There have been previous discussions about this very issue at CA/Browser
Forum Validation Working Group meetings (see also draft Ballot 225).  I
think it is widely recognized that the rules around QIISs are far too weak
and in need of improvement.

I actually recently asked Kirk to add an item on the agenda for the upcoming
Face to Face meeting in Shanghai where we intend to push for the elimination
of the ability to rely upon unofficial information sources, especially Dun &
Bradstreet, for the reasons you cite.  It isn't a reliable information
source.

-Tim

> -----Original Message-----
> From: dev-security-policy <[email protected]> On Behalf Of Ian Carroll via dev-security-policy
> Sent: Wednesday, September 26, 2018 4:53 PM
> To: [email protected]
> Subject: Concerns with Dun & Bradstreet as a QIIS
> 
> Hi,
> 
> In April and May of this year, I attempted to change the address listed in Dun
> & Bradstreet of my (Kentucky-incorporated) company "Stripe, Inc" to an
> address in Toledo, Ohio that did not exist (185 Berry Street Toledo Ohio). I was
> wondering about the extent of validation Dun & Bradstreet would do on the data.
> 
> To my surprise, they accepted my change request a couple days later. This is
> concerning, of course, because D&B is a QIIS backing most EV certificate
> requests in the United States.
> 
> After this worked, I realized this was probably worth exploring more, so I took
> my "Cloudflare, Inc" company (also incorporated in Kentucky) and requested
> that Dun & Bradstreet change its address to "102 Townsend St San Francisco
> CA". You might notice that this is the same address as the real Cloudflare, but
> with the street number incremented by one.
> 
> D&B accepted that change request as well. This meant I controlled a DUNS
> number that would resolve to a very similar address to CF, with my phone
> number on it.
> 
> I ordered two EV certificates from Comodo (order #s 136665865 and
> 141269115) with these fake DUNS numbers. I successfully completed the
> validation and callback process for the Cloudflare order, and Comodo was
> about to issue the certificate, but both of my orders were silently deleted
> before they were about to be issued.
> 
> Comodo would not give me any information about why they (silently) rejected
> my orders, but Dun & Bradstreet banned my account shortly after, so it is safe
> to say they reported me after they realized something went wrong.
> 
> I think this is a strong indictment of D&B as a QIIS. The definition of a QIIS, in
> my opinion, is incredibly lax, but "which is generally recognized as a
> dependable source of such information" is hard to meet here.
> 
> I am also, frankly, annoyed that Comodo seems to have silently discovered
> that D&B was unreliable and then ignored it without reporting it further. I
> myself have been meaning to send this for a while, given I did this in May, but
> various things have made it difficult for me to find the time.
> 
> Let me know if I can provide any further information.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy