On 01/06/2018 21:01, Wayne Thayer wrote:
> On Fri, Jun 1, 2018 at 5:06 PM Jakob Bohm via dev-security-policy <
> [email protected]> wrote:
>> Please contact the CA again, and inform them that BR 4.9.1.1 #6 requires
>> the CA (not some reseller) to revoke the certificate within 24 hours if:
>>
>>   The CA is made aware of any circumstance indicating that use of a
>>   Fully-Qualified Domain Name or IP address in the Certificate is no
>>   longer legally permitted (e.g. a court or arbitrator has revoked a
>>   Domain Name Registrant's right to use the Domain Name, a relevant
>>   licensing or services agreement between the Domain Name Registrant
>>   and the Applicant has terminated, or the Domain Name Registrant has
>>   failed to renew the Domain Name);
>>
>> While CAs are not required to discover such situations themselves, they
>> must revoke once made aware of the situation (in this case by you
>> telling them).
>>
>> At least, this is how I read the rules.
> This issue has come up in several CAB Forum discussions such as [1]. In
> practice, I believe that the requirement Jakob quoted is rarely invoked
> because (despite the examples), the language is too vague and narrow. It
> can also be quite difficult for a CA to verify that the revocation request
> is coming from the legitimate domain name registrant [1], making it less
> likely the CA will take action.
Note that as I read it, all they need to do is to check that the whois
has changed since the date of issuance/validation, thus making any
validation to the former domain owner probably outdated (it could of
course happen that the legit owner has made a technical change such as a
new phone number). Though the "Registered" date or "Creation Date"
being after the validation date would be pretty strong evidence, even if
no other fields are visible.
Where whois is not visible (such as the unfortunate way that some
registrars have handled GDPR), the person requesting revocation under
the existing 4.9.1.1 #6 would have to provide documentation that domain
ownership was changed. Again, no proof of their own identity, simply
proof that an ownership change happened between validation and
revocation request.
This isn't conditional on the original validation involving a whois
lookup, or the CA having any record of the name of the domain owner.
It's simply a "domain ownership changed => old certificates should be
voided on request".
> I've made a couple of attempts to fix this, resulting in the current
> language proposed for ballot 213 [2]:
>
>   The CA obtains evidence that the validation of domain authorization or
>   control for any Fully-Qualified Domain Name or IP address in the
>   Certificate should not be relied upon.
>
> I'd prefer a more prescriptive requirement that CAs allow anyone to revoke
> by proving that they control the domain name using one of the BR 3.2.2.4
> methods, but this is a problem because most CAs don't support every domain
> validation method and many domains are configured such that some validation
> methods can't be used.
>
> - Wayne
>
> [1] https://cabforum.org/pipermail/public/2018-January/012824.html
> [2] https://cabforum.org/pipermail/public/2018-May/013380.html
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
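An added illustration (my own, not code from the thread or from any CA) of the triage Jakob describes above: compare the whois creation and update dates against the date the CA validated the domain, and fall back to requester-supplied transfer documentation when the registrar redacts whois. The `WhoisSnapshot` fields, the verdict labels and the sample dates are assumptions constructed for the example.

```python
"""Triage a BR 4.9.1.1 #6 revocation request on domain-ownership-change
evidence, as described in the thread. Constructed sample data; not code
from the mailing-list discussion or from any CA."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class WhoisSnapshot:
    # None models a registrar that redacts the field (e.g. after GDPR).
    creation_date: Optional[date]
    updated_date: Optional[date]


def assess_ownership_change(validation_date: date, whois: WhoisSnapshot,
                            has_transfer_documentation: bool = False) -> str:
    """Return one of:
    'strong'       - domain was (re)registered after the validation date,
                     so the earlier validation cannot cover the current owner
    'changed'      - whois modified after validation; could be a mere contact
                     update by the same owner, so the CA should follow up
    'documented'   - whois redacted, but the requester supplied evidence of
                     an ownership change between validation and the request
    'insufficient' - nothing indicates the original validation is outdated
    """
    if whois.creation_date is not None and whois.creation_date > validation_date:
        return "strong"
    if whois.updated_date is not None and whois.updated_date > validation_date:
        return "changed"
    if whois.creation_date is None and whois.updated_date is None:
        return "documented" if has_transfer_documentation else "insufficient"
    return "insufficient"


if __name__ == "__main__":
    validated = date(2018, 1, 15)  # constructed: when the CA validated the FQDN
    samples = {
        "re-registered after validation": WhoisSnapshot(date(2018, 3, 1), date(2018, 3, 1)),
        "record updated after validation": WhoisSnapshot(date(2015, 6, 1), date(2018, 2, 2)),
        "redacted whois, no documents": WhoisSnapshot(None, None),
        "untouched since validation": WhoisSnapshot(date(2015, 6, 1), date(2017, 12, 1)),
    }
    for label, snapshot in samples.items():
        print(f"{label}: {assess_ownership_change(validated, snapshot)}")
```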
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy