[cabfpub] Recourse for domain owners who discover unknown certificates issued to their domain

Peter Bowen pzb at amzn.com
Tue Oct 11 03:34:46 UTC 2016


> On Oct 10, 2016, at 5:31 PM, public at cabforum.org wrote:
> 
> During the discussions about CT name redaction ([1], [2]), it became clear
> that there is no formal policy regarding what actions a CA should take if a
> domain owner approached the CA to get information about a certificate issued
> by the CA for a domain owned by the domain owner. We'd like to start a
> discussion to craft such a policy. Note that this is not specific to name
> redaction. A domain owner might discover a non-redacted certificate in a CT
> log or public web crawl, and if the owner doesn't recognize the certificate,
> they should be able to get detailed information from the CA so that the
> domain owner can determine if the cert was properly issued, and request
> revocation if it was not.

Rick,

Before we discuss how we authenticate the domain registrant, I think we need to discuss what a CA must do when so asked by a domain registrant.

As a straw man, I’m going to suggest that an authenticated domain registrant can do the following:

- Require revocation of a certificate containing a FQDN or Wildcard DN under their registered domain by providing the CA the issuer DN and serial number of the certificate

- Require revocation of all certificates containing a FQDN or Wildcard DN under their registered domain or a portion of the namespace under their registered domain

- Authorize the issuance of certificates containing a FQDN or Wildcard DN under their registered domain 

- Require the CA to only allow certain named people or email addresses to authorize future issuance

The registrant cannot:

- Require the CA to provide a list of all certificates containing a FQDN or Wildcard DN under their registered domain

- Require the CA to provide details on the applicant/subscriber for a certificate containing a FQDN or Wildcard DN under their registered domain

- Require the CA to provide an unredacted version of a redacted certificate containing a FQDN or Wildcard DN under their registered domain

To come up with this list, I considered the situation where domain foo.example is registered to Alice (potentially using a proxy as the registrant).  Mallory is a nefarious individual and wants to bring harm to Alice or Alice’s organization.  Mallory manages to take over foo.example (either due to Alice letting it expire or via domain transfer fraud) and then proceeds to contact CAs to get info about foo.example and Alice.  What should a CA be required to release?

Thanks,
Peter



