[cabf_validation] Outline of Method 1 Replacement

Bruce Morton Bruce.Morton at entrustdatacard.com
Mon Mar 12 06:11:16 MST 2018


I think that would depend on how you do the 3.2.5 step.

Per Wayne’s proposal, we need to use the Registrant’s information to tie the domain to the Applicant; this will protect the use of the domain. However, we also need to protect the identity. This would be done by contacting the Applicant through 3.2.5. You cannot use the Registrant’s contact information for 3.2.5 as you will fall into the trap that the Registrant is the attacker. It would be best to use contact information found from the 3.2.2.1 identity check.

Bruce.

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Jeremy Rowley via Validation
Sent: March 9, 2018 6:02 PM
To: Wayne Thayer <wthayer at mozilla.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>; Jonathan Rudenberg <jonathan at titanous.com>
Subject: [EXTERNAL]Re: [cabf_validation] Outline of Method 1 Replacement

Not sure if this is legit Mozilla or not, but this could totally get an OV cert under method 1 as written/proposed:

https://secure.utah.gov/bes/details.html?entity=7141900-0143

Note that I could confirm authenticity with Ben Galbrath (replace that name with Jeremy Rowley). The address matches Mozilla’s mountain view address. If Ben had wanted, he could have listed his phone number there as well, allowing the authenticity check to complete with just Ben’s information.

EV would be more difficult as the jurisdiction info isn’t correct (and the status is listed as expired)

From: Validation <validation-bounces at cabforum.org<mailto:validation-bounces at cabforum.org>> On Behalf Of Wayne Thayer via Validation
Sent: Friday, March 9, 2018 12:23 PM
To: Jonathan Rudenberg <jonathan at titanous.com<mailto:jonathan at titanous.com>>
Cc: CA/Browser Forum Validation WG List <validation at cabforum.org<mailto:validation at cabforum.org>>
Subject: Re: [cabf_validation] Outline of Method 1 Replacement

On Fri, Mar 9, 2018 at 11:53 AM, Jonathan Rudenberg <jonathan at titanous.com<mailto:jonathan at titanous.com>> wrote:

Is there a compelling reason to bring back a new version of this method?

Yes, we're asking the same question.

It seems like any modification that adds the appropriate security properties would bring it very close to 3.2.2.4.2 / 3.2.2.4.3. Based on my understanding of the use of this method in the wild, it makes more sense to me for CAs to switch to .2 and .3 for domain ownership authorization and then do necessary additional subject validation with 3.2.2.1 or EVGL 11.8.3.

The obvious example to me is when the CA is already performing EV validation, in which case this could save a step. There are also cases where having a contractual relationship could make this method appealing to a CA. In general, while I see your point, I'm trying not to make assumptions.

Thanks,

Wayne
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180312/9b2c311f/attachment.html>


More information about the Validation mailing list