That's an excellent idea. I would like to spend some time in discussing extended validation vetting. I feel that extended validated is not vetted to enough to acceptable standards.
James On Fri, Feb 2, 2018 at 7:21 PM, Wayne Thayer via Public <[email protected] > wrote: > Gerv and I, with support from Tim as chair of the Validation Working > Group, would like to dedicate the entire first day (Tuesday) of the > upcoming meeting hosted by Amazon to a “Validation Summit” where security > experts help us to review all of the existing domain validation methods. > Doing this would push other WG meetings in to time slots on Wednesday or > Thursday. I believe there would still be adequate time available for these > WG meetings. > > Given the recent issues discovered with BR 3.2.2.4 methods 1, 5, 9, and > 10, a more comprehensive, proactive review of all the BR methods of domain > validation is urgently needed. It has been pointed out that this has never > been done - the methods as they currently exist are just documentation of > existing practices. These methods should be analyzed by experts under an > adversarial threat model to identify and address risks and deficiencies. > > Our proposed agenda for the day is: > 1. Discuss the intent of 3.2.2.4. Is proving ownership enough, or is > domain control and/or owner consent required? > 2. For each of the 10 current methods: > a. Introduce the method and discuss what it is intended to validate > b. Describe in detail how CAs typically implement the method > c. Model and analyze threats to the method > d. Discuss improvements to the method > e. Decide if the method needs to be improved or discarded, or is > acceptable as-is. > 3. Time permitting, perform the same analysis on IP address validation > methods described in section 3.2.2.5 > 4. Wrap-up - summarize conclusions and action items > > We plan to extend an invitation to deeply technical and security minded > folks who are familiar with the CA industry and typical CA processes to > sign the IPR agreement, become Interested Parties, and attend this portion > of the meeting. Given that the meeting is one month from now, we need to > move quickly to recruit these experts. > > Are there any objections to this proposal? I will interpret silence as > consent. (And if you think this is a great idea, feel free to tell us!) > > If you know someone who has the expertise to contribute to this exercise, > please consider recruiting him or her to become an Interested Party and > attend this meeting. > > Finally, please consider if your company would sponsor a researcher to > attend the meeting in person. My assumption is that at least some of the > folks we’d benefit from having in the room will be deterred from attending > because they’ll have to cover their own travel expenses. > > Thanks, > > Wayne > > _______________________________________________ > Public mailing list > [email protected] > https://cabforum.org/mailman/listinfo/public > >
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
