CA policy documents listing now-prohibited domain validation methods

Corey Bonnell

May 3, 2021, 11:52:22 AM
to dev-secur...@mozilla.org

Hello,

During a recent review of domain validation practices across the industry, it has become apparent that CP/CPSs of several CAs have not been updated to reflect changes to allowed domain validation methods over the past two years.

Given that CAs must accurately document and exhaustively list the domain validation methods used in their processes [1], I encourage CAs to review their policy documents to ensure that they are compliant with the current Baseline Requirements. Special attention should be paid to changes surrounding ballots SC14 [2], SC25 [3], and SC33 [4], where several domain validation methods were prohibited and replacement methods defined.

Thanks,

Corey

[1] https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Baseline_Requirements

[2] https://cabforum.org/2019/02/01/ballot-sc14-updated-phone-validation-methods/

[3] https://cabforum.org/2020/02/01/ballot-sc25-define-new-http-domain-validation-methods-v2/

[4] https://cabforum.org/2020/08/14/ballot-sc33-tls-using-alpn-method/

Ryan Sleevi

May 3, 2021, 2:28:09 PM
to Corey Bonnell, dev-secur...@mozilla.org
On Mon, May 3, 2021 at 11:52 AM 'Corey Bonnell' via dev-secur...@mozilla.org <dev-secur...@mozilla.org> wrote:

Hello,

During a recent review of domain validation practices across the industry, it has become apparent that CP/CPSs of several CAs have not been updated to reflect changes to allowed domain validation methods over the past two years.

Given that CAs must accurately document and exhaustively list the domain validation methods used in their processes [1], I encourage CAs to review their policy documents to ensure that they are compliant with the current Baseline Requirements. Special attention should be paid to changes surrounding ballots SC14 [2], SC25 [3], and SC33 [4], where several domain validation methods were prohibited and replacement methods defined.

Thanks,

Corey


Thanks for raising this, Corey. 

This is a worrying trend that has shown up in several CA incident reports over the past several years.

A small sampling:
Related, we see a similar trend with problem reporting disclosures, which were also something of the "Update your CPS", and which had CAs integrated lessons from those incidents, could and should have prevented the above.
Given that CAs can and should be monitoring for issues affecting any CA in the ecosystem, to help benefit from the incident reporting process and to ensure their own systems are robust, it's especially troubling that there are newer incidents of this still occurring. This is further troubling, given that Mozilla's BR Self-Assessment explicitly states expectations around such disclosures.

Note that if any CAs find there is an oversight with respect to disclosure, an incident report is to be filed.
