On Thu, Jun 1, 2017 at 6:52 AM, Gervase Markham via dev-security-policy < [email protected]> wrote:
> Hi Doug,
>
> On 01/06/17 10:54, Doug Beattie wrote:
> > Can you give some examples of validation functions that need to be
> > enforced by multifactor authentication? There are some that I don't think
> > can be done using multi-factor authentication, such as domain validation
> > via email (the link to confirm the domain can't be protected by
> > multi-factor auth).
>
> This is a good point; I think we've been unclear here. The aim was to
> target CA or RA employees sitting at computers and logging in to perform
> validation functions such as entering data. It wasn't designed to
> require email domain validation link-clicking to be multi-factor, or for
> that matter to require someone logging into their account with their CA
> to say "please re-issue my certificate for this already-validated
> domain" to require multi-factor.
>
> Does anyone have suggestions as to how we can word this provision to
> make this distinction?

Do you think it's a valid reading to suggest that the e-mail confirmation link is, in fact, performing a validation function?

That is, I can appreciate the tortured reading that results in this - and I can appreciate the desire for greater clarity - but I'm not sure it's worth expending significant effort on. In the worst case, a CA who reads it like Doug suggests will result in a more secure system (vis-a-vis the discussion in the CA/Browser Forum regarding email scanning devices that 'click' on links).

The reason why I don't think it's valid reasoning is that if we accept that this provision in the policy could be read to cover such emails, then we're implicitly agreeing that the act of clicking that email is performing a validation function pursuant to 3.2.2.4 of the Baseline Requirements. Ergo, every customer of that CA who uses that method is acting as a Delegated Third Party, performing the validation functions of 3.2.2.4 - since, by logical extension, they're performing the validation function of 3.2.2.4 on their account - and all the attendant mess that it entails.

So while I can appreciate the question, and I can appreciate why it's raised, I would think that if someone who wanted to make that interpretation extended the argument through to its logical conclusion, it would naturally reveal itself as an invalid interpretation - or, ideally, one which other CAs will question, and we can point back to this thread.

Put differently, I think it's absolutely fantastic that Doug has raised this question, and I think all CAs should raise any such questions of interpretation on the list, so they can be explored, answered, and clarified - as you have - but I'm not sure that it should be incumbent on the policy to clarify it, especially if the (mis)interpretation results in greater rigor, rather than less :)

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

