Fair enough – we can all file away Peter’s list for future use.  But in my 
mind, the second example is equivalent to a Certificate Problem Report that is 
requesting revocation, and I think each CA can develop its own methods for how 
to handle that – I don’t think we need mandatory provisions in the BRs.

From: Rick Andrews [mailto:rick_andr...@symantec.com]
Sent: Thursday, October 13, 2016 4:45 PM
To: Kirk Hall <kirk.h...@entrust.com>
Cc: public@cabforum.org
Subject: RE: [cabfpub] Recourse for domain owners who discover unknown 
certificates issued to their domain

Kirk, in my years with VeriSign and Symantec, I also can’t recall a domain 
owner asking for more info about a cert that we had issued, but

a) The request probably would not have come to or through me
b) It’s a lot more likely to happen today because of CT

The first example you gave is (in my opinion) relatively easy to resolve. The 
more challenging one is the second. I’m trying to see if we can agree that, for 
example, the CA should not necessarily give out details about the subscriber to 
the requester. Peter suggested a list of things that the requester should and 
should not expect to get. I agree with most of that but need to re-read it more 
carefully.

-Rick

From: Kirk Hall [mailto:kirk.h...@entrust.com]
Sent: Wednesday, October 12, 2016 6:14 PM
To: Rick Andrews <rick_andr...@symantec.com>; Ryan Sleevi <sle...@google.com>
Cc: public@cabforum.org
Subject: RE: [cabfpub] Recourse for domain owners who discover unknown 
certificates issued to their domain

In roughly 15 years of involvement with 4 CAs, I don’t recall any domain owner 
asking for more information about a cert we had issued that the domain owner 
(presumably) didn’t recognize.  I suppose if Foo Corp. is actually your 
customer, and Anne Jones of Foo Corp. (whom you can verify) asks “Did we order 
this server2.foo.com cert?  No one remembers that”, it would be ok for the CA 
to look in its systems and see what it can find.

If someone from Foo Corp. contacts the CA and says “Foo Corp. is not a customer 
of your CA – why did you issue a cert for server2.foo.com?”, the CA would 
likely treat that as a Certificate Problem Report under BR 4.9.2, investigate 
according to the CA’s own procedures, and revoke if justified.

I’m reluctant to create new requirements for how the CA responds to questions 
about an unrecognized cert until we know more whether this situation is likely 
to occur.  It seems to me the current BRs already cover problem reports and 
revocation requests from third parties.

From: Rick Andrews [mailto:rick_andr...@symantec.com]
Sent: Wednesday, October 12, 2016 5:56 PM
To: Ryan Sleevi <sle...@google.com>; Kirk Hall <kirk.h...@entrust.com>
Cc: public@cabforum.org
Subject: RE: [cabfpub] Recourse for domain owners who discover unknown 
certificates issued to their domain

Ryan, as I stated in my initial post, this is not about redaction. I’d prefer 
to keep that out of the discussion, and focus on a use case where a domain 
owner learns about a fully-disclosed certificate (maybe they see it on a 
public-facing website) and wants to learn more about it.

-Rick

From: Public [mailto:public-boun...@cabforum.org] On Behalf Of Ryan Sleevi via 
Public
Sent: Tuesday, October 11, 2016 6:35 PM
To: Kirk Hall <kirk.h...@entrust.com>
Cc: public@cabforum.org
Subject: Re: [cabfpub] Recourse for domain owners who discover unknown 
certificates issued to their domain

Kirk,

The point is to remove the degree of "CA discretion" that you suggest, to 
ensure there's a normalized, reasonable, and reliable set of options for domain 
holders. As Rick noted in the introduction, this is certainly one of the 
concerns with allowing redaction.

For example, it would be undesirable for a CA to allow redacted certificates, 
and then say "No, we won't revoke, because that's what our privacy policy 
says." The concern is related to CA's interpretation of those sections, and 
ensuring that we avoid any areas for CAs to interpret in a way conflicting with 
community norms.

So I don't believe the current sections provide sufficient recourse - 
especially as discussed in the discussions Rick linked to.

On Tue, Oct 11, 2016 at 6:22 PM, Kirk Hall via Public 
<public@cabforum.org> wrote:

As I read through the string, remember that we all have a Privacy Policy (BR 
9.4 covers this, although we presently have no BR stipulations on privacy 
policies).  So whatever we decide to do in responding to information requests 
from claimed domain owners will have to comply with our individual Privacy 
Policies (which may need to be modified).

WebTrust for CAs has this general statement: “The Certification Authority must 
disclose its key and certificate life cycle management business and information 
privacy practices” and Requirement 6.6 on Certificate Revocation says “The CA 
maintains controls to provide reasonable assurance that certificates are 
revoked, based on authorized and validated certificate revocation requests 
within the time frame in accordance with the CA’s disclosed business practices.”

We already have some BR provisions 4.9.2 through 4.9.5 on who can request 
revocation, and the process the CA is required to follow.  See below.  Does 
this adequately cover your straw man situations below?  Don’t many of your 
situations fit within the language for reporting Certificate Problem Reports?  
(“I see this cert you issued for a domain I own – I don’t remember or recognize 
it.”)  I think it may be best for the CA to set up its own internal procedures 
for how it will respond to this type of Report, and then make sure the 
Subscriber Agreement and Privacy Policy allow what the CA wants to do.



4.9.2. Who Can Request Revocation

The Subscriber, RA, or Issuing CA can initiate revocation. Additionally, 
Subscribers, Relying Parties, Application Software Suppliers, and other third 
parties may submit Certificate Problem Reports informing the issuing CA of 
reasonable cause to revoke the certificate.

4.9.3. Procedure for Revocation Request

The CA SHALL provide a process for Subscribers to request revocation of their 
own Certificates. The process MUST be described in the CA’s Certificate Policy 
or Certification Practice Statement. The CA SHALL maintain a continuous 24x7 
ability to accept and respond to revocation requests and related inquiries.

The CA SHALL provide Subscribers, Relying Parties, Application Software 
Suppliers, and other third parties with clear instructions for reporting 
suspected Private Key Compromise, Certificate misuse, or other types of fraud, 
compromise, misuse, inappropriate conduct, or any other matter related to 
Certificates. The CA SHALL publicly disclose the instructions through a readily 
accessible online means.

4.9.4. Revocation Request Grace Period

No stipulation.

4.9.5. Time within which CA Must Process the Revocation Request

The CA SHALL begin investigation of a Certificate Problem Report within 
twenty-four hours of receipt, and decide whether revocation or other 
appropriate action is warranted based on at least the following criteria:

1. The nature of the alleged problem;
2. The number of Certificate Problem Reports received about a particular 
Certificate or Subscriber;
3. The entity making the complaint (for example, a complaint from a law 
enforcement official that a Web site is engaged in illegal activities should 
carry more weight than a complaint from a consumer alleging that she didn’t 
receive the goods she ordered); and
4. Relevant legislation.



-----Original Message-----
From: Public [mailto:public-boun...@cabforum.org] On Behalf Of Peter Bowen via 
Public
Sent: Monday, October 10, 2016 8:35 PM
To: Rick Andrews <rick_andr...@symantec.com>
Cc: public@cabforum.org
Subject: Re: [cabfpub] Recourse for domain owners who discover unknown 
certificates issued to their domain

> On Oct 10, 2016, at 5:31 PM, public@cabforum.org wrote:
>
> During the discussions about CT name redaction ([1], [2]), it became
> clear that there is no formal policy regarding what actions a CA
> should take if a domain owner approached the CA to get information
> about a certificate issued by the CA for a domain owned by the domain
> owner. We'd like to start a discussion to craft such a policy. Note
> that this is not specific to name redaction. A domain owner might
> discover a non-redacted certificate in a CT log or public web crawl,
> and if the owner doesn't recognize the certificate, they should be
> able to get detailed information from the CA so that the domain owner
> can determine if the cert was properly issued, and request revocation if it 
> was not.



Rick,

Before we discuss how we authenticate the domain registrant, I think we need 
to discuss what a CA must do when so asked by a domain registrant.

As a straw man, I’m going to suggest that an authenticated domain registrant 
can do the following:

- Require revocation of a certificate containing a FQDN or Wildcard DN under 
their registered domain by providing the CA the issuer DN and serial number of 
the certificate

- Require revocation of all certificates containing a FQDN or Wildcard DN under 
their registered domain or a portion of the namespace under their registered 
domain

- Authorize the issuance of certificates containing a FQDN or Wildcard DN under 
their registered domain

- Require the CA to only allow certain named people or email addresses to 
authorize future issuance

The registrant cannot:

- Require the CA to provide a list of all certificates containing a FQDN or 
Wildcard DN under their registered domain

- Require the CA to provide details on the applicant/subscriber for a 
certificate containing a FQDN or Wildcard DN under their registered domain

- Require the CA to provide an unredacted version of a redacted certificate 
containing a FQDN or Wildcard DN under their registered domain

To come up with this list, I considered the situation where domain foo.example 
is registered to Alice (potentially using a proxy as the registrant).  Mallory 
is a nefarious individual and wants to bring harm to Alice or Alice’s 
organization.  Mallory manages to take over foo.example (either due to Alice 
letting it expire or via domain transfer fraud) and then proceeds to contact 
CAs to get info about foo.example and Alice.  What should a CA be required to 
release?

Thanks,

Peter

_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public
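Peter's straw man has two mechanical parts a CA intake tool would need: locating a certificate by issuer DN and serial number, and deciding whether its SAN entries are "a FQDN or Wildcard DN under their registered domain" (or a portion of that namespace). The following is an added example written for this thread; it is not code from any CA or from the Forum, and it runs over constructed certificate records rather than real X.509 data. The scoping rule it implements is one assumption-laden reading of the straw man: names are compared label by label, a wildcard label is treated like any other label (so `*.foo.example` is under foo.example, while `*.example` is not, since the registrant controls nothing above their own apex), and the output deliberately carries only the identifiers the registrant would cite, never subscriber details.

```python
"""Scope a domain registrant's revocation request to certificates whose
SAN entries fall under the registrant's domain namespace.

Added example; SAMPLE_RECORDS below are constructed, not real certificates,
and the matching rule is one interpretation of a hypothetical policy.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class CertRecord:
    """Minimal view of an issued certificate as a CA database might hold it."""
    issuer_dn: str
    serial_hex: str
    dns_names: tuple  # dNSName SAN entries exactly as issued


def _labels(name: str) -> list:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    name = name.strip().rstrip(".").lower()
    if not name:
        raise ValueError("empty DNS name")
    return name.split(".")


def name_under_namespace(dns_name: str, namespace: str) -> bool:
    """True if dns_name is the namespace apex or a (wildcard) name below it.

    Comparing whole labels avoids the 'notfoo.example'.endswith('foo.example')
    trap, and a wildcard label counts as an ordinary label, so '*.foo.example'
    is under 'foo.example' but '*.example' is not.
    """
    name_labels = _labels(dns_name)
    ns_labels = _labels(namespace)
    if len(name_labels) < len(ns_labels):
        return False
    return name_labels[-len(ns_labels):] == ns_labels


def certificates_under_namespace(records, namespace: str):
    """Return (issuer_dn, serial_hex) for every record with at least one SAN
    under the namespace: the identifiers a revocation request would cite,
    and nothing about the subscriber behind the certificate."""
    matches = []
    for rec in records:
        if any(name_under_namespace(n, namespace) for n in rec.dns_names):
            matches.append((rec.issuer_dn, rec.serial_hex))
    return matches


def locate_certificate(records, issuer_dn: str, serial_hex: str, namespace: str):
    """Look up the certificate a registrant named by issuer DN and serial and
    confirm it actually covers their namespace before the CA acts on the
    demand.  Returns the record, or None if absent or out of scope."""
    for rec in records:
        if rec.issuer_dn == issuer_dn and rec.serial_hex.lower() == serial_hex.lower():
            if any(name_under_namespace(n, namespace) for n in rec.dns_names):
                return rec
            return None  # exists, but not under the requester's domain
    return None


# Constructed sample records with a hypothetical issuer DN and serials.
SAMPLE_RECORDS = (
    CertRecord("CN=Example Issuing CA", "01", ("server2.foo.example",)),
    CertRecord("CN=Example Issuing CA", "02", ("*.foo.example", "foo.example")),
    CertRecord("CN=Example Issuing CA", "03", ("notfoo.example",)),
    CertRecord("CN=Example Issuing CA", "04", ("*.example",)),
    CertRecord("CN=Example Issuing CA", "05", ("bar.example", "www.bar.foo.example.")),
)

if __name__ == "__main__":
    for ident in certificates_under_namespace(SAMPLE_RECORDS, "foo.example"):
        print("in scope for foo.example:", ident)
    print("serial 03 in scope:", locate_certificate(
        SAMPLE_RECORDS, "CN=Example Issuing CA", "03", "foo.example") is not None)
```

Run against the constructed records, serials 01, 02 and 05 are in scope for foo.example, serial 04 (`*.example`) and serial 03 (`notfoo.example`) are not, and narrowing the request to the portion bar.foo.example leaves only serial 05. Whether a wildcard one level above a requested sub-namespace should count is a policy choice the straw man leaves open; this code takes the strict reading.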
