(Moving this discussion to the validation subcommittee mailing list)

Hi Aaron,

I find your proposal for clarifying that the use of a third-party DNS Resolver is forbidden in Section 3.2.2.4 to address what I have been missing in the BRs. I would also like to follow up on your statement that CAs might unknowingly use DTPs for domain validations by using third-party email providers (e.g. Mailchimp and Sendgrid). I suggest we discuss whether using cloud-based email services for domain validation in general is problematic, and if it is, whether only on-premises SMTP servers should be accepted.

Another topic I would like to address is the use of WHOIS lookups for domain validations. In the BR, I find the following definitions:

Domain Contact: The Domain Name Registrant, technical contact, or administrative contact (or the equivalent under a ccTLD) as listed in the WHOIS record of the Base Domain Name or in a DNS SOA record, or as obtained through direct contact with the Domain Name Registrar.

WHOIS: Information retrieved directly from the Domain Name Registrar or registry operator via the protocol defined in RFC 3912, the Registry Data Access Protocol defined in RFC 7482, or an HTTPS website.

The registry operator is the authoritative source and therefore acceptable. I assume that the Domain Name Registrar must be the registrar responsible for registering the actual domain, but this is not very clear. CAs may use the WHOIS protocol and the RDAP protocol for such lookups directly against those actors, but is using an HTTPS website unproblematic? Some examples for .com domains would be nice.

In BR 3.2.2.4.2 we find ‘The Random Value MUST be sent to an email address identified as a Domain Contact’. In addition, we find ‘The CA may send the email to more than one recipient provided that every recipient is identified by the Domain Name Registrar as representing the Domain Name Registrant’. Does this mean that this is only allowed if the Domain Contacts are provided by the Domain Name Registrar, and is this intentional?
Regards,
Mads

From: Public On Behalf Of Aaron Gable via Public
Sent: Thursday, January 11, 2024 5:54 PM
To: Dimitris Zacharopoulos (HARICA); CA/Browser Forum Public Discussion List
Subject: Re: [cabfpub] Highlight repeated non-acceptable practices, clarify requirements and discuss about DTPs

For the sake of discussion, here's a concrete proposal for how to easily clarify that use of a public (third-party) DNS resolver is forbidden:

Add to Section 3.2.2.4, immediately after the two numbered sentences: "All DNS queries conducted in the course of validation MUST be made from the CA to authoritative nameservers, i.e. without the use of recursive resolvers operated by third parties."

This proposal does not address the possibility that we could establish a lightweight audit scheme that third-party recursive resolvers could satisfy to be allowed. It also does not address the possibility that CAs are unknowingly using delegated third parties for other aspects of domain validation, such as Mailchimp / Sendgrid for sending emails. But it's a starting point to kick off discussion.

Thanks,
Aaron

On Wed, Dec 27, 2023 at 11:09 PM Dimitris Zacharopoulos (HARICA) via Public wrote:

Dear Members,

While monitoring a specific recent bugzilla incident, I realized that it is very easy to unintentionally misinterpret some parts within the Forum Guidelines that can lead to compliance problems. I think it is our obligation as a Forum to monitor compliance issues reported by CAs or independent researchers and in case of repeated incidents, suggest clarification language in the Forum's Guidelines. Nobody wants more incidents, but a repeated pattern doesn't necessarily mean negligence on the CA's part. It could very well be that the Guidelines are not well written in some areas.

In that regard, I would strongly encourage our Certificate Consumer Members, that continuously review and monitor incidents, to search for common patterns and try to locate the language in the Forum Guidelines that might be somewhat unclear, and work on improving those parts. Even if the language seems "clear enough", for cases that have caused multiple incidents by multiple CAs, it might be worth adding NOTES or NOTICES to highlight non-acceptable practices that have been misunderstood by multiple CAs.

The Delegated Third Party concept is understandably very open and not very well defined. I recommend all WGs to try and clarify how DTPs could be used in the certificate lifecycle process, including Domain/Identity/Email Validation but also in the supporting infrastructure services like compute, storage, network, backup, WHOIS, DNS, Email, regular post, SMS, and more. Perhaps this is a task for the Network Security Working Group but some elements are specific to other WGs.

My recommendation to all WGs is that when we see repeated patterns of practices that, by consensus, are not acceptable and do not meet the spirit and language of the Guidelines, try to highlight them in a type of "practices clarification" ballot series.

Best wishes for a Happy New Year to all!

Dimitris.
CA/B Forum Chair

Public mailing list: https://lists.cabforum.org/mailman/listinfo/public
Validation mailing list: https://lists.cabforum.org/mailman/listinfo/validation
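The Domain Contact and WHOIS definitions quoted in the thread hinge on which entities in a registry record count as registrant, administrative or technical contacts. As an added example that is not part of this thread or any CA's code, the following Python walks a constructed RDAP domain response (entity role names as defined for RDAP responses in RFC 7483, the companion of the RFC 7482 query protocol cited in the BR) and collects only the addresses under those three roles, leaving registrar and abuse contacts out even when nested; the sample record, its domain and addresses are assumptions for illustration.

```python
# Roles the BR "Domain Contact" definition covers: Registrant, administrative
# and technical contact. Other RDAP roles ("abuse", "registrar", "reseller")
# are deliberately NOT treated as Domain Contacts.
DOMAIN_CONTACT_ROLES = {"registrant", "administrative", "technical"}


def jcard_emails(vcard_array):
    """E-mail addresses from an RDAP jCard 'vcardArray' (RFC 7095 layout)."""
    if not vcard_array or len(vcard_array) != 2 or vcard_array[0] != "vcard":
        return []
    return [p[3].strip().lower() for p in vcard_array[1]
            if len(p) == 4 and p[0].lower() == "email"
            and isinstance(p[3], str) and "@" in p[3]]


def domain_contact_emails(rdap):
    """Map each Domain Contact role to the addresses the RDAP record lists.

    Entities can be nested (e.g. an abuse contact under the registrar
    entity), so the whole entity tree is walked; addresses under
    non-Domain-Contact roles are ignored even when nested.
    """
    found = {role: set() for role in DOMAIN_CONTACT_ROLES}

    def walk(entities):
        for ent in entities or []:
            roles = {r.lower() for r in ent.get("roles", [])}
            for role in roles & DOMAIN_CONTACT_ROLES:
                found[role].update(jcard_emails(ent.get("vcardArray")))
            walk(ent.get("entities"))

    walk(rdap.get("entities"))
    return found


# Constructed sample RDAP domain response; not data from any real registry.
SAMPLE_RDAP = {"ldhName": "example.test", "entities": [
    {"roles": ["registrant"], "vcardArray": ["vcard", [
        ["version", {}, "text", "4.0"], ["fn", {}, "text", "Example Owner"],
        ["email", {}, "text", "Owner@example.test"]]]},
    {"roles": ["administrative", "technical"], "vcardArray": ["vcard", [
        ["version", {}, "text", "4.0"],
        ["email", {}, "text", "hostmaster@example.test"]]]},
    {"roles": ["registrar"], "vcardArray": ["vcard", [
        ["email", {}, "text", "sales@registrar.test"]]],
     "entities": [{"roles": ["abuse"], "vcardArray": ["vcard", [
        ["email", {}, "text", "abuse@registrar.test"]]]}]},
]}
```

Calling `domain_contact_emails(SAMPLE_RDAP)` yields the registrant and hostmaster addresses only; the registrar's sales and abuse mailboxes never become Random Value recipients.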
