On Tue, Apr 17, 2018 at 9:21 PM, Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> There is a way to get zero-validation certs, totally legit, under the BRs. > Currently, the BRs permit pretty much free delegation of Registration > Authorities for everything except domain verification. Without RA audit > requirements or even a requirement that the CA monitor/control the RA, the > cynical-side of me doubts whether the verification is enforced without the > CA first receiving a third-party complaint. Section 1.32 permits free RA > delegation if the verification requirements are met by the process as a > whole and that a contract exist between the delegated third party to do the > following:"(1) Meet the qualification requirements of Section 5.3.1, when > applicable to the delegated function; (2) Retain documentation in > accordance > with Section 5.5.2; (3) Abide by the other provisions of these Requirements > that are applicable to the delegated function; and (4) Comply with (a) the > CA's Certificate Policy/Certification Practice Statement or (b) the > Delegated Third Party's practice statement that the CA has verified > complies > with these Requirements.". Essentially, as long as there is a) a contract > between the CA and RA, and b) the CA is performing domain verification (and > c) no one complains), the RA is free to do whatever the RA deems > appropriate, permitting the CA to circumvent the BRs and audit oversight. > There's no requirement that the CA audit the RA's role in the verification > process or that the RA provide any reporting to the CA or auditors. > > BR section 1.3.2 defines a Registration Authority as a Delegated Third Party. Section 8.7 says: Except for Delegated Third Parties that undergo an annual audit that meets the criteria specified in Section 8.1, the CA SHALL strictly control the service quality of Certificates issued or containing information verified by a Delegated Third Party by having a Validation Specialist employed by the CA perform ongoing quarterly audits against a randomly selected sample of at least the greater of one certificate or three percent of the Certificates verified by the Delegated Third Party in the period beginning immediately after the last sample was taken. The CA SHALL review each Delegated Third Party’s practices and procedures to ensure that the Delegated Third Party is in compliance with these Requirements and the relevant Certificate Policy and/or Certification Practice Statement. The CA SHALL internally audit each Delegated Third Party’s compliance with these Requirements on an annual basis. The WebTrust BR audit criteria include a number of controls related to CA oversight of Delegated Third Parties, including 6.6: The CA maintains controls to provide reasonable assurance that the CA internally audits each Delegated Third Party’s compliance with the Baseline Requirements on an annual basis. > > > Combined with method 1, there is no obligation the CA actually do anything > to vet the customer or obtain any evidence that the customer even exists. > As you all know, method 1 requires only that the CA confirm the WHOIS > information matches the applicant. As long as the WHOIS information > matches, > problem solved. As noted above, the RA is not actually required to do any > validation (just say that they do) so if the RA passes over the WHOIS name > as the verified information, the cert will issue without a second glance. > > > > I realize that method 1 and method 5 are going away (for good reason), but > that doesn't happen until August. I'd be interested in seeing whether > someone can get a cert in this manner from a CA that supports RAs. > > > > Jeremy > > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
