On Tue, Jan 23, 2018 at 05:03:37PM +0000, Tim Hollebeek wrote:
> No, the BRs codify requirements, not security goals. The Mozilla root program
> requires all CAs to comply with the baseline requirements at all times.
>
> Something similar to PCI/DSS compensating controls existed as Method 11 in
> the BRs previously. It was removed last year in favor of explicit
> requirements.
>
> It is not acceptable to validate domains with a method that does not comply
> with one of the ten approved methods. Any certificates issued based on such
> validations are misissued and should be revoked.
The 10 methods are woefully underspecified for security. There is NO way anyone can evaluate the actual security of the validation methods.

There is at least one method that definitely allows practices with no compensating controls that are deemed too insecure elsewhere in security even with compensating controls. Then there are at least two methods that are argued to be insecure in their strongest forms. Many methods can easily be read in all sorts of weird ways. And sometimes those weird ways are so bizarre I can not fathom the logic. Then there are methods where there are major disagreements on what those actually allow or not.

Oh, and the method very similar to the proposed one (involving a static CNAME as persistent authentication) is being used in the wild. And due to the fundamental nature of DNS, even a static zone can yield variable results for names under the zone.

-Ilari

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme