[cabfpub] Ballot 92 reviewed
Gervase Markham
gerv at mozilla.org
Mon Oct 29 13:33:05 UTC 2012
On 29/10/12 12:15, Steve Roylance wrote:
> The intention behind the wording in the proposed revision of 9.2.1 that
> Jeremy was referring to was to constrain the issuance of certificates with
> non verifiable domain names/IP addresses/host names etc (deemed
> dangerous/toxic by many CABForum and non CABForum members including
> yourself). Merely having one FQDN present does not identify the owner.
It identifies them just as much as the owner of a single-FQDN DV cert is
identified.
> It
> identifies that the CA has performed some level of challenge response on
> an FQDN only and not necessarily validated identity. It's the identity
> that becomes useful in any forensic examination of data packets following
> a successful attack.
This seems to be "OV vs DV" in disguise. :-)
If a DV cert for www.foo.com is OK in a certain scenario, why is a DV
cert for www.foo.com, foo.mail and foopymachine not OK? Both certs
contain exactly the same amount of information regarding who 'owns' them
- it's the person who owns www.foo.com.
> We've all discussed the suitability of DV in the
> past in various scenarios and there's clearly a definite need for DV in
> the market where owners of domains simply want a credential to prove
> ownership, but what we are saying here is that we should not rely on the
> DV only mechanisms to highlight the "owner" of non-verifiable items
> because it doesn't.
This is begging the question of whether you need to know the 'owner' in
this sense in the first place. Or, to put it another way: why is this
argument not an argument against all DV certs?
Gerv
More information about the Public
mailing list