> On Jan 23, 2018, at 14:36, Bruce Morton <[email protected]> > wrote: > > Hi Jonathan, > > Please note that the domain validation methods under BR 3.2.2.4 are > introduced as follows: "This section defines the permitted processes and > procedures for validating the Applicant's ownership *or* control of the > domain." There is no requirement of proving both domain ownership and > control, and proving only domain control has its own security vulnerabilities.
The method you’ve described does not establish domain ownership either. All it establishes it that you asked for an attacker-controlled name at a phone number from a potentially attacker-controlled third-party database record that matches some fields in the WHOIS data. > Finally we do 3.2.5, the authorization to issue check. We do not use the > information from WHOIS to perform this check. The reason is most information > is provided by the Registrant, so using it would be considered allowing > self-validation. This information may be OK to use to show domain control, > but should not be used for authorization to issue. As such, we call the > Applicant, which also owns the domain to confirm authorization to issue. You > say that the Applicant Authorization Contact does not control the domain and > you are probably right. Actually, we think that the Applicant Technical > Contact controls the domain. We don't want to contact the Applicant Technical > Contact as again, this would be self-verification. Also, in many cases, the > Applicant Technical Contact is a contractor or hoster and should not verify > authorization to issue. We use a phone number found in a QIIS to contact the > Applicant. This verifies that the Applicant Authorization Contact is employed > by the Applicant and the CA relies on their authority. There are a lot of assumptions being made here that don’t fit the adversarial threat model of the WebPKI. Just because someone is routable via an arbitrary phone number does not indicate that they are the domain owner or even employed by the entity that you believe is associated with the phone number. Jonathan _______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
