[cabfpub] Ballot 92 reviewed

Steve Roylance steve.roylance at globalsign.com
Mon Oct 29 14:36:34 UTC 2012


Hi Gerv.


On 29/10/2012 13:33, "Gervase Markham" <gerv at mozilla.org> wrote:

>On 29/10/12 12:15, Steve Roylance wrote:
>> The intention behind the wording in the proposed revision of 9.2.1 that
>> Jeremy was referring to was to constrain the issuance of certificates
>> with non-verifiable domain names/IP addresses/host names etc (deemed
>> dangerous/toxic by many CABForum and non-CABForum members including
>> yourself).  Merely having one FQDN present does not identify the owner.
>
>It identifies them just as much as the owner of a single-FQDN DV cert is
>identified.

We are not debating the use of DV here.  We are saying that a non-unique
component added to a DV based certificate or one used alone makes it a
different animal with different rules.

>
>> It identifies that the CA has performed some level of challenge response
>> on an FQDN only and not necessarily validated identity.  It's the
>> identity that becomes useful in any forensic examination of data packets
>> following a successful attack.
>
>This seems to be "OV vs DV" in disguise. :-)

Nope :-) ... I believe that DV is great for SSL when the owner does not need
to be authenticated.  There are lots of uses and clearly SSL is better
than no SSL, but where non-uniqueness creeps in it's different.


>
>If a DV cert for www.foo.com is OK in a certain scenario, why is a DV
>cert for www.foo.com, foo.mail and foopymachine not OK? Both certs
>contain exactly the same amount of information regarding who 'owns' them
>- it's the person who owns www.foo.com.

See Melih's post and my reply and you'll see these are different cases.
Currently anyone can have access to foopymachine or foo.mail so make sure
the person/organisation requesting this is identified.

>
>> We've all discussed the suitability of DV in the
>> past in various scenarios and there's clearly a definite need for DV in
>> the market where owners of domains simply want a credential to prove
>> ownership, but what we are saying here is that we should not rely on the
>> DV only mechanisms to highlight the "owner" of non-verifiable items
>> because it doesn't.
>
>This is begging the question of whether you need to know the 'owner' in
>this sense in the first place. Or, to put it another way: why is this
>argument not an argument against all DV certs?

It's the non-unique element that makes them different and dangerous if
given out freely.  You can't use a DV cert to attack another FQDN, but you
can use a non-unique name to attack another same-name non-unique host.

This trying to do the right thing is hard work... :-(

>
>Gerv
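The distinction Steve draws above, between a name that is globally unique under a public registry and a "non-unique" name (an unqualified host name, an internal suffix, a private IP address) that could refer to many hosts, is something a CA or a relying party can check mechanically in a certificate's subjectAltName. The following is an added example, not code from the cabfpub thread, GlobalSign or Mozilla; the tiny suffix list and the sample SAN entries are constructed for illustration, and a real checker would load the full Public Suffix List rather than the stand-in set below.

```python
"""Flag subjectAltName entries that cannot be tied to a unique, publicly
registered name.  Added example; the data below is constructed."""
import ipaddress

# Constructed stand-in for the Public Suffix List (assumption: a real tool
# loads the full list from https://publicsuffix.org/).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Top-level labels that are never globally unique (".local" is mDNS, the
# rest are common internal-network conventions); constructed list.
RESERVED_TLDS = {"local", "localhost", "internal", "lan", "corp", "home"}

# Constructed sample SAN list mixing public and non-unique entries.
SAMPLE_SANS = [
    ("DNS", "www.foo.com"),
    ("DNS", "foo.mail"),          # no public suffix behind it
    ("DNS", "foopymachine"),      # bare host name
    ("DNS", "*.foo.co.uk"),
    ("DNS", "printer.local"),
    ("IP", "203.0.113.10"),       # RFC 5737 documentation range
    ("IP", "10.1.2.3"),
    ("IP", "fe80::1"),
]


def classify_dns_name(name):
    """Return a reason string if `name` is non-unique, else None."""
    labels = name.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":       # wildcard: judge the rest
        labels = labels[1:]
    if not labels or any(label == "" for label in labels):
        return "malformed name"
    if len(labels) == 1:
        return "single-label host name"
    if labels[-1] in RESERVED_TLDS:
        return "reserved non-public top-level label"
    if ".".join(labels) in PUBLIC_SUFFIXES:
        return "bare public suffix"
    # Unique iff some proper suffix is a public suffix, i.e. there is a
    # registrable label in front of it that DNS validation can prove.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None
    return "not under a known public suffix"


def classify_ip(text):
    """Return a reason string if `text` is not a globally routable address."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return "malformed IP address"
    # is_global is False for private, loopback, link-local, reserved and
    # the RFC 5737/3849 documentation ranges alike.
    if not addr.is_global:
        return "non-global IP address"
    return None


def audit_sans(sans):
    """Return a list of (type, value, reason) for every flagged SAN entry."""
    findings = []
    for kind, value in sans:
        if kind == "DNS":
            reason = classify_dns_name(value)
        elif kind == "IP":
            reason = classify_ip(value)
        else:
            reason = "unsupported SAN type"
        if reason:
            findings.append((kind, value, reason))
    return findings


if __name__ == "__main__":
    for kind, value, reason in audit_sans(SAMPLE_SANS):
        print(f"{kind:<4} {value:<16} {reason}")
```

Run against the constructed list, the checker passes `www.foo.com` and `*.foo.co.uk` and flags the other six entries, which is exactly the split the thread argues for: a name the CA can prove ownership of through DNS versus one that any network could reuse. Note that `ipaddress` treats the documentation ranges as non-global, so `203.0.113.10` is flagged along with the RFC 1918 and link-local addresses.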
