[cabf_validation] Fwd: RE: Outline of Method 1 Replacement

Adriano Santoni adriano.santoni at staff.aruba.it
Thu Mar 15 01:08:43 MST 2018 

Hi, see below >>


Il 15/03/2018 08:31, Mads Egil Henriksveen ha scritto:
>
> Hi
>
> Regarding the EVG requirements, I have not identified the specific 
> sections yet. This is simply to indicate that it should be possible to 
> use this specific method for OV in some situations (and not only for EV).
>
> If the Domain Name Registrant is not the Applicant, I think we should 
> use another method. If we allow for the Domain Name Registrant to be 
> the Applicant’s Parent, Subsidiary etc we need to add some additional 
> controls to manage the complexity related to corporate structures. 
> This complicates the use of this method and introduces additional 
> risks for social engineering etc.
>
 >> I do not see much complexity in that. In most of the cases we handle 
in our experience, involving small, medium and large private and public 
organizations, either applicants have no objections to proving their 
affiliation with the domain registrant (or vice versa) or the 
information is easily found in reliable information sources. And in the 
few cases when affiliation is unproven or doubt, the certificate request 
is rejected - quite simply.
>
> Regards
>
> Mads
>
> *From:*Validation <validation-bounces at cabforum.org> *On Behalf Of 
> *Adriano Santoni via Validation
> *Sent:* mandag 12. mars 2018 12:10
> *To:* validation at cabforum.org
> *Subject:* Re: [cabf_validation] Fwd: RE: Outline of Method 1 Replacement
>
> Hi,
>
> see my comments in-line >>
>
> Il 12/03/2018 10:34, Dimitris Zacharopoulos via Validation ha scritto:
>
>     Posting on behalf of Mads until his posting rights are fixed.
>
>
>     Dimitris.
>
>     -------- Forwarded Message --------
>
>     *Subject: *
>
>     	
>
>     RE: [cabf_validation] Outline of Method 1 Replacement
>
>     *Date: *
>
>     	
>
>     Sun, 11 Mar 2018 12:11:24 +0000
>
>     *From: *
>
>     	
>
>     Mads Egil Henriksveen <Mads.Henriksveen at buypass.no>
>     <mailto:Mads.Henriksveen at buypass.no>
>
>     *To: *
>
>     	
>
>     Wayne Thayer <wthayer at mozilla.com> <mailto:wthayer at mozilla.com>,
>     CA/Browser Forum Validation WG List <validation at cabforum.org>
>     <mailto:validation at cabforum.org>, Jonathan Rudenberg
>     <jonathan at titanous.com> <mailto:jonathan at titanous.com>
>
>
>
>
>     As one of the CAs using this method I can confirm that the main
>     objective for us is to avoid an excessive step. If the Applicant
>     is validated according to EV, the authorization to issue is
>     verified similarly and it is “beyond reasonable doubt” that the
>     Applicant is the Domain Name Registrant, we don’t see that adding
>     .2/.3 should be necessary.
>
> >> I agree. In our case, and I am sure the same holds for many other 
> CAs, there are many situations where the Applicant's ownership of a 
> domain can be ascertained beyond any reasonable doubt by examining 
> WHOIS records and cross-checking with the Applicant over a reliable 
> communication channel or possibly face-to-face (in front of a CA 
> salesperson), without any need to technically interact with the 
> domain's HTTP server or DNS server or to send emails to the domain's 
> administrator. The fact (which is unquestionable) that in certain 
> countries and/or with certain request channels the above is not always 
> true, does not seem a good reason to abolish this method.
>
>     To achieve this, we could require that this method is to be used
>     for a) EV only or for b) EV and OV if the validation of Applicant
>     identity and the authorization to issue is verified according to EVG.
>
> >> Could you specify the exact EVG sections that would apply in this 
> scenario, in the OV case ?
>
>     We should also consider to remove the possibility of allowing the
>     Applicant to include the Applicant's Parent Company, Subsidiary
>     Company, or Affiliate when using this specific method.
>
> >> I am unclear why are you suggesting this... could you please elaborate?
>
>     One additional improvement we might consider is to require that
>     the Applicant’s identity (and similar for Domain Name Registrant)
>     should include a registration number or other disambiguating
>     information. As discussed during the validation summit this would
>     be useful for Norwegian organizations and domains in our national
>     TLD-registry and presumably for organizations and ccTLDs in other
>     European countries as well.
>
> >> I agree, and I would also require the Registrant's full address in 
> the whois record for this latter to be acceptable.
>
>     The outlined method with or without any combination of the above
>     options will be useful for Buypass, but it would we good to hear
>     what other CAs think about this.
>
> >> I agree.
>
>     And I suggest we change the title of the new method to ‘3.2.2.4.13
>     Validating the Applicant as a *Domain Name Registrant’.*
>
> >> As there can only be one registrant at any given time, I would 
> rather say "_the_ Domain Name Registrant".
>
>     Regards
>
>     Mads
>
>     *From:*Validation <validation-bounces at cabforum.org>
>     <mailto:validation-bounces at cabforum.org> *On Behalf Of *Wayne
>     Thayer via Validation
>     *Sent:* fredag 9. mars 2018 20:23
>     *To:* Jonathan Rudenberg <jonathan at titanous.com>
>     <mailto:jonathan at titanous.com>
>     *Cc:* CA/Browser Forum Validation WG List
>     <validation at cabforum.org> <mailto:validation at cabforum.org>
>     *Subject:* Re: [cabf_validation] Outline of Method 1 Replacement
>
>     On Fri, Mar 9, 2018 at 11:53 AM, Jonathan Rudenberg
>     <jonathan at titanous.com <mailto:jonathan at titanous.com>> wrote:
>
>
>         Is there a compelling reason to bring back a new version of
>         this method?
>
>     Yes, we're asking the same question.
>
>         It seems like any modification that adds the appropriate
>         security properties would bring it very close to 3.2.2.4.2 /
>         3.2.2.4.3. Based on my understanding of the use of this method
>         in the wild, it makes more sense to me for CAs to switch to .2
>         and .3 for domain ownership authorization and then do
>         necessary additional subject validation with 3.2.2.1 or EVGL
>         11.8.3.
>
>     The obvious example to me is when the CA is already performing EV
>     validation, in which case this could save a step. There are also
>     cases where having a contractual relationship could make this
>     method appealing to a CA. In general, while I see your point, I'm
>     trying not to make assumptions.
>
>     Thanks,
>
>     Wayne
>
>
>
>
>     _______________________________________________
>
>     Validation mailing list
>
>     Validation at cabforum.org <mailto:Validation at cabforum.org>
>
>     https://cabforum.org/mailman/listinfo/validation
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180315/b6039703/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4025 bytes
Desc: Firma crittografica S/MIME
URL: <http://cabforum.org/pipermail/validation/attachments/20180315/b6039703/attachment-0001.p7s>

More information about the Validation mailing list