[cabf_validation] Minutes from the meeting of 2 August 2018

Wayne Thayer wthayer at mozilla.com
Thu Aug 9 14:27:53 MST 2018


On Thu, Aug 9, 2018 at 9:03 AM Ryan Sleevi <sleevi at google.com> wrote:

>
> On Thu, Aug 2, 2018 at 3:30 PM Wayne Thayer via Validation <
> validation at cabforum.org> wrote:
>
>> Minutes from the Validation Subcommittee meeting of 2 August 2018
>>
>>  Attendees: Tim Hollebeek, Ben Wilson, Shelley Brewer, Bruce Morton,
>> Corey Bonnell, Doug Beattie, Frank Corday, Joanna Fox, Rich Smith, Robin
>> Alden, Li-Chun Chen, Frank Corday
>>
>> 1. Continue re-direct discussion
>> Wayne listed types of redirects in the Validation Summit Findings
>> document [1] under method 6
>> Tim: do we have a general idea of what the policy should be?
>> Ben: No, we need to determine what the concerns are.
>> Tim: the last two on the list (meta-refresh tag and JavaScript) are bad
>> ideas because they require CAs to run a sophisticated HTML parser that adds
>> complexity and risk. I don’t think CAs intentionally support these, but
>> their code may incidentally support it. Is anyone against banning these two?
>> Bruce: I can’t comment now
>> Tim: Are people familiar enough with 300s to discuss?
>> Doug: I can’t think of a good reason why we should allow any of these
>> Tim: I’m particularly disturbed when a redirect points back to a site run
>> by the CA. Pointing to another subdomain of the same domain seems
>> reasonable. But I could also argue that it should be a new validation
>> method.
>> Tim: Does everyone need to give this more thought?
>> Wayne: We should propose banning redirects and see who complains
>> Tim: Clients like Curl automatically follow redirects, so people may not
>> recognize the impact.
>> Corey: Redirects from the base domain to the www subdomain are common.
>> Banning this will cause some pain to Subscribers.
>> Tim: Can everyone do some homework to determine what their CA’s current
>> redirect behavior is?
>> Wayne: In most cases CAs could check both the www and base name, but that
>> won’t work if validating the subdomain and validation code is on the base
>> domain.
>> Tim: Redirecting to another subdomain of the same domain name might be
>> okay - both are controlled by the same entity.
>> Tim: the basic security property of this method is the ability to control
>> the content of the website, so if www is the same site as the base domain
>> then that should be okay.
>>
>
> Thanks for circulating these, Wayne.
>
> Tim, I'm hoping you can expand more on "I’m particularly disturbed when a
> redirect points back to a site run by the CA.". Are there existing threads
> where you flesh out and articulate these concerns that you could link to?
> If not, could you expand on why you're particularly disturbed?
>
> FWIW and without taking a position, I believe the concern here is that
allowing a redirect to the CA creates a "perma-delegation" of authority to
the CA that, when used much later, may not reflect the intent of the site
owner, just as the ability to indefinitely reuse a random value placed on
the website would if that were permitted. Of course this can also be
achieved with automation like Certbot, but most of our validation methods
are designed to require the domain/site owner to consciously approve the
request. My recollection is that the passive nature of method #1 was one
argument against it.


> For those that share Tim's concerns (as I see Doug just argued only 'www'
> and 'www2' should be permitted), can you articulate them a bit more?
>
>
>>
>> 2. Discuss Ballot SC2
>> Tim: Mainly failed due to it being Summertime and lack of time to review.
>> Also some discussion about the phone number validation method colliding
>> with Doug’s method 3 ballot. Decided to split out the phone number portions
>> to a separate ballot.
>> Bruce: Updated the text to use ADN per comment from Wayne
>> Corey: what about splitting out text record to a separate ballot?
>> Tim: most DNS tools don’t support new CAA tags, so the TXT record is
>> essential and it’s a widely accepted approach in the IETF because it works.
>> Wayne: is the use of a specific subdomain a change?
>> Tim: no, that’s how it was spec’d in ballot SC2. I realize TXT support is
>> controversial, but most DNS providers don’t support new CAA tags.
>>
>> 3. Validation Summit Method 3 Ballot
>> Doug: Changed references to domain contact’s phone number rather than
>> WHOIS registrant. Added info on voicemail handling. Added validation of an
>> ADN. CA can request to be transferred to the domain contact. Plan is a
>> ballot to update method 3 with these clarifications, effective immediately.
>>
>
> Is there a draft version circulating with these proposed changes? I may
> have missed it, but I couldn't find it while scanning my e-mail.
>
>
I believe the proposal is under method 3 in the Validation Summit Findings
doc.

5. Validation Methods in Certificates
>> Wayne: my mental model is that certificates are issued as soon as each
>> SAN passes one method of domain validation, but Doug pointed out on the
>> list that some CAs might validate with multiple methods. The CA can just
>> choose which method to indicate in the certificate, or can indicate
>> multiple methods. The concern is if one method is found to be insecure,
>> then that doesn’t necessarily mean that the cert needs to be replaced. In
>> fact, CAs often revalidate rather than reissuing certs when a validation
>> vulnerability is found. This leads to the conclusion that the validation
>> method information in a certificate can’t be used to determine that the
>> certificate needs to be revoked.
>> Tim: I agree. The BRs state that the CA must validate using “at least one
>> of the methods below”.
>>
>
> Can someone describe a bit more about the scenarios in which a CA performs
> validation using several simultaneous methods?
>
>
The scenario I'm thinking about is a CA that simultaneously attempts
multiple automated methods of domain validation where more than one can
succeed prior to issuance. Regardless of the scenario, this is possible so
we should account for it.

Doug: I also agree, but we don’t know what browsers will do with this
>> information, so we have to assume that browsers will use it to make trust
>> decisions.
>> Wayne: I view this as information, not a way to enforce policies, and
>> this discussion makes the case for that.
>> Doug: Can the intent be part of the ballot?
>> Wayne: Requirements can’t really describe intent, but I’d be happy to add
>> that to the introductory language of the ballot.
>> Tim: Another question is the ability to describe which sub-methods were
>> used
>> Wayne: the ballot expresses the current scheme of describing methods, so
>> that scheme would need to change first. In the current scheme, we should
>> break a method with N sub methods into N new methods.
>> Tim: I agree. Another concern is with CAA, where constantly changing
>> method numbers could cause problems when certificates are renewed
>> Bruce: I don’t see method numbers constantly changing once we get through
>> our review of all the methods. Agree that method 2 should be 3 methods.
>> Doug: Method 2 could really be 9 methods. Or we could have one method for
>> all flavors of phone validation, for instance. We need to decide if we want
>> to make methods more granular. Not convinced it’s worth turning one method
>> into 9.
>> Corey: If we don’t make things more granular, there isn’t enough value in
>> encoding the method into the cert. The OID for the old and new method 10
>> would be the same.
>> Tim: Method 10 is a problem child. It needs to be fixed.
>>
>
> Aren't any issues with this resolved by indicating the earliest of the
> validation that occurred?
>

I'm not following - please explain your thinking.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180809/d7349414/attachment.html>


More information about the Validation mailing list