Re: [cabfpub] Allocating Time for Review of All Domain Validation Methods at F2F Meeting

2018-02-02 Thread James Burton via Public
The VWG is a closed group and it is hard to engage properly when you don't
know what's going on. I feel that the VWG should spend more time getting
opinions from people such as myself, whether by Phone, Skype, F2F, etc. It
will bring new ideas to the table which might not have been thought of
before. To be honest, I talk a lot better than I write and could spend at
least a whole week going through the EV guidelines with someone from the
VWG and point out vetting issues, etc.

James

On Fri, Feb 2, 2018 at 7:51 PM, Wayne Thayer wrote:

> On Fri, Feb 2, 2018 at 12:44 PM, Ryan Sleevi wrote:
>
>> Note that Interested Parties cannot participate in meetings, whether F2F
>> or Phone, unless explicitly invited, nor participate on the Wiki or Members
>> mail list.
>
> Agreed. The intent is for the Chair to extend meeting invitations to the
> Interested Parties, in full compliance with our bylaws.
>
___
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public


Re: [cabfpub] Allocating Time for Review of All Domain Validation Methods at F2F Meeting

2018-02-02 Thread Wayne Thayer via Public
On Fri, Feb 2, 2018 at 12:44 PM, Ryan Sleevi wrote:

> Note that Interested Parties cannot participate in meetings, whether F2F
> or Phone, unless explicitly invited, nor participate on the Wiki or Members
> mail list.
>
Agreed. The intent is for the Chair to extend meeting invitations to the
Interested Parties, in full compliance with our bylaws.


Re: [cabfpub] Allocating Time for Review of All Domain Validation Methods at F2F Meeting

2018-02-02 Thread Wayne Thayer via Public
On Fri, Feb 2, 2018 at 12:38 PM, James Burton wrote:

> I would like to spend some time in discussing extended validation vetting.
> I feel that extended validation is not vetted enough to acceptable
> standards.
>
I want to be careful about trying to accomplish too much at this meeting.
The Validation Working Group has an effort underway to look for EV
improvements in the wake of the "Stripe Inc., Kentucky US" demonstration
and I agree that it is important work. However, given how fundamental
domain validation is to the issuance process, we need to give it top
priority.

Wayne


Re: [cabfpub] Allocating Time for Review of All Domain Validation Methods at F2F Meeting

2018-02-02 Thread Ryan Sleevi via Public
Note that Interested Parties cannot participate in meetings, whether F2F or
Phone, unless explicitly invited, nor participate on the Wiki or Members
mail list.

On Fri, Feb 2, 2018 at 2:38 PM, James Burton via Public wrote:

> That's an excellent idea.
>
> I would like to spend some time in discussing extended validation vetting.
> I feel that extended validation is not vetted enough to acceptable
> standards.
>
> James
>
>
> On Fri, Feb 2, 2018 at 7:21 PM, Wayne Thayer via Public <
> public@cabforum.org> wrote:
>
>> Gerv and I, with support from Tim as chair of the Validation Working
>> Group, would like to dedicate the entire first day (Tuesday) of the
>> upcoming meeting hosted by Amazon to a “Validation Summit” where security
>> experts help us to review all of the existing domain validation methods.
>> Doing this would push other WG meetings into time slots on Wednesday or
>> Thursday. I believe there would still be adequate time available for these
>> WG meetings.
>>
>> Given the recent issues discovered with BR 3.2.2.4 methods 1, 5, 9, and
>> 10, a more comprehensive, proactive review of all the BR methods of domain
>> validation is urgently needed. It has been pointed out that this has never
>> been done - the methods as they currently exist are just documentation of
>> existing practices. These methods should be analyzed by experts under an
>> adversarial threat model to identify and address risks and deficiencies.
>>
>> Our proposed agenda for the day is:
>> 1. Discuss the intent of 3.2.2.4. Is proving ownership enough, or is
>>    domain control and/or owner consent required?
>> 2. For each of the 10 current methods:
>>    a. Introduce the method and discuss what it is intended to validate
>>    b. Describe in detail how CAs typically implement the method
>>    c. Model and analyze threats to the method
>>    d. Discuss improvements to the method
>>    e. Decide if the method needs to be improved or discarded, or is
>>       acceptable as-is.
>> 3. Time permitting, perform the same analysis on IP address validation
>>    methods described in section 3.2.2.5
>> 4. Wrap-up - summarize conclusions and action items
>>
>> We plan to extend an invitation to deeply technical and security minded
>> folks who are familiar with the CA industry and typical CA processes to
>> sign the IPR agreement, become Interested Parties, and attend this portion
>> of the meeting. Given that the meeting is one month from now, we need to
>> move quickly to recruit these experts.
>>
>> Are there any objections to this proposal? I will interpret silence as
>> consent. (And if you think this is a great idea, feel free to tell us!)
>>
>> If you know someone who has the expertise to contribute to this exercise,
>> please consider recruiting him or her to become an Interested Party and
>> attend this meeting.
>>
>> Finally, please consider if your company would sponsor a researcher to
>> attend the meeting in person. My assumption is that at least some of the
>> folks we’d benefit from having in the room will be deterred from attending
>> because they’ll have to cover their own travel expenses.
>>
>> Thanks,
>>
>> Wayne


Re: [cabfpub] Allocating Time for Review of All Domain Validation Methods at F2F Meeting

2018-02-02 Thread James Burton via Public
That's an excellent idea.

