[cabf_validation] Minutes from the meeting of 2 August 2018

Tim Hollebeek tim.hollebeek at digicert.com
Thu Aug 9 10:06:42 MST 2018

Thanks Doug.  Here is our disclosure.


Our current behavior is to follow one 301 or 302 re-direct.  We will not follow any other kind of redirect.  


We do not operate any locations the re-direct could point to that would allow the domain owner to remove themselves from the process, and would support proposals to tighten up the rules to prohibit re-directs to a location under the CAs control.


We also would support a proposal to restrict the redirect to have to be within the same ADN.  This solves the “re-direct to www” problem a little more cleanly.




From: Validation <validation-bounces at cabforum.org> On Behalf Of Doug Beattie via Validation
Sent: Thursday, August 9, 2018 8:44 AM
To: Wayne Thayer <wthayer at mozilla.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: Re: [cabf_validation] Minutes from the meeting of 2 August 2018


Per our homework assignment:


I looked into how GlobalSign performs HTTP validation with respect to redirects:  We do not follow any redirects.


However, I believe that following redirects only from a domain to the www or www2 subdomain should be supported for the purposes of validating the domain (and redirects to any other domain should not be permitted).




From: Validation < <mailto:validation-bounces at cabforum.org> validation-bounces at cabforum.org> On Behalf Of Wayne Thayer via Validation
Sent: Thursday, August 2, 2018 3:30 PM
To: CA/Browser Forum Validation WG List < <mailto:validation at cabforum.org> validation at cabforum.org>
Subject: [cabf_validation] Minutes from the meeting of 2 August 2018


Minutes from the Validation Subcommittee meeting of 2 August 2018


 Attendees: Tim Hollebeek, Ben Wilson, Shelley Brewer, Bruce Morton, Corey Bonnell, Doug Beattie, Frank Corday, Joanna Fox, Rich Smith, Robin Alden, Li-Chun Chen, Frank Corday


1. Continue re-direct discussion

Wayne listed types of redirects in the Validation Summit Findings document [1] under method 6
Tim: do we have a general idea of what the policy should be?
Ben: No, we need to determine what the concerns are.
Tim: the last two on the list (meta-refresh tag and JavaScript) are bad ideas because they require CAs to run a sophisticated HTML parser that adds complexity and risk. I don’t think CAs intentionally support these, but their code may incidentally support it. Is anyone against banning these two?
Bruce: I can’t comment now
Tim: Are people familiar enough with 300s to discuss?
Doug: I can’t think of a good reason why we should allow any of these
Tim: I’m particularly disturbed when a redirect points back to a site run by the CA. Pointing to another subdomain of the same domain seems reasonable. But I could also argue that it should be a new validation method.
Tim: Does everyone need to give this more thought?
Wayne: We should propose banning redirects and see who complains
Tim: Clients like Curl automatically follow redirects, so people may not recognize the impact.
Corey: Redirects from the base domain to the www subdomain are common. Banning this will cause some pain to Subscribers.
Tim: Can everyone do some homework to determine what their CA’s current redirect behavior is?
Wayne: In most cases CAs could check both the www and base name, but that won’t work if validating the subdomain and validation code is on the base domain.
Tim: Redirecting to another subdomain of the same domain name might be okay - both are controlled by the same entity.
Tim: the basic security property of this method is the ability to control the content of the website, so if www is the same site as the base domain then that should be okay.

2. Discuss Ballot SC2
Tim: Mainly failed due to it being Summertime and lack of time to review. Also some discussion about the phone number validation method colliding with Doug’s method 3 ballot. Decided to split out the phone number portions to a separate ballot.
Bruce: Updated the text to use ADN per comment from Wayne
Corey: what about splitting out text record to a separate ballot?
Tim: most DNS tools don’t support new CAA tags, so the TXT record is essential and it’s a widely accepted approach in the IETF because it works. 
Wayne: is the use of a specific subdomain a change?
Tim: no, that’s how it was spec’d in ballot SC2. I realize TXT support is controversial, but most DNS providers don’t support new CAA tags.

3. Validation Summit Method 3 Ballot
Doug: Changed references to domain contact’s phone number rather than WHOIS registrant. Added info on voicemail handling. Added validation of an ADN. CA can request to be transferred to the domain contact. Plan is a ballot to update method 3 with these clarifications, effective immediately. Also add method 15 for domain contact phone number in CAA and method 16 for domain contact phone number in DNS TXT record. There will only be a phone number and no name in these records because they are there specifically for the purpose of domain validation rather than a more general WHOIS contact phone number. Doug will send out an updated pre-ballot in the next few days. 
Tim: the question of whether you have to ask for someone specific when making the call is an interesting one. Have to think about that.

4. Validation Methods in CAA, ACME, and IETF
Tim: A lot going on here. There is an ACME draft for specifying validation methods in CAA. We discussed in London the use of friendly names rather than OIDs for CAA records. Wayne, the ‘validation method in certificate” ballot uses OIDs, correct?
Wayne: Correct. Concatenate the validation method number with the OID arc.
Wayne: There should be a mapping between OIDs and names
Tim: I prefer to run this through IETF
Ben:  We would be dependent on IETF for adding validation methods
Tim: It would be an IANA registry so would be relatively easy to update
Tim: Also going to send CAA contact tags through IETF but shouldn’t hold up introduction of new methods

5. Validation Methods in Certificates
Wayne: my mental model is that certificates are issued as soon as each SAN passes one method of domain validation, but Doug pointed out on the list that some CAs might validate with multiple methods. The CA can just choose which method to indicate in the certificate, or can indicate multiple methods. The concern is if one method is found to be insecure, then that doesn’t necessarily mean that the cert needs to be replaced. In fact, CAs often revalidate rather than reissuing certs when a validation vulnerability is found. This leads to the conclusion that the validation method information in a certificate can’t be used to determine that the certificate needs to be revoked.
Tim: I agree. The BRs state that the CA must validate using “at least one of the methods below”.
Doug: I also agree, but we don’t know what browsers will do with this information, so we have to assume that browsers will use it to make trust decisions.
Wayne: I view this as information, not a way to enforce policies, and this discussion makes the case for that.
Doug: Can the intent be part of the ballot?
Wayne: Requirements can’t really describe intent, but I’d be happy to add that to the introductory language of the ballot.
Tim: Another question is the ability to describe which sub-methods were used
Wayne: the ballot expresses the current scheme of describing methods, so that scheme would need to change first. In the current scheme, we should break a method with N sub methods into N new methods. 
Tim: I agree. Another concern is with CAA, where constantly changing method numbers could cause problems when certificates are renewed
Bruce: I don’t see method numbers constantly changing once we get through our review of all the methods. Agree that method 2 should be 3 methods.
Doug: Method 2 could really be 9 methods. Or we could have one method for all flavors of phone validation, for instance. We need to decide if we want to make methods more granular. Not convinced it’s worth turning one method into 9.
Corey: If we don’t make things more granular, there isn’t enough value in encoding the method into the cert. The OID for the old and new method 10 would be the same.
Tim: Method 10 is a problem child. It needs to be fixed.

[1] https://docs.google.com/document/d/1aJiOzYVTpoAPVWDucnp20cTO2PR_cRsHncvkhlrcR10/edit#heading=h.29h2q2aeb3nh

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180809/8920c149/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4940 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/validation/attachments/20180809/8920c149/attachment-0001.p7s>

More information about the Validation mailing list