Gerv and I have made, and the CA/Browser Forum has accepted a proposal to convene a "Validation Summit" on Tuesday March 6th during the next regularly scheduled CA/Browser Forum face-to-face meeting that will be held in the Washington DC area.
The intent of this summit is to perform an analysis of each of the "blessed 10" domain validation methods, identify weaknesses, and determine if each method needs to be improved or deprecated. You can find a proposed agenda at [1].

The CA/Browser Forum has agreed to invite security experts who have specialized knowledge of threat analysis and CA operations to participate, and I would like to extend that invitation to members of the Mozilla security community. It would be particularly helpful to have participants who have experience in the following areas:

1. Real-world experience with the validation procedures as they are currently practiced by public CAs
2. Experience with threat modeling, analyzing a variety of protocols, or other methods for rigorously analyzing processes and procedures for potential vulnerabilities
3. Deep technical expertise related to how validation-related technologies perform and/or fail in the real world (DNS, WHOIS, Domain Registrars, Reverse IP lookup, and so on)
4. Technical challenges that prevent various validation methods from being usable by a significant fraction of certificate applicants, and thus drive users towards less desirable methods
5. Automation of validation protocols (i.e. ACME)

Those putting their names forward should be prepared to adhere to the Code of Conduct [2] and to participate in a constructive discussion that remains focused on the topic at hand. If you would like to participate, you will be required to become an Interested Party [3] and sign the CA/Browser Forum IPR Agreement [4]. (Note: if your company is already a CA/Browser Forum member, please check with your representative.) If you intend to meet these requirements and attend the summit as an Interested Party, please email me (wthayer-at-mozilla-dot-com) so that I can get you added to the list of attendees and provide more information.

We do expect to have a remote attendance option available; however, given the size of the group, please be aware that it can be difficult to participate even when the audio quality is good. If you would like to attend in-person but require travel/accommodation sponsorship, please mention that in your email to me, along with a ballpark figure for costs (estimate the hotel as $122 per night).

Wayne

[1] https://cabforum.org/pipermail/public/2018-February/012908.html
[2] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-Bylaws-v.-1.7.pdf (Exhibit C)
[3] https://cabforum.org/current-work
[4] https://cabforum.org/ipr-policy/