I would like to spend some time in discussing extended validation vetting.
I feel that extended validation is not vetted enough to acceptable
standards.

James


On Fri, Feb 2, 2018 at 7:21 PM, Wayne Thayer via Public wrote:

> Gerv and I, with support from Tim as chair of the Validation Working
> Group, would like to dedicate the entire first day (Tuesday) of the
> upcoming meeting hosted by Amazon to a “Validation Summit” where security
> experts help us to review all of the existing domain validation methods.
> Doing this would push other WG meetings into time slots on Wednesday or
> Thursday. I believe there would still be adequate time available for these
> WG meetings.
>
> Given the recent issues discovered with BR 3.2.2.4 methods 1, 5, 9, and
> 10, a more comprehensive, proactive review of all the BR methods of domain
> validation is urgently needed. It has been pointed out that this has never
> been done - the methods as they currently exist are just documentation of
> existing practices. These methods should be analyzed by experts under an
> adversarial threat model to identify and address risks and deficiencies.
>
> Our proposed agenda for the day is:
> 1. Discuss the intent of 3.2.2.4. Is proving ownership enough, or is
>    domain control and/or owner consent required?
> 2. For each of the 10 current methods:
>    a. Introduce the method and discuss what it is intended to validate
>    b. Describe in detail how CAs typically implement the method
>    c. Model and analyze threats to the method
>    d. Discuss improvements to the method
>    e. Decide if the method needs to be improved or discarded, or is
>       acceptable as-is.
> 3. Time permitting, perform the same analysis on IP address validation
>    methods described in section 3.2.2.5
> 4. Wrap-up - summarize conclusions and action items
>
> We plan to extend an invitation to deeply technical and security minded
> folks who are familiar with the CA industry and typical CA processes to
> sign the IPR agreement, become Interested Parties, and attend this portion
> of the meeting. Given that the meeting is one month from now, we need to
> move quickly to recruit these experts.
>
> Are there any objections to this proposal? I will interpret silence as
> consent. (And if you think this is a great idea, feel free to tell us!)
>
> If you know someone who has the expertise to contribute to this exercise,
> please consider recruiting him or her to become an Interested Party and
> attend this meeting.
>
> Finally, please consider if your company would sponsor a researcher to
> attend the meeting in person. My assumption is that at least some of the
> folks we’d benefit from having in the room will be deterred from attending
> because they’ll have to cover their own travel expenses.
>
> Thanks,
>
> Wayne


Re: [cabfpub] Allocating Time for Review of All Domain Validation Methods at F2F Meeting

2018-02-02 Thread Doug Beattie via Public
Wayne,

I think this is an excellent idea!

I’d recommend we not wait until the meeting and that the VWG sets up a 
framework and collaboration site/document/wiki/repository where security 
experts can start evaluating and documenting the pros and cons of the various 
methods.

Doug

From: Public [mailto:public-boun...@cabforum.org] On Behalf Of Wayne Thayer via 
Public
Sent: Friday, February 2, 2018 2:21 PM
To: CA/Browser Forum Public Discussion List 
Subject: [cabfpub] Allocating Time for Review of All Domain Validation Methods 
at F2F Meeting

Gerv and I, with support from Tim as chair of the Validation Working Group, 
would like to dedicate the entire first day (Tuesday) of the upcoming meeting 
hosted by Amazon to a “Validation Summit” where security experts help us to 
review all of the existing domain validation methods. Doing this would push 
other WG meetings into time slots on Wednesday or Thursday. I believe there
would still be adequate time available for these WG meetings.

Given the recent issues discovered with BR 3.2.2.4 methods 1, 5, 9, and 10, a 
more comprehensive, proactive review of all the BR methods of domain validation 
is urgently needed. It has been pointed out that this has never been done - the 
methods as they currently exist are just documentation of existing practices. 
These methods should be analyzed by experts under an adversarial threat model 
to identify and address risks and deficiencies.

Our proposed agenda for the day is:
1. Discuss the intent of 3.2.2.4. Is proving ownership enough, or is domain
   control and/or owner consent required?
2. For each of the 10 current methods:
   a. Introduce the method and discuss what it is intended to validate
   b. Describe in detail how CAs typically implement the method
   c. Model and analyze threats to the method
   d. Discuss improvements to the method
   e. Decide if the method needs to be improved or discarded, or is acceptable
      as-is.
3. Time permitting, perform the same analysis on IP address validation methods
   described in section 3.2.2.5
4. Wrap-up - summarize conclusions and action items

We plan to extend an invitation to deeply technical and security minded folks 
who are familiar with the CA industry and typical CA processes to sign the IPR 
agreement, become Interested Parties, and attend this portion of the meeting. 
Given that the meeting is one month from now, we need to move quickly to 
recruit these experts.

Are there any objections to this proposal? I will interpret silence as consent. 
(And if you think this is a great idea, feel free to tell us!)

If you know someone who has the expertise to contribute to this exercise, 
please consider recruiting him or her to become an Interested Party and attend 
this meeting.

Finally, please consider if your company would sponsor a researcher to attend 
the meeting in person. My assumption is that at least some of the folks we’d 
benefit from having in the room will be deterred from attending because they’ll 
have to cover their own travel expenses.

Thanks,

Wayne