[cabf_validation] Using 3.2.2.4.2/.3 for future domains

Peter Bowen pzb at amzn.com
Sat Mar 17 12:29:15 MST 2018



> On Mar 17, 2018, at 11:52 AM, Ryan Sleevi <sleevi at google.com> wrote:
> 
> 
> 
> On Sat, Mar 17, 2018 at 1:46 PM, Peter Bowen <pzb at amzn.com> wrote:
> 
> 
>> On Mar 17, 2018, at 7:43 AM, Ryan Sleevi <sleevi at google.com> wrote:
>> 
>> 
>> 
>> On Fri, Mar 16, 2018 at 4:11 PM, Peter Bowen <pzb at amzn.com> wrote:
>> 
>> I wasn’t asking about validation methods, I was asking about delegation of rights.  When a corporation appoints an officer (who can sign for the company, or put another way has a delegation from the corporation), it is persistent.  If I give someone power of attorney for financial matters, it isn’t only valid for bank accounts which existed at the time the PoA was signed.   If someone has the right to sell a domain, cancel a domain, or transfer a domain (all things which can be done by delegating the right to manage any domain with a given registrant entity), why should they not have the right to approve certificates for the domain?
>> 
>> I understand the appeal of the analogy, but it's not entirely apt. As described, this is the notion of someone granting themselves PoA (and without necessarily even having to disclose this) in perpetuity.
> 
> No, this is Person A granting Person B power of attorney.  Or it is Example Corp appointing Person B as an officer of Example Corp.  I am not a lawyer, but to my knowledge these are generally done in perpetuity and are not publicly disclosed.  
> 
> I disagree with this framing, based on what has been described as both practiced and discussed by CAs. It has consistently been proposed that CAs, under the framework of .1, called the Applicant (based on a QGIS) and asked specifically for the Applicant Representative, without determining that the Applicant Representative was actually authorized to represent the Applicant, save for self-attestation.
> 
> The proposal here, in effect, is to similarly make that grant, in which the Subscriber for one domain (Domain W) is to make a self-assertion that they are authorized for all future domains that may reference or imply being related to the Subscriber.


I think you have confused different proposals.  I was not talking about the Applicant/Subscriber, as defined in the BRs. 

Consider the following example:

The USPTO says “Example Technology Inc, +1-206-166-1000” is the owner of a trademark.  You contact them at that phone number to discuss licensing their trademark and they tell you that Dewey, Chetham, and Howe LLP is their agent for trademark licensing.  Now you contact DCH and work on negotiating a licensing deal.  If the deal ends up covering multiple trademarks all owned by "Example Technology Inc, +1-206-266-1000", you don’t call back Example Technology for each additional trademark to confirm DCH is the agent for that mark as well.

It should be no different for certificates — a Registrant (a legal entity or natural person) can delegate to someone else on a persistent basis.  This could be someone completely independent from the Applicant/Subscriber; it might be a paralegal in their corporate legal group.

I don’t see why this is controversial; this kind of delegation is done every day for all types of contracts.  I’ll bet you accepted this delegation when you got your current job offer — did you ask your employer for a Certificate of Incumbency to confirm the signer was an officer of the corporation?  If you did, how did you authenticate the CoI?

>> Fundamentally, this is a problem with an 'ownership' model of domains, as it attempts to intentionally evade the notion of whether the Applicant Representative is authorized. The discussions during the F2F were very illustrative of this, and the creativity CAs apply to try to reach the Applicant and allow the Applicant to self-attest their authorization.
>> 
>> Let's set aside the ownership question for a second, though, because it's clear that how CAs have interpreted "domain ownership" is fundamentally at odds with a basic level of security - both for users and "victim" domain holders (even if it helps a subset of domain holders). 
> 
> I’m confused by this statement.  The BRs require that the CA verify that the "Applicant had the right to use the Domain Name(s)”.  The strongest evidence of right to use would appear to be that the domain owner/holder/registrant, or their delegated representative, explicitly indicates that the applicant has the right to use.  Do you disagree?
> 
> Except this is not explicit indication for the non-enumerated domains.
>  
> 
>> Consider the use of .7, in which we already permit (by virtue of CNAME) an expression of delegation to a separate entity via DNS. If the entire concern is that the respondent in WHOIS is not the PKI approver (preventing .2 and .3), and that the domain operator "for reasons" cannot configure one of the mailboxes (.4), would the expression of a domain record that allowed for a designated approver suffice? This could be established for all new/additional domains, can be verified technically, can be checked, and is "no worse" than setting a mailbox under .2/.4 or a CNAME under .7 to delegate to a PKI approver. Does this meet the needs?
>> 
>> Or consider during the F2F, there was a discussion of expanding .12 in a way that the DNS Owner could put in a "challenge token" (of sorts) into WHOIS, which allowed them to uniquely and unambiguously link back to the notion of a CA account. Would such a link - in which the CA validated the existence (under the proposed ".13" rules, to be fleshed out) of this random token - suitably replace the need to do an organization-identity link? I think so.
>> 
>> However, if the proposal of the .1 supporters is that they should not have to consult DNS to verify an explicit authorization to delegate - such as a DNS record or (additional) WHOIS configuration - and instead rely on the mere existence of information that ICANN requires of domain holders - then that will remain unacceptable, as it's a fundamentally weak proposition.
> 
> I cannot speak for others, but my assertion is that the BRs are clear.  The Applicant needs _either_ “control” or “right to use” (see §9.6.1(1) ).  The latter is a legal concept.  Are you suggesting that the BRs should be changed to require control (and potentially make it clear that control is the only test; the certificate does not assert that it is authorized control)?
> 
> Without a technical validation, I do not believe the CA can reasonably assert the Applicant has either "control" or "right to use". That is, the notion of "ownership" as proposed is an assumption, not a demonstration, of control/right to use, and it is similarly an assumption that the Applicant Representative is authorized by the domain holder.
> 
> Further, I'm stating that the proposals to date do not meet a reasonable/equivalent model for 9.6.2(2), as compared to the other methods, and that is why it remains problematic. 

I’m assuming you mean §9.6.1(2).  My interpretation is that §9.6.1(2) does not apply to DV certificates — it only applies when a legal entity, natural person, or device is named in the subject; we know it is valid to have a DV certificate with an empty Subject.

> So yes, I disagree that a model of "right to use" and "authorization" based on assumptions and inferences such as "ownership" or "legal entity" is a sufficient level of assurance for the most critical portion of a certificate, the domain name. I do not disagree that these can be components, and particularly necessary components for models such as OV/EV, but they are not sufficient for the assertion of a domain name within a certificate.

I think this is the core disagreement.  You are rejecting contract law and effectively asserting that possession is ten-tenths of the law.

Thanks,
Peter
