On Wed, Dec 9, 2015 at 8:36 PM, Peter Kurrasch <[email protected]> wrote:
> Thanks for the info, Kathleen. Originally my concern was mostly with
> domain registrant proxies (if that's the preferred term?) but after
> reviewing BR v1.3.1 I'm afraid my concerns have grown. All of the items
> listed under section 3.2.2.4 have problems but some are worse than others
> (and there probably is no ideal solution anyway).
>
> 4) Using WHOIS data as spelled out in item 3 is probably the most reliable
> mechanism since it is probably the least likely (amongst the other methods
> in section 3.2.2.4) to be falsified. That doesn't mean it can't be
> falsified, of course. However, if we set that aside there is still the
> matter of dealing with registrant proxies. If such a proxy is used, the
> information in whois cannot be relied upon to validate that the cert
> applicant is the actual domain owner.
>
> Any thoughts? Did I overlook something?
>
Peter,

I think there is a key thing you overlooked. There is no requirement that
the certificate applicant is the domain owner. The Mozilla policy states
that the applicant can be authorized by the registrant. This is the case
of "proxy" registration; the registrant is the proxy entity.

The CA/Browser Forum is currently working to revise 3.2.2.4 to remove the
#7 option ("any other") and include new methods to allow the CA to
demonstrate they received authorization to issue the certificate. The
latest draft was posted to their public mailing list last week:
https://cabforum.org/pipermail/public/2016-February/006830.html

I'm happy to receive any comments directly if you are not a working group
member.

Thanks,
Peter