On Sun, March 22, 2015 4:18 pm, Kathleen Wilson wrote:
> After reading this:
>
> https://raymii.org/s/blog/How_I_got_a_valid_SSL_certificate_for_my_ISPs_main_website.html
>
> I'm thinking we need to update our wiki page:
>
>
> https://wiki.mozilla.org/CA:Problematic_Practices#Email_Address_Prefixes_for_DV_Certs
> ~~~
> For domain-validated SSL certificates, many CAs use an email
> challenge-response mechanism to verify that the SSL certificate
> subscriber owns/controls the domain to be included in the certificate.
> Some CAs allow applicants to select an address from a predetermined list
> to be used for this verification.
>
> Offering too many options for the email address prefix increases the
> risk of issuing a certificate to a subscriber who does not own/control
> the domain. Therefore, the list of email address prefixes should be
> limited.
>
> Mozilla's recommendation is to limit the set of verification addresses
> to the following.
>
> admin@domain
> administrator@domain
> webmaster@domain
> hostmaster@domain
> postmaster@domain
> Plus any address listed in the technical or administrative contact
> field of the domain's WHOIS record, regardless of the addresses' domains.
> ~~~
>
> What do you all think?
>
> Kathleen
>
> (Note this is also in Baseline Requirements section 11.1.1)
Hi Kathleen,
I'm slightly concerned with the wording, because it seems to reinforce the
notion that this is a Mozilla policy-specific requirement, rather than the
Baseline Requirements, as you note. It also reinforces the notion of
"Domain-validated" SSL certs, which are simply a marketing term that CAs
have created for BR-complying certs that don't contain organizational
information (which the BRs list as optional, but, if present, must comply
to certain requirements)
The other thing with your proposed wording is that it doesn't handle the
FQDN pruning permitted by 11.1.1 p4. That is, if I apply for
ryan.sleevi.example.com, then a CA is allowed to use {whitelisted
address}@ryan.sleevi.example.com, {whitelisted
address}@sleevi.example.com, or {whitelisted address}@example.com during
the application (as indeed, ryan.sleevi.example.com and sleevi.example.com
may not have MX records)
Because of this, perhaps it might be simpler to word
~~~
Mozilla's Root Inclusion Policy requires that CAs conform to the Baseline
Requirements in the issuance and management of publicly trusted SSL
certificates. This includes the Baseline Requirements' restrictions and
requirements on the use of email as a way of validating and authenticating
certificate requests.
CAs are expected to conform to Section 11.1.1, which restricts the email
addresses that may be used to authenticate the subscriber to information
listed in the "registrant", "technical", or "administrative" WHOIS records
and a selected whitelist of local addresses, which includes local-parts of
"admin", "administrator", "webmaster", "hostmaster", and "postmaster".
A CA that authorizes requests by contacting any other email addresses is
deemed to be non-compliant with Mozilla's Inclusion Policy, non-conforming
to the Baseline Requirements, and may have action taken upon it as
described in "Maintaining Confidence in Included Root Certificates".
CAs are also reminded that this policy extends to any certificates that
are technically capable of issuing SSL certificates and that are not
technically constrained; subordinate CAs that fail to enforce these
requirements reflect upon the issuing CA that certified it.
~~~
Or something to that nature.
I'm totally on board with spelling it out, but the fact is, this is a
Baseline Requirements requirement, and is perhaps the most basic. Any CA
not following this raises serious red flags for the rest of 11.1.1 (the
single most important requirement of the BRs), and raises serious
questions as to the competence of the CA.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
