I'm suggesting that we are being asked to review the CPS to ensure that
it conforms to the Mozilla CA policy.  The processes to verify ownership or
control do conform to the current version of the policy.  If you think that
this is bad policy, then it is something that should be addressed as part
of policy revision.

As this is a public comment period, it is of course fine to raise these (or
any other[1]) issues, however I don't think it is appropriate to treat
these as an issue the CA needs to resolve as they are conforming to the
Mozilla CA policy.

Thanks,
Peter

[1] as long as the Community Participation Guidelines are followed

On Fri, Jan 29, 2016 at 6:47 PM, Peter Kurrasch <[email protected]> wrote:

> Thanks for the update on the code signing situation within CABF. Last I
> knew about it, it was on the path towards adoption so it's good to know
> that's no longer the case.
>
> Regarding the processes to verify ownership and control, I hope you're not
> suggesting we should continue to allow provably insecure procedures because
> the BR says it's OK to use them?
>
>
> *From: *Peter Bowen
> *Sent: *Friday, January 29, 2016 8:08 PM
>
> Peter,
>
> I obviously do not represent ComSign, but several of the items in your
> list are not really specific to the CPS and instead are more comments on
> the Mozilla policies.
>
> On Fri, Jan 29, 2016 at 4:24 PM, Peter Kurrasch <[email protected]> wrote:
>
>> * There is a BR from CABF that covers code signing. I must admit I don't
>> know the status of it but this CPS should at least acknowledge it and say
>> if ComSign will adhere to it.
>>
>
> There is not a BR from the CA/Browser Forum.  A subset of the members of
> the CABF drafted a BR, but it failed to be adopted as a Forum Guideline
> when brought to a vote of the whole Forum.  Concerns were raised on several
> fronts, including some specific requirements.  Therefore I don't think it
> is necessary or appropriate for a CA to commit to adhere (or not adhere) to
> a document that is still under development.
>
> Additionally, Mozilla has determined that Code Signing is out of scope for
> the Mozilla CA program.  Therefore, as I understand it, whether a CA issues
> certificates for code signing or not, and the terms under which it does so,
> should not be in scope for review of their CPS in this forum.
>
>
>> * Section 3.2.8.1.1. is provably insecure and should not be used to
>> verify ownership or control of a domain. A WHOIS record might contain an
>> email address of a proxy and is, therefore, unreliable. The "magic" email
>> address names might be directed to an unauthorized person and, therefore,
>> also unreliable.
>>
>
> The process described in 3.2.8.1.1 is the process that was included in the
> Mozilla CA policy (https://wiki.mozilla.org/CA:CertInclusionPolicyV2.0)
> and is now included in the CABF BRs.  It is an approved process to verify
> ownership or control of a domain.
>
>
>> * Section 3.2.8.1.3. is also provably insecure and should not be used.
>> Changing a website proves nothing and if I'm trying to exploit an existing
>> domain for nefarious purposes I probably have control over the website
>> anyway.
>>
>
> The process described in 3.2.8.1.3 is an implementation of section 3.2.2.4
> (6) of the CABF BRs.  It appears to be an approved process to verify
> ownership or control.
>
> Thanks,
> Peter
>
>
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy