[cabf_validation] Agenda for March 1st prep call for Validation Summit

Doug Beattie doug.beattie at globalsign.com
Tue Feb 27 12:59:56 MST 2018


Hi Tim,

I'm not clear on what we're spending the first hour on and would suggest we get right to the descriptions of the 12 methods as quickly as possible.

I'm hoping we can discuss the pros and cons of each method and document the strengths and weaknesses, but you have only 30 minutes for that at the end.  I don't think Hour 5 is fully loaded, so maybe there is time there?  Can we find more time for this, or prepare ahead of time?  I'd like to understand things like this, which I think is the most important thing we can do:

-          For email validation using constructed email addresses: If the domain owner permits email on the domain and they don't lock down the approved email boxes (admin, root, etc.) then they are at risk (the domain owner needs to take action to protect their domain)

-          For well-known:

o   If the hosting entity can insert web site content, then the web provider can get certs for any site they host.  If you've delegated control of your web site, then perhaps you've knowingly delegated cert issuance.  But, maybe you didn't understand what you delegated. (Same goes for DNS validation)

o   If the server follows redirects, and there are blanket redirects, then that opens up the system to attacks (per Ryan and I probably have this incorrectly stated)

-          For methods 9 and 10, if the hosting provider does not separate different customers on shared IP addresses sufficiently well, then one customer can obtain certificates for any other customer on their shared IP address.  In order to use these methods, you need the hosting entity to acknowledge they are abiding by these rules.

Would it make sense to start defining these prior to the summit?  If so, maybe we should create a shared document like Wayne did for his "Ground Rules" document.  What do you think?

https://docs.google.com/document/d/1IzCmKXyPoPgIpUsyPeKG4r3AHuSp5JCcaEOJSiKk_zY/edit


IP address validation: We should lay out the top level questions and assumptions.  We discussed this on a call or two and I think we understand some of the concerns which would be a good starting point.

Doug


From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Tim Hollebeek via Validation
Sent: Tuesday, February 27, 2018 2:15 PM
To: validation at cabforum.org
Subject: [cabf_validation] Agenda for March 1st prep call for Validation Summit


See attached.

If you have any comments or questions, please respond on this thread.  The more we can handle before the summit, the more time we will have for discussion at the summit.

-Tim

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180227/40c421c7/attachment.html>


More information about the Validation mailing list