Hi Daniel,

We appreciate your additional input into determining the exact scope of
this problem.

On 31/03/17 19:37, Daniel Baxter (Aractus) wrote:
> With all due respect this reply is the most ridiculous load of
> nonsense I've ever read.

However, please keep the tone civil. If it's nonsense, demonstrate why
that's so rather than asserting it.

> Yeah OK, I got a few things wrong on my blog post, I can fix that
> shortly. 

We would appreciate it if you would let us know what the updates are.

> Firstly you claim email accounts should be secure - um since WHEN?

Regardless of the wisdom of this assertion, it is true that many CAs
rely on the (relative) security of email when doing domain validation.
Symantec is not alone in this respect. It's probably not productive to
have an argument at this point over whether email-based domain
validation is a good idea or not.

> Next, you say that URLs in emails should be treated like a password.
> Um - SINCE WHEN? And furthermore, if it should be treated as a
> password, if that's your claim, WHY ARE THEY BEING SENT IN PLAINTEXT
> IN THE EMAIL? You can't have it both ways - if you want customers to
> treat that as they do a password, you need to treat it with the same
> care, and put it behind an authentication.

This leads to a chicken-and-egg problem. To use email for domain
validation, you need to send something in the email which the domain
owner does not already know, and then use that to validate that the
person wanting the certificate is able to receive the email. It doesn't
matter whether it's a token or the username and password to a web interface.

> Again, stop passing the buck. You need to assume that not every email
> account in the world is secure! Also, it's a breach of s.6.1.2:
> https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.2.pdf
>  No party other than subscriber shall archive the private key. I.e.
> it should be impossible to retrieve from an email in the first
> place.

Do you have evidence that private keys were retrievable? Can you provide
steps to reproduce?

> How does that matter? Chris was able to do it, and if he was able to
> then your investigation should have uncovered the vulnerability. The

It would be great if Chris were available to drop in and corroborate
this. I may reach out to him.
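The validation step described above (mail the domain owner a secret they could not already know, then accept the request only when that secret comes back) is worth seeing in defensive form. The following is an added illustration written for this page, not code from this thread, from Symantec, or from any CA: a hypothetical challenge store that mails out a high-entropy one-time token, keeps only a hash of it, binds it to the domain, and rejects reuse and expiry.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Challenge:
    """One outstanding email-validation challenge (hypothetical record)."""
    domain: str
    expires_at: float
    used: bool = False


class EmailDvChallenges:
    """Issue and redeem one-time tokens for email-based domain validation.

    Hypothetical store for this example only. The token is the secret that
    goes in the mail; the store keeps just its SHA-256 digest, so a dump of
    the store does not reveal anything usable by itself.
    """

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable for testing
        self._challenges = {}        # digest(token) -> Challenge

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).digest()

    def issue(self, domain):
        """Create a fresh challenge for `domain` and return the token to mail."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._challenges[self._digest(token)] = Challenge(
            domain=domain, expires_at=self._clock() + self._ttl)
        return token

    def redeem(self, token, domain):
        """Return True once, and only for the live, unused token bound to `domain`."""
        ch = self._challenges.get(self._digest(token))
        if ch is None or ch.used:
            return False
        if self._clock() > ch.expires_at:
            return False
        # constant-time compare keeps the domain check free of timing leaks
        if not hmac.compare_digest(ch.domain, domain):
            return False
        ch.used = True
        return True


if __name__ == "__main__":
    store = EmailDvChallenges(ttl_seconds=60)
    tok = store.issue("example.com")        # constructed sample domain
    print("first redeem :", store.redeem(tok, "example.com"))   # True
    print("second redeem:", store.redeem(tok, "example.com"))   # False (single use)
```

The token is the only thing the mailed link needs to carry; nothing in the store or the mail can be replayed after the first successful redemption or after the TTL, which is the property the quoted objection about "plaintext in the email" is really asking for.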

dev-security-policy mailing list