signer is an employee or agent of the
> Applicant, the CA MAY rely on the signing authority of the Contract
> Signer by obtaining a duly executed representation or warranty from
> the Contract Signer that includes the following acknowledgments:
>
> (A) (B) (C) (D) (E)
>
> That the Applicant authorizes the Contract Signer to sign the
> Subscriber Agreement on the Applicant's behalf, That the Subscriber
> Agreement is a legally valid and enforceable agreement,
> That, upon execution of the Subscriber Agreement, the Applicant will
> be bound by all of its terms and conditions, That serious consequences
> attach to the misuse of an EV certificate, and
>
> The contract signer has the authority to obtain the digital equivalent
> of a corporate seal, stamp or officer's signature to establish the
> authenticity of the company's Web site.
>
>
>
>
> _______________________________________________
> Validation mailing list
> Validation at cabforum.org
> https://cabforum.org/mailman/listinfo/validation

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180312/93f155d6/attachment.html>