There is a way to get zero-validation certs, totally legit, under the BRs. Currently, the BRs permit pretty much free delegation of Registration Authorities for everything except domain verification. Without RA audit requirements or even a requirement that the CA monitor/control the RA, the cynical side of me doubts whether the verification is enforced without the CA first receiving a third-party complaint.

Section 1.32 permits free RA delegation if the verification requirements are met by the process as a whole and a contract exists with the delegated third party to do the following:

"(1) Meet the qualification requirements of Section 5.3.1, when applicable to the delegated function;
(2) Retain documentation in accordance with Section 5.5.2;
(3) Abide by the other provisions of these Requirements that are applicable to the delegated function; and
(4) Comply with (a) the CA's Certificate Policy/Certification Practice Statement or (b) the Delegated Third Party's practice statement that the CA has verified complies with these Requirements."

Essentially, as long as there is a) a contract between the CA and RA, and b) the CA is performing domain verification (and c) no one complains), the RA is free to do whatever the RA deems appropriate, permitting the CA to circumvent the BRs and audit oversight. There's no requirement that the CA audit the RA's role in the verification process or that the RA provide any reporting to the CA or auditors.
Combined with method 1, there is no obligation that the CA actually do anything to vet the customer or obtain any evidence that the customer even exists. As you all know, method 1 requires only that the CA confirm the WHOIS information matches the applicant. As long as the WHOIS information matches, problem solved. As noted above, the RA is not actually required to do any validation (just say that they do), so if the RA passes over the WHOIS name as the verified information, the cert will issue without a second glance. I realize that method 1 and method 5 are going away (for good reason), but that doesn't happen until August. I'd be interested in seeing whether someone can get a cert in this manner from a CA that supports RAs.

Jeremy
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

