[cabf_validation] Domain Validation Requirement of MozillaCAInclusion Policy
Rich Smith
richard.smith at comodo.com
Thu Jul 30 12:57:42 MST 2015
I somewhat agree, Bruce, but identity verification notwithstanding, domain
control verification is THE absolute critical component of any type of
SSL/TLS certificate. IMO we should never rely solely on looking at WHOIS
info for that. There should always be required some sort of
challenge/response that clearly demonstrates domain control. I don't
necessarily think that needs to happen on EVERY request, if dealing with a
client who orders multiple certificates for various sub-domains, but I think
it should be required to be demonstrated at least once every 39 months just
like every thing else.
-Rich
From: Bruce Morton [mailto:bruce.morton at entrust.com]
Sent: Thursday, July 30, 2015 3:27 PM
To: richard.smith at comodo.com; 'Ben Wilson'; validation at cabforum.org
Subject: RE: [cabf_validation] Domain Validation Requirement of
MozillaCAInclusion Policy
For OV and EV, the CAs do more. In both cases the identity, domain and
authorization need to be validated. This combination has been working well
for us over the last many years.
On the other hand, I do not think that it is best for DV.
Bruce.
From: validation-bounces at cabforum.org
[mailto:validation-bounces at cabforum.org] On Behalf Of Rich Smith
Sent: Thursday, July 30, 2015 2:33 PM
To: 'Ben Wilson' <ben.wilson at digicert.com>; validation at cabforum.org
Subject: Re: [cabf_validation] Domain Validation Requirement of Mozilla
CAInclusion Policy
+1
I tried to address this fact quite some time ago, and either I did not
communicate the idea effectively, or at the time everyone simply disagreed
with my reasoning. Glad to see this topic resurrected.
From: validation-bounces at cabforum.org
[mailto:validation-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Thursday, July 30, 2015 1:03 PM
To: validation at cabforum.org
Subject: [cabf_validation] Domain Validation Requirement of Mozilla
CAInclusion Policy
On today's call I mentioned that the Mozilla CA Inclusion Policy had
something to say about method 1 - "Confirming the Applicant as the Domain
Name Registrant directly with the Domain Name Registrar through a Reliable
Method of Communication, for example using information provided through
WHOIS"
Section 7 of the Mozilla CA Inclusion Policy states: "for a certificate to
be used for SSL-enabled servers, the CA takes reasonable measures to verify
that the entity submitting the certificate signing request has registered
the domain(s) referenced in the certificate or has been authorized by the
domain registrant to act on the registrant's behalf;"
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs
/policy/inclusion/
I don't have any objection to the current wording of method 1, but in my
opinion, a simple WHOIS lookup, without more, doesn't establish that the
entity submitting the CSR is the same entity that registered or is
authorized to use the FQDN because anyone can submit a CSR and claim to be
the entity listed in WHOIS.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/validation/attachments/20150730/5b043450/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6378 bytes
Desc: not available
Url : https://cabforum.org/pipermail/validation/attachments/20150730/5b043450/attachment-0001.bin
More information about the Validation
mailing list