[cabf_validation] Pre pre ballot for updated validation method #3 (Phone)

Doug Beattie doug.beattie at globalsign.com
Mon May 14 07:06:17 MST 2018


As I look at the proposed text again based on Ryan's comment on the use of ADN in a different thread, I'm concerned that the proposed text is ambiguous or inaccurate.  When validating using a Domain Contact's phone number, the Base Domain might not always be the ADN like I had assumed.  

Proposed text: --------------------
Confirming the Applicant's control over the FQDN by calling the Domain Contact's  phone number and receiving a confirming response. The CA MUST place the call to a phone number identified by the Domain Name Registrar as the Domain Contact.

Each phone call SHALL be made to a single number and MAY confirm control of multiple FQDNs, provided that the phone number is identified by the Domain Registrar as a valid contact phone number for every FQDN being verified using the phone call.

In the event that someone other than a Domain Contact is reached, the CA MAY request to be transferred to a Domain Contact. In the event of reaching voicemail, a Random Value shall be left and the Domain Contact may return that to the CA via Phone, Email, Fax, or SMS to approve the domain within 30 days of the voicemail.
---------------------------

The remaining question is about what is being validated.
- Applicant wants FQDN validated, www.example.com
- Domain Contact is obtained from example.com

In this scenario, is the ADN www.example.com or example.com?  Does the answer depend on what the CA asks during the call?
- If they ask: "Do you approve validation of example.com", then that would be ADN and it can be re-used for subsequent validations.
- If they ask: "Do you approve validation of www.example.com", then the ADN is www.example.com.

Is that right?

Comment via email, or here: https://docs.google.com/document/d/1aJiOzYVTpoAPVWDucnp20cTO2PR_cRsHncvkhlrcR10/edit# 

Doug

From: Doug Beattie 
Sent: Thursday, May 10, 2018 4:18 PM
To: validation (validation at cabforum.org) <validation at cabforum.org>
Subject: Pre pre ballot for updated validation method #3 (Phone)


As discussed on the call today, I think we're getting ready to ballot this updated method.  

https://docs.google.com/document/d/1aJiOzYVTpoAPVWDucnp20cTO2PR_cRsHncvkhlrcR10/edit

Please provide me any comments, or make a comment directly on the above page.

When should this be effective?  In order to support an orderly transition, I recommend adding this as a new Domain Validation method and then set an end date for method 3, likely 3-6 months from the effective date.  Please comment on the timeline for removing the existing method 3.

I'm looking for 2 endorsers.

----------------------------------------
For ease of review, here is the current section of the above Google Doc:

Method 3 - Phone Contact with Domain Contact :
Current Ballot Text:
Confirming the Applicant's control over the FQDN by calling the Domain Name Registrant's phone number and obtaining a response confirming the Applicant's request for validation of the FQDN. The CA MUST place the call to a phone number identified by the Domain Name Registrar as the Domain Contact.
Each phone call SHALL be made to a single number and MAY confirm control of multiple FQDNs, provided that the phone number is identified by the Domain Registrar as a valid contact method for every Base Domain Name being verified using the phone call.
Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN.  This method is suitable for validating Wildcard Domain Names.

Potential Risks

(Columns: Risk / Mitigation / Discussion)

1. Risk: This is more of a limitation than a risk, but using only the Domain Name Registrant's phone number is overly restrictive.
   Mitigation: Change "Domain Name Registrant" to "Domain Contact"
   Discussion: We should allow the phone call to be placed to a Domain Contact (includes the registrant).

2. Risk: It's not clear how phone transfers should be handled, and this weakness could be exploited.
   Mitigation: Prohibit transfers except to a specified Domain Contact (CA must ask to be transferred to them by name).  Use of un-named contacts (like IT Department) cannot be used.
   Discussion: Consider not allowing any transfers except to a Domain Contact, otherwise "anyone" could approve the domain.

3. Risk: It's not clear how voicemail messages can be used (or not) with this method.
   Mitigation: If voicemail is reached, allow a Random Value to be left.  The Applicant can convey this back to the CA within 30 days to approve the domain.
   Discussion: The challenge-response via a person is more clear (are you Mr. Domain Contact and do you approve this domain), but with voicemail you do not have this exchange. In order for the individual listening to the voicemail to properly "authenticate" themselves to the CA when returning the call (or sending an email), they must provide proof that they listened to the voicemail. Recommend that the CA leave a Random Value on the voicemail which can be conveyed back to the CA to approve the domain.

4. Risk: While the Applicant is asking for a FQDN to be validated, the validation is actually being done for the Base Domain Name.
   Mitigation: Recommend changing:
   ...confirming the Applicant's request for validation of the Base Domain Name FQDN

5. Risk: Does the "note" provide any value, or should this be deleted?
   Mitigation: TBD


Recommended Updates
1. The phone call and response should confirm the validation of the Base Domain Name, not the FQDN.
2. There is an inconsistency between Domain Name Registrant and Domain Contact, so we should say the call can be made to a "Domain Contact" vs. "Domain Name Registrant".
3. Don't permit transfers except to a Domain Contact.
4. If voicemail is reached, allow Random Number to be left.  It must be returned to the CA within 30 days.
5. Should we remove the note?  TBD
Recommended new method
Confirming the Applicant's control over the FQDN by calling the Domain Name Registrant's Domain Contact's phone number and obtaining a response confirming the Applicant's request for validation of the Base Domain Name FQDN. The CA MUST place the call to a phone number identified by the Domain Name Registrar as the Domain Contact.

Each phone call SHALL be made to a single number and MAY confirm control of multiple FQDNs Base Domain Names, provided that the phone number is identified by the Domain Registrar as a valid contact method for every Base Domain Name being verified using the phone call.

In the event that someone other than a Domain Contact is reached, the CA MAY request to be transferred to a Domain Contact. In the event of reaching voicemail, a Random Value shall be left and the Domain contact may return that to the CA via Phone, Email, Fax, or SMS to approve the domain within 30 days of the voicemail.

Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN Base Domain Name.  This method is suitable for validating Wildcard Domain Names. 



Doug Beattie
Vice President of Product Management
GlobalSign
Two International Drive | Suite 150 | Portsmouth, NH 03801
Email: mailto:doug.beattie at globalsign.com 
https://www.globalsign.com/
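
Added example, not part of the original message and not any CA's code: the three checks the proposed text implies, in Python. It shows which FQDNs a call covers once the ADN is fixed, whether the dialled number is a listed contact for every name, and the 30-day window for a voicemail Random Value. The function names, the contacts mapping and the sample phone numbers are assumptions constructed for illustration.

```python
import hmac
import secrets
from datetime import datetime, timedelta

RANDOM_VALUE_TTL = timedelta(days=30)  # "within 30 days of the voicemail"

def labels(name):
    """Lower-cased DNS labels; a leading wildcard label is dropped."""
    parts = name.lower().rstrip(".").split(".")
    return parts[1:] if parts[0] == "*" else parts

def covered_by(adn, fqdn):
    """True if fqdn ends with all the labels of the validated name (the ADN).
    Comparing whole labels keeps badexample.com from matching example.com."""
    a, f = labels(adn), labels(fqdn)
    return len(f) >= len(a) and f[-len(a):] == a

def unlisted_names(phone, names, registrar_contacts):
    """Names for which `phone` is NOT a registrar-listed contact number.
    One call may confirm several names only if this list is empty.
    registrar_contacts: hypothetical mapping name -> set of normalized numbers."""
    return [n for n in names if phone not in registrar_contacts.get(n, set())]

def new_voicemail_challenge(adn, now):
    """Random Value left on voicemail, bound to the ADN it was left for."""
    return {"adn": adn, "value": secrets.token_hex(16), "left_at": now}

def accept_returned_value(challenge, presented, now):
    """Accept only the exact value, returned within 30 days of the voicemail."""
    fresh = timedelta(0) <= now - challenge["left_at"] <= RANDOM_VALUE_TTL
    same = hmac.compare_digest(challenge["value"].encode(), presented.encode())
    return fresh and same

if __name__ == "__main__":
    # Constructed sample data (fictional numbers).
    contacts = {"example.com": {"+16035550100"}, "example.net": {"+16035550199"}}
    print(unlisted_names("+16035550100", ["example.com", "example.net"], contacts))
    # The two answers to "what is the ADN?" give different reuse scope:
    for adn in ("example.com", "www.example.com"):
        print(adn, [f for f in ("www.example.com", "mail.example.com",
                                "*.example.com") if covered_by(adn, f)])
```
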
