Please post Server Cert ballot discussion to the Server Certificate group, not the Public list of the entire Forum.
Regards,
Rich

From: Public <[email protected]> On Behalf Of Doug Beattie via Public
Sent: Wednesday, October 10, 2018 1:42 PM
To: CA/Browser Forum Public Discussion List <[email protected]>
Subject: Re: [cabfpub] Pre-ballot for Ballot SC5: Improve Phone Validation Methods

I'd like to get some discussion started on this approach for tightening down the Phone Validation method and adding a new method. Please take a look and comment, then we can discuss Tuesday at the Face 2 Face meeting.

Modify Method 3 to:

* Identify where the phone number comes from. The current method 3 says that the number is one that is identified by the Domain Name Registrar as the Domain Contact, but we have a defined term that is better "Domain Contact". "The Domain Name Registrant, technical contact, or administrative contact (or the equivalent under a ccTLD) as listed in the WHOIS record of the Base Domain Name or in a DNS SOA record, or as obtained through direct contact with the Domain Name Registrar.".
* Clarify how to handle transfers and voicemail.
* Clarify that this process verifies an ADN (not FQDN)

Add Section 3.2.2.4.15: Domain Contact Phone published in a DNS CAA Record

Add Section 3.2.2.4.16 Domain Contact Phone published in a DNS TXT record

Modify Appendix B: DNS Contact Types (based on Ballot SC4) to include the definition of Phone numbers. Unfortunately, until ballot SC4 is finalized, I'm in a bit of a holding pattern on this update.

I think we should try to do this as one Ballot, but perhaps having one that just modified method 3 would permit a more rapid approval. Let me know your thoughts on that.

Please comment this week if you have the time.

Doug

From: Doug Beattie
Sent: Friday, August 17, 2018 9:01 AM
To: 'CA/Browser Forum Public Discussion List' <[email protected]>
Subject: Pre-ballot for Ballot SC5: Improve Phone Validation Methods

Since this is dependent on the CAA and TXT approach defined in ballot SC4 which is in process, this isn't yet a complete ballot, but we wanted to get input on the basic set of changes being proposed in parallel with SC4 discussions.

Redlined version attached.

Ballot SC5: Improve Phone Validation Methods

Purpose of Ballot: As discussed during the Validation Summit, Method 3 of the Baseline Requirements could use some improvements to close off some potential bad practices that might lead to security risks.

This ballot builds on "Ballot SC4 - email and CAA CONTACT" to introduce 2 new validation methods for Phone number validation with the source of the phone number being a CAA record and a DNS TXT record.

This Ballot tightens up the rules around phone validation in order to make sure domain authorization or control is verified with a person who is authorized to do so. This ballot changes Method 3, but if we need to create a new method and sunset Method 3, we can do that.

The following motion has been proposed by Tim Hollebeek of DigiCert and endorsed by Bruce Morton of Entrust and Doug Beattie of GlobalSign.

--- MOTION BEGINS ---

This ballot modifies the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" as follows, based on Version 1.X.X:

Modify 3.2.2.4.3 Phone Contact with Domain Contact to read as follows:

Confirm the Applicant's control over the FQDN by calling the Domain Contact's phone number and receive a confirming response to validate the ADN. Each phone call MAY confirm control of multiple ADNs provided that the same Domain Contact phone number is listed for each ADN being verified and they provide a confirming response for each ADN.
In the event that someone other than a Domain Contact is reached, the CA MAY request to be transferred to the Domain Contact. In the event of reaching voicemail, the CA may leave the Random Value and the ADN(s) being validated. The Domain Contact may return the Random Number to the CA via Phone, Email, Fax, or SMS to approve the request within 30 days of the voicemail.

Add Section 3.2.2.4.15: Domain Contact Phone published in a DNS CAA Record

Confirm the Applicant's control over the FQDN by calling the phone number identified as a CAA Contact property record as defined in Appendix B and receive a confirming response to validate the ADN. Each phone call MAY confirm control of multiple ADNs, provided that the same phone number is listed for each ADN being verified and they provide a confirming response for each ADN. The CA may not be transferred or request to be transferred as this phone number has been specifically listed for the purposes of Domain Validation. In the event of reaching voicemail, the CA may leave the Random Value and the ADN(s) being validated. The CAA Contact may return the Random Number to the CA via Phone, Email, Fax, or SMS to approve the request within 30 days of the voicemail.

Add Section 3.2.2.4.16 Domain Contact Phone published in a DNS TXT record

Confirm the Applicant's control over the FQDN by calling the phone number identified as a DNS domain-authorization-phone TXT phone number as defined in Appendix B and receive a confirming response to validate the ADN. Each phone call MAY confirm control of multiple ADNs, provided that the same phone number is listed for each ADN being verified and they provide a confirming response for each ADN. The CA may not be transferred or request to be transferred as this phone number has been specifically listed for the purposes of Domain Validation. In the event of reaching voicemail, the CA may leave the Random Value and the ADN(s) being validated.
The CAA Contact may return the Random Number to the CA via Phone, Email, Fax, or SMS to approve the request within 30 days of the voicemail.

Modify Appendix B: DNS Contact Types

When Ballot SC4 is finalized, this ballot will add Phone number to the permitted CAA and DNS TXT record Contact types.

--- MOTION ENDS ---

A comparison of the changes can be found at: TBD

The procedure for approval of this ballot is as follows:

Discussion (7+ days)
Start Time: TBD
End Time: TBD

Vote for approval (7 days)
Start Time: TBD
End Time: TBD
