[cabf_validation] Fwd: RE: Outline of Method 1 Replacement

Mads Egil Henriksveen Mads.Henriksveen at buypass.no
Thu Mar 15 00:31:35 MST 2018


Hi

Regarding the EVG requirements, I have not identified the specific sections yet. This is simply to indicate that it should be possible to use this specific method for OV in some situations (and not only for EV).

If the Domain Name Registrant is not the Applicant, I think we should use another method. If we allow for the Domain Name Registrant to be the Applicant’s Parent, Subsidiary etc we need to add some additional controls to manage the complexity related to corporate structures. This complicates the use of this method and introduces additional risks for social engineering etc.

Regards
Mads

From: Validation <validation-bounces at cabforum.org> On Behalf Of Adriano Santoni via Validation
Sent: mandag 12. mars 2018 12:10
To: validation at cabforum.org
Subject: Re: [cabf_validation] Fwd: RE: Outline of Method 1 Replacement


Hi,

see my comments in-line >>

Il 12/03/2018 10:34, Dimitris Zacharopoulos via Validation ha scritto:
Posting on behalf of Mads until his posting rights are fixed.

Dimitris.

-------- Forwarded Message --------
Subject:

RE: [cabf_validation] Outline of Method 1 Replacement

Date:

Sun, 11 Mar 2018 12:11:24 +0000

From:

Mads Egil Henriksveen <Mads.Henriksveen at buypass.no><mailto:Mads.Henriksveen at buypass.no>

To:

Wayne Thayer <wthayer at mozilla.com><mailto:wthayer at mozilla.com>, CA/Browser Forum Validation WG List <validation at cabforum.org><mailto:validation at cabforum.org>, Jonathan Rudenberg <jonathan at titanous.com><mailto:jonathan at titanous.com>




As one of the CAs using this method I can confirm that the main objective for us is to avoid an excessive step. If the Applicant is validated according to EV, the authorization to issue is verified similarly and it is “beyond reasonable doubt” that the Applicant is the Domain Name Registrant, we don’t see that adding .2/.3 should be necessary.
>> I agree. In our case, and I am sure the same holds for many other CAs, there are many situations where the Applicant's ownership of a domain can be ascertained beyond any reasonable doubt by examining WHOIS records and cross-checking with the Applicant over a reliable communication channel or possibly face-to-face (in front of a CA salesperson), without any need to technically interact with the domain's HTTP server or DNS server or to send emails to the domain's administrator. The fact (which is unquestionable) that in certain countries and/or with certain request channels the above is not always true, does not seem a good reason to abolish this method.


To achieve this, we could require that this method is to be used for a) EV only or for b) EV and OV if the validation of Applicant identity and the authorization to issue is verified according to EVG.
>> Could you specify the exact EVG sections that would apply in this scenario, in the OV case ?


We should also consider to remove the possibility of allowing the Applicant to include the Applicant's Parent Company, Subsidiary Company, or Affiliate when using this specific method.
>> I am unclear why are you suggesting this... could you please elaborate?


One additional improvement we might consider is to require that the Applicant’s identity (and similar for Domain Name Registrant) should include a registration number or other disambiguating information. As discussed during the validation summit this would be useful for Norwegian organizations and domains in our national TLD-registry and presumably for organizations and ccTLDs in other European countries as well.
>> I agree, and I would also require the Registrant's full address in the whois record for this latter to be acceptable.


The outlined method with or without any combination of the above options will be useful for Buypass, but it would we good to hear what other CAs think about this.
>> I agree.


And I suggest we change the title of the new method to ‘3.2.2.4.13 Validating the Applicant as a Domain Name Registrant’.
>> As there can only be one registrant at any given time, I would rather say "_the_ Domain Name Registrant".


Regards
Mads


From: Validation <validation-bounces at cabforum.org><mailto:validation-bounces at cabforum.org> On Behalf Of Wayne Thayer via Validation
Sent: fredag 9. mars 2018 20:23
To: Jonathan Rudenberg <jonathan at titanous.com><mailto:jonathan at titanous.com>
Cc: CA/Browser Forum Validation WG List <validation at cabforum.org><mailto:validation at cabforum.org>
Subject: Re: [cabf_validation] Outline of Method 1 Replacement

On Fri, Mar 9, 2018 at 11:53 AM, Jonathan Rudenberg <jonathan at titanous.com<mailto:jonathan at titanous.com>> wrote:

Is there a compelling reason to bring back a new version of this method?

Yes, we're asking the same question.

It seems like any modification that adds the appropriate security properties would bring it very close to 3.2.2.4.2 / 3.2.2.4.3. Based on my understanding of the use of this method in the wild, it makes more sense to me for CAs to switch to .2 and .3 for domain ownership authorization and then do necessary additional subject validation with 3.2.2.1 or EVGL 11.8.3.

The obvious example to me is when the CA is already performing EV validation, in which case this could save a step. There are also cases where having a contractual relationship could make this method appealing to a CA. In general, while I see your point, I'm trying not to make assumptions.

Thanks,

Wayne




_______________________________________________

Validation mailing list

Validation at cabforum.org<mailto:Validation at cabforum.org>

https://cabforum.org/mailman/listinfo/validation

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180315/45c4038f/attachment-0001.html>


More information about the Validation mailing list