[cabfpub] Recourse for domain owners who discover unknown certificates issued to their domain

Rick Andrews Rick_Andrews at symantec.com
Tue Oct 11 00:31:08 UTC 2016


During the discussions about CT name redaction ([1], [2]), it became clear
that there is no formal policy regarding what actions a CA should take if a
domain owner approached the CA to get information about a certificate issued
by the CA for a domain owned by the domain owner. We'd like to start a
discussion to craft such a policy. Note that this is not specific to name
redaction. A domain owner might discover a non-redacted certificate in a CT
log or public web crawl, and if the owner doesn't recognize the certificate,
they should be able to get detailed information from the CA so that the
domain owner can determine if the cert was properly issued, and request
revocation if it was not.

Let's break it up into three cases:
1.	The domain owner has a business relationship with the CA, and has
previously requested a certificate for the base domain in question
2.	The domain owner has a business relationship with the CA, but has
never requested a certificate for the base domain in question
3.	The domain owner does not have a business relationship with the CA

In case 1, the CA presumably has some existing ability to validate the
identity of the domain owner (a password or client certificate used to
access an account), but the certificate in question is not found in that
account. If the account contains a different certificate for the base domain
in question, then the CA must verify that the validation of the base domain
of that different certificate was done within the past 39 months (to comply
with the time limit for reuse of documents or data in BR 4.2.1). If that
validation is fresh enough, the CA can then release detailed information
about the certificate in question and revoke the cert if requested by the
domain owner. If that validation is too old, then the CA can direct the
domain owner to enroll for a certificate for the base domain in question,
essentially performing the steps outlined for case 2 below. If the domain
owner doesn't need a new certificate, most of the methods in 3.2.2.4 can
serve to prove ownership or control without a CSR (so Random Values can be
used but Request Tokens probably cannot).

In case 2, the CA presumably has some existing ability to validate the
identity of the domain owner (a password or client certificate used to
access an account), but the certificate in question is not found in that
account, nor is any valid certificate for the base domain in question. The
CA can direct the domain owner to make a request (not necessarily a
certificate request) for the base domain in question, and then the CA will
perform domain validation as per one of the methods in BR 3.2.2.4. If that
validation succeeds, the CA can then release detailed information about the
certificate in question and revoke the cert if requested by the domain
owner.

In case 3, the CA has no existing ability to validate the identity of the
domain owner, but the CA could direct the customer to make a request (not
necessarily a certificate request) for the base domain in question. The CA
will perform domain validation as per one of the methods in BR 3.2.2.4. If
that validation succeeds, the CA can then release detailed information about
the certificate in question and revoke the cert if requested by the domain
owner.

There may be cases in which the domain owner has lost control over the
domain and no longer owns it. If it can be covered in case 1 above, then the
(former) domain owner can get information about the certificate in question
and request its revocation. If not covered in case 1, then the (former)
domain owner has no recourse. It might make sense to put a short time limit
on this, perhaps 60 days from the loss of domain name control.

Another exceptional case is when a domain name changes hands, and the new
owner wants information about previously-issued certificates. The new domain
owner may even want to force the revocation of existing certificates. This
is covered by case 3 above. Since the new domain owner did not own the
domain at the time of certificate issuance, they should *not* be able to get
information on any previously-issued certs (or the associated PII like
contact information), but they should be able to ask the CA to revoke them.
This is expected to be a rare case.

Do others feel that we should come to agreements on the detail of this
policy and add it to the BRs?

[1]
https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/vsTzv8oNcws
[2]
https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/fCt4Bm03GsI
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5725 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20161011/9dde3a9e/attachment.p7s>


More information about the Public mailing list