[cabf_validation] Method 7, when the CA is involved

Doug Beattie doug.beattie at globalsign.com
Wed Jan 5 18:27:41 UTC 2022


Hey Ryan,

I’d be interested in your opinion on the Amazon AWS process. While they are not a CA, they aren’t the subscriber either and they facilitate automated domain validation much like Tim outlined below.

https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html

Should this also be prohibited?

Doug

From: Validation <validation-bounces at cabforum.org> On Behalf Of Ryan Sleevi via Validation
Sent: Wednesday, January 5, 2022 12:58 PM
To: Tim Hollebeek <tim.hollebeek at digicert.com>; CA/Browser Forum Validation SC List <validation at cabforum.org>
Subject: Re: [cabf_validation] Method 7, when the CA is involved

On Thu, Dec 2, 2021 at 3:41 PM Tim Hollebeek via Validation <validation at cabforum.org> wrote:

As discussed on the November 18th validation subcommittee call, I offered to write some text that would clarify the importance of binding the request to the customer when doing method 7, for CAs that allow DNS delegation to a domain they control.

For the purposes of starting the discussion, what about adding the following text to the end of Method 7 (3.2.2.4.7), before the ubiquitous Note:

---

CAs MAY operate domains for the purpose of assisting customers with this validation, and MAY instruct customers to add a CNAME redirect from an Authorization Domain Name to such a domain. If the CA does so, the CA SHALL ensure that each domain name is used for a unique Applicant, and not shared across multiple Applicants.

---

This at least fixes the urgent problem, which is that some CAs might currently be doing this in insecure ways.

Just catching up on this post-break: I thought it was understood that CAs weren't allowed to do what's described above, as it stands in the current BRs.

The reason being that 3.2.2.4.7 requires that the CA confirm the Applicant's control (the entity that operates the device, per 1.6.1), and the CA doing so would not be a demonstration of the Applicant's control.

Is this controversial / not well understood? Would people feel equally comfortable if a customer PBX system simply re-routed an extension back to a CA? Or, similarly, put the CA as the contact in 3.2.2.4.14?

The issue here is the entity performing the demonstration of control is also the entity that is "promoted" to the Subscriber upon issuance. A model where the CA demonstrated control would be the same as the CA becoming the Subscriber, right?

Is the argument that the CA is being designated an Applicant Representative? Doesn't that require explicitly natural (not legal) persons, and thus similarly limit such automation?

Maybe it'd be easier to help me understand how it's authorized if someone works from an assumption that "This is forbidden", and then works through the clauses that make it permissible.
