[cabf_validation] Domain Validation Requirement of Mozilla CA Inclusion Policy

Doug Beattie doug.beattie at globalsign.com
Thu Jul 30 13:43:45 MST 2015


Yeah, I agree with both of you.  Item 1 is not good unless you've validated that the Applicant (or company, whatever) is the entity submitting the request to have the domain validated.  For DV orders this really defaults to #2 where you send an email or communicate via a Reliable Method - something electronic which is a challenge. For OV orders you may have a more "personal" relationship where you challenge via doing business with each other (POs, billing, emails, etc.) and that you know (again, via a different type of challenge response) the person you're talking to is the Domain Name Registrant (still looking at the WHOIS info).

It all comes down to being sure you "Confirm the Applicant...".  Looking up their provided name without knowing who you're really talking to isn't Confirming the Applicant.  I think #1 as written is good, maybe we need to add a couple of the Mozilla words: "take reasonable measures to verify the entity submitting the request is..."   Kirk and I will come up with something and send it around.

Doug

From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of Rich Smith
Sent: Thursday, July 30, 2015 3:58 PM
To: 'Bruce Morton' <bruce.morton at entrust.com>; 'Ben Wilson' <ben.wilson at digicert.com>; validation at cabforum.org
Subject: Re: [cabf_validation] Domain Validation Requirement of Mozilla CA Inclusion Policy

I somewhat agree, Bruce, but identity verification notwithstanding, domain control verification is THE absolute critical component of any type of SSL/TLS certificate.  IMO we should never rely solely on looking at WHOIS info for that.  There should always be required some sort of challenge/response that clearly demonstrates domain control.  I don't necessarily think that needs to happen on EVERY request, if dealing with a client who orders multiple certificates for various sub-domains, but I think it should be required to be demonstrated at least once every 39 months just like everything else.
-Rich

From: Bruce Morton [mailto:bruce.morton at entrust.com]
Sent: Thursday, July 30, 2015 3:27 PM
To: richard.smith at comodo.com; 'Ben Wilson'; validation at cabforum.org
Subject: RE: [cabf_validation] Domain Validation Requirement of Mozilla CA Inclusion Policy

For OV and EV, the CAs do more. In both cases the identity, domain and authorization need to be validated. This combination has been working well for us over the last many years.

On the other hand, I do not think that it is best for DV.

Bruce.

From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of Rich Smith
Sent: Thursday, July 30, 2015 2:33 PM
To: 'Ben Wilson' <ben.wilson at digicert.com>; validation at cabforum.org
Subject: Re: [cabf_validation] Domain Validation Requirement of Mozilla CA Inclusion Policy

+1
I tried to address this fact quite some time ago, and either I did not communicate the idea effectively, or at the time everyone simply disagreed with my reasoning.  Glad to see this topic resurrected.

From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Thursday, July 30, 2015 1:03 PM
To: validation at cabforum.org
Subject: [cabf_validation] Domain Validation Requirement of Mozilla CA Inclusion Policy

On today's call I mentioned that the Mozilla CA Inclusion Policy had something to say about method 1 - "Confirming the Applicant as the Domain Name Registrant directly with the Domain Name Registrar through a Reliable Method of Communication, for example using information provided through WHOIS"

Section 7 of the Mozilla CA Inclusion Policy states: "for a certificate to be used for SSL-enabled servers, the CA takes reasonable measures to verify that the entity submitting the certificate signing request has registered the domain(s) referenced in the certificate or has been authorized by the domain registrant to act on the registrant's behalf;"  https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/

I don't have any objection to the current wording of method 1, but in my opinion, a simple WHOIS lookup, without more, doesn't establish that the entity submitting the CSR is the same entity that registered or is authorized to use the FQDN because anyone can submit a CSR and claim to be the entity listed in WHOIS.
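Added example, not code from the thread or from any CA named in it: a minimal illustration of the distinction Ben and Rich draw above. The first function is a WHOIS lookup "without more" (matching the registrant name the requester claims against the public record), which anyone can pass. The second is a challenge/response check in which the CA issues a random token tied to one request and only accepts the domain once a value derived from that token appears in DNS. The WHOIS data, the `_ca-validation` TXT label, the hash construction, the one-hour lifetime and the in-memory resolver are all assumptions made so the example runs offline; they are not any CA's actual procedure.

```python
"""Added example (not from the CAB Forum thread): a WHOIS-only check next to a
token challenge that actually demonstrates control of the domain."""
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample WHOIS data; not a real record.
WHOIS: Dict[str, Dict[str, str]] = {"example.com": {"registrant": "Example Corp"}}


def whois_name_match(domain: str, claimed_registrant: str) -> bool:
    """WHOIS lookup 'without more': any requester who copies the public
    registrant name passes, so this says nothing about who sent the CSR."""
    record = WHOIS.get(domain)
    return record is not None and record["registrant"] == claimed_registrant


# Hypothetical label and lifetime for the challenge record (assumptions).
CHALLENGE_LABEL = "_ca-validation"
CHALLENGE_TTL = 3600


@dataclass(frozen=True)
class Challenge:
    domain: str
    request_id: str   # binds the challenge to one order / CSR
    token: str        # random, unguessable, single use
    issued_at: float


def issue_challenge(domain: str, request_id: str, now: Optional[float] = None) -> Challenge:
    """CA side: mint a fresh token for this request; the token is returned to
    the applicant through the order channel, never derived from WHOIS."""
    return Challenge(domain, request_id, secrets.token_urlsafe(32),
                     time.time() if now is None else now)


def expected_txt_value(ch: Challenge) -> str:
    """Value the applicant must publish. Hashing token and request id together
    means a record left over from another order cannot satisfy this one."""
    digest = hashlib.sha256(f"{ch.token}.{ch.request_id}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def verify_challenge(ch: Challenge, resolve_txt: Callable[[str], List[str]],
                     now: Optional[float] = None) -> bool:
    """CA side: accept only if the expected value is live in DNS and the
    challenge has not expired. Comparison is constant time."""
    now = time.time() if now is None else now
    if now - ch.issued_at > CHALLENGE_TTL:
        return False
    expected = expected_txt_value(ch).encode()
    found = resolve_txt(f"{CHALLENGE_LABEL}.{ch.domain}")
    return any(hmac.compare_digest(v.encode(), expected) for v in found)


def make_fake_resolver(zone: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Stand-in for a real DNS TXT lookup so the example runs offline."""
    def resolve_txt(name: str) -> List[str]:
        return list(zone.get(name, []))
    return resolve_txt


def demo() -> Dict[str, bool]:
    """Walk both checks through the cases that matter; returns the outcomes."""
    t0 = 1_000_000.0
    ch = issue_challenge("example.com", "order-1", now=t0)
    zone: Dict[str, List[str]] = {}
    resolver = make_fake_resolver(zone)
    out = {
        # Anyone can claim the name printed in WHOIS.
        "whois_match_by_anyone": whois_name_match("example.com", "Example Corp"),
        # Nothing published yet: the requester has not shown control.
        "challenge_before_publish": verify_challenge(ch, resolver, now=t0 + 100),
    }
    # Applicant (someone who can edit the zone) publishes the record.
    zone[f"{CHALLENGE_LABEL}.example.com"] = [expected_txt_value(ch)]
    out["challenge_after_publish"] = verify_challenge(ch, resolver, now=t0 + 100)
    # Same record, but the challenge has aged out.
    out["challenge_expired"] = verify_challenge(ch, resolver, now=t0 + CHALLENGE_TTL + 1)
    # A different order cannot ride on the record published for order-1.
    other = issue_challenge("example.com", "order-2", now=t0 + 100)
    out["stale_record_other_order"] = verify_challenge(other, resolver, now=t0 + 200)
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The WHOIS check returns True for whoever types "Example Corp"; the challenge returns True only after someone who controls the zone publishes a value that could not have been predicted from public data, and it stops returning True once the challenge expires or a different request reuses the record.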
