[cabfpub] [EXTERNAL] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft
pzb at amzn.com
Fri Apr 28 07:56:31 MST 2017
> On Apr 28, 2017, at 7:06 AM, Gervase Markham via Public <public at cabforum.org> wrote:
> On 27/04/17 19:52, Kirk Hall wrote:
>> Please humor me (and the rest of the members, and the public
>> following this list). In one or two paragraphs, can you summarize
>> your reasons?
> I think that has been effectively done elsewhere in this thread. Fixing
> audits to reliably include DTPs is very difficult. Taking the most
> security-critical part and forbidding it from being done by third
> parties solves the problem for that security-critical part. And no CA
> has claimed (enterprise RAs aside) that they use this capability. So
> eliminating it should be uncontroversial.
I would suggest a simpler approach — simply remove Delegated Third Party from the BRs altogether. That removes the carve-out allowing the CA to shift blame.
My concern over being super-specific on defining who can do certain this by employer is that it heavily constrains companies. A few example:
- Amazon has security guards at our buildings, both offices and data centers. Our core business competence is not training security guards. So our physical security team contracts with a company who does have that as their core competence to provide the guard force. The BRs section 5 says “the Certificate Management Process MUST include physical security and environmental controls”, so we have a third party involved in our BR compliance.
- Even if we limit this to just domain validation, third parties still come in to play. Sending and receiving email is rather complicated on today’s Internet. You have to understand SPF, DKIM, DMARC, FBLs, and lots of other stuff. Many organizations use third party email platforms to help with sending and receiving. For example, I note that Mozilla uses Google’s mail service and I know we use Amazon Simple Email Service to send emails. There is no question that email is part of the domain validation process for many CAs. So these again are third parties involved in domain validation.
- Even if we limit the discussion further, it is very common that employers do not span borders. For example, the independent auditors’ report on Mozilla Foundation notes that the Foundation has a subsidiary, Mozilla Corporation, which in turn has its own subsidiaries in Canada, Europe, and China. Each of these is a different legal entity. Some organizations have multiple legal entities per country. So I’m very hesitant to put in rules about one’s employer. I’ve already run into this when considering whether I could use a Verified Legal Opinion to validate the existence of my own company. The EVGs say "in-house legal practitioner employed by the Applicant” — it turns out none of the lawyers I work with are employed by _my_ employer. They are employed by companies that are Affiliates of my employer. The same problem would come up if there was a requirement that employees of the trust store owner review audit reports — you would presumably be off the list Gerv, as you don’t work for MoFo or MoCo, but rather a different Affiliated company.
Given all this, I recommend we just remove DTP from the BRs and leave it to the CAs and auditors to ensure that they can make the appropriate management assertion and opinion that covers all the operations.
I do think we need to leave a carve out for a constrained RA who can be authorized to perform the actions required in the first two paragraphs in BR section 3.2.5. As was pointed out on the last validation working group call, we don’t need or want CAs calling the customer every time they request a certificate to confirm that they really did request it. If the customer has established a reliable authentication mechanism with the CA, then it seems reasonable to allow the CA to rely upon that to confirm the request authenticity. Under the BRs, this means the become an constrained RA.
Do you think that the path of simply removing DTP is a viable path?
More information about the Public