On Wednesday, January 10, 2018 at 4:24:54 PM UTC-5, Tim Hollebeek wrote:
 
> As you know, BR 3.2.5 requires CAs to verify the authenticity of a request
> for an OV certificate through a Reliable Method of Communication (RMOC).
> Email can be a RMOC, but in these cases, the email address was a constructed
> email address as in BR 3.2.2.4.4.  Despite the fact that these addresses are
> standardized in RFC 2142 or elsewhere, we do not believe this meets the
> standard of "verified using a source other than the Applicant
> Representative."

I agree. The intention for the constructed email from BR 3.2.2.4.4 was supposed 
to be to "confirm the Applicant's control over the FQDN" and not to perform
the BR 3.2.5 requirement "to verify the authenticity of the Applicant 
Representative’s certificate request."

I also don't think a CA should use the information from 3.2.2.4.2 (Email, Fax, 
SMS, or Postal Mail) or 3.2.2.4.3 (phone number) to get the BR 3.2.5 
authorization. The issue is the CA may end up using the same data to perform 
both 3.2.2.4 and 3.2.5 and will not mitigate the risk that the attacker 
controls the WHOIS data.

It would be more secure if the CA used two separate methods of communication 
for 3.2.2.4 and 3.2.5.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
