[cabf_validation] Pre pre ballot for updated validation method #3 (Phone)
Doug Beattie
doug.beattie at globalsign.com
Thu May 10 13:18:07 MST 2018
As discussed on the call today, I think we're getting ready to ballot this updated method.
https://docs.google.com/document/d/1aJiOzYVTpoAPVWDucnp20cTO2PR_cRsHncvkhlrcR10/edit#
Please provide me any comments, or make a comment directly on the above page.
When should this be effective? In order to support an orderly transition, I recommend adding this as a new Domain Validation method and then setting an end date for method 3, likely 3-6 months from the effective date. Please comment on the timeline for removing the existing method 3.
I'm looking for 2 endorsers.
----------------------------------------
For ease of review, here is the current section of the above Google Doc:
Method 3 - Phone Contact with Domain Contact:
Current Ballot Text:
Confirming the Applicant's control over the FQDN by calling the Domain Name Registrant's phone number and obtaining a response confirming the Applicant's request for validation of the FQDN. The CA MUST place the call to a phone number identified by the Domain Name Registrar as the Domain Contact.
Each phone call SHALL be made to a single number and MAY confirm control of multiple FQDNs, provided that the phone number is identified by the Domain Registrar as a valid contact method for every Base Domain Name being verified using the phone call.
Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names.
Potential Risks

Risk: This is more of a limitation than a risk, but using only the Domain Name Registrant's phone number is overly restrictive.
Mitigation: Change "Domain Name Registrant" to "Domain Contact"
Discussion: We should allow the phone call to be placed to a Domain Contact (includes the registrant).

Risk: It's not clear how phone transfers should be handled, and this weakness could be exploited.
Mitigation: Prohibit transfers except to a specified Domain Contact (CA must ask to be transferred to them by name). Use of un-named contacts (like IT Department) cannot be used.
Discussion: Consider not allowing any transfers except to a Domain Contact, otherwise "anyone" could approve the domain.

Risk: It's not clear how voicemail messages can be used (or not) with this method.
Mitigation: If voicemail is reached, allow a Random Value to be left. The Applicant can convey this back to the CA within 30 days to approve the domain.
Discussion: The challenge-response via a person is more clear (are you Mr. Domain Contact and do you approve this domain), but with voicemail you do not have this exchange.
In order for the individual listening to the voicemail to properly "authenticate" themselves to the CA when returning the call (or sending an email), they must provide proof that they listened to the voicemail.
Recommend that the CA leave a Random Value on the voicemail which can be conveyed back to the CA to approve the domain.

Risk: While the Applicant is asking for a FQDN to be validated, the validation is actually being done for the Base Domain Name.
Mitigation: Recommend changing:
...confirming the Applicant's request for validation of the {+Base Domain Name+} [-FQDN-]

Risk: Does the "note" provide any value, or should this be deleted?
Mitigation: TBD
Recommended Updates
1. The phone call and response should confirm the validation of the Base Domain Name, not the FQDN.
2. There is an inconsistency between Domain Name Registrant and Domain Contact, so we should say the call can be made to a "Domain Contact" vs. "Domain Name Registrant".
3. Don't permit transfers except to a Domain Contact.
4. If voicemail is reached, allow Random Number to be left. It must be returned to the CA within 30 days.
5. Should we remove the note? TBD
Recommended new method
Confirming the Applicant's control over the FQDN by calling the [-Domain Name Registrant's-] {+Domain Contact's+} phone number and obtaining a response confirming the Applicant's request for validation of the {+Base Domain Name+} [-FQDN-]. The CA MUST place the call to a phone number identified by the Domain Name Registrar as the Domain Contact.
Each phone call SHALL be made to a single number and MAY confirm control of multiple [-FQDNs-] {+Base Domain Names+}, provided that the phone number is identified by the Domain Registrar as a valid contact method for every Base Domain Name being verified using the phone call.
In the event that someone other than a Domain Contact is reached, the CA MAY request to be transferred to a Domain Contact. In the event of reaching voicemail, a Random Value shall be left and the Domain Contact may return that to the CA via Phone, Email, Fax, or SMS to approve the domain within 30 days of the voicemail.
Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated [-FQDN-] {+Base Domain Name+}. This method is suitable for validating Wildcard Domain Names.
Doug Beattie
Vice President of Product Management
GlobalSign
Two International Drive | Suite 150 | Portsmouth, NH 03801
Email: doug.beattie at globalsign.com
www.globalsign.com
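Added example, not part of the original message and not any CA's code: a sketch of the voicemail path in the proposed text, where a Random Value is bound to one phone number and to the Base Domain Names for which the registrar lists that number, and is accepted only within 30 days. The function names, the registrar_contacts mapping and the 128-bit hex value are assumptions of this example.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

VOICEMAIL_WINDOW = timedelta(days=30)  # "within 30 days of the voicemail"

@dataclass(frozen=True)
class VoicemailChallenge:
    phone_number: str
    base_domains: frozenset   # Base Domain Names covered by this one call
    random_value: str         # value spoken onto the voicemail
    left_at: datetime

def leave_voicemail(phone_number, requested, registrar_contacts, now):
    """Create a challenge for one call to a single number.

    registrar_contacts (hypothetical input) maps each Base Domain Name to the
    phone numbers the registrar identifies as a Domain Contact.
    """
    not_listed = sorted(d for d in requested
                        if phone_number not in registrar_contacts.get(d, set()))
    if not_listed:
        # The number must be a valid contact for every name being verified.
        raise ValueError(f"number is not a Domain Contact for: {not_listed}")
    # 128 random bits as 32 hex characters (a choice made for this example).
    return VoicemailChallenge(phone_number, frozenset(requested),
                              secrets.token_hex(16), now)

def accept_response(challenge, returned_value, received_at):
    """Return the approved Base Domain Names, or an empty set."""
    age = received_at - challenge.left_at
    in_window = timedelta(0) <= age <= VOICEMAIL_WINDOW
    # Constant-time comparison so response timing leaks nothing about the value.
    matches = hmac.compare_digest(returned_value.strip().lower().encode(),
                                  challenge.random_value.encode())
    return set(challenge.base_domains) if in_window and matches else set()

def covers(fqdn, approved):
    """True if fqdn equals, or ends with all labels of, an approved name."""
    name = fqdn.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]       # a wildcard is validated via its parent name
    return any(name == d or name.endswith("." + d) for d in approved)
```

The suffix check in covers() compares whole labels, so badexample.com does not match example.com.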