I completely agree that identifying what is being validated is a
prerequisite to effective discussion of the strength of validation methods.

Numbers 3 and 4 are the criteria that seem most debatable to me:

> 3) the Subject is either the Applicant or a device under the control and
> operation of the Applicant, and

This is similar to #1, but limits the wording to "device" rather than IP
address or domain name. However, for a DV certificate, I may maintain DNS
control but no other operational control. I wouldn't expect "device" to
cover only DNS records.

> 4) that the natural person or human sponsor who was either the Applicant,
> employed by the Applicant, or an authorized agent who had express authority
> to represent the Applicant was authorized to request the Certificate on
> behalf of the Subject, and

A CA will never be able to consistently reach into an arbitrary
organization and its internal policies and validate whether the person was
truly "authorized" to request this certificate. While this might be a
desirable property that some CAs or organizations wish to achieve for some
kinds of certificates, it seems clearly out of scope for "Baseline
Requirements" for all publicly trusted certificates.

In general, a narrower definition of what is being validated will help
Browsers and CAs arrive at a more straightforwardly measurable set of
validation methods. Trying to validate several categories at once, or
allowing any of several categories to be sufficient, will likely
continue to lead to confusion and surprises.

-- Eric

On Sun, Feb 4, 2018 at 2:19 PM, Peter Bowen via Public <public@cabforum.org>
wrote:

> There has been a lot of discussion of which validation methods are
> acceptable and meet the bar for issuance of a certificate but I've not seen
> anyone clearly state the requirements for issuance. I think it is important
> we agree on what is being certified before we try to fix the validation
> process any further. Without doing so, there is no way to reasonably judge
> the effectiveness of any method.
>
> Section 9.6.1 of the BRs is the closest I could find to spelling out
> exactly what is being certified. Reading that, it looks like the following
> is true:
>
> The issuer named in the certificate, as of the issuance date, certified
> that:
>
> 1) the Applicant either had the right to use, or had control of, the
> Domain Name(s) and IP address(es) listed in the Certificate’s subject field
> and subjectAltName extension or, in the case of Domain Names, was delegated
> such right or control by someone who had such right to use or control, and
>
> 2) the natural person, device, system, unit, or Legal Entity identified in
> the Certificate as the Subject authorized the issuance of the Certificate,
> and
>
> 3) the Subject is either the Applicant or a device under the control and
> operation of the Applicant, and
>
> 4) that the natural person or human sponsor who was either the Applicant,
> employed by the Applicant, or an authorized agent who had express authority
> to represent the Applicant was authorized to request the Certificate on
> behalf of the Subject, and
>
> 5) the issuer verified the accuracy of all of the information contained in
> the Certificate (with the exception of the subject:organizationalUnitName
> attribute), and
>
> 6) the issuer followed procedures to reduce the likelihood that the
> information contained in the Certificate’s subject:organizationalUnitName
> attribute is misleading
>
>
> There may be other things certified, but these six things are required for
> all certificates, as I read the BRs.  Do others agree?  Should this list be
> longer or shorter?
>
> Thanks,
> Peter
>
> _______________________________________________
> Public mailing list
> Public@cabforum.org
> https://cabforum.org/mailman/listinfo/public
>



-- 
konklone.com | @konklone <https://twitter.com/konklone>