CA policy documents listing now-prohibited domain validation methods

146 views
Skip to first unread message

Corey Bonnell

unread,
May 3, 2021, 11:52:22 AMMay 3
to dev-secur...@mozilla.org

Hello,

During a recent review of domain validation practices across the industry, it has become apparent that CP/CPSs of several CAs have not been updated to reflect changes to allowed domain validation methods over the past two years.

Given that CAs must accurately document and exhaustively list the domain validation methods used in their processes [1], I encourage CAs to review their policy documents to ensure that they are compliant with the current Baseline Requirements. Special attention should be paid to changes surrounding ballots SC14 [2], SC25 [3], and SC33 [4], where several domain validation methods were prohibited and replacement methods defined.

 

Thanks,

Corey

 

[1] https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Baseline_Requirements

[2] https://cabforum.org/2019/02/01/ballot-sc14-updated-phone-validation-methods/

[3] https://cabforum.org/2020/02/01/ballot-sc25-define-new-http-domain-validation-methods-v2/

[4] https://cabforum.org/2020/08/14/ballot-sc33-tls-using-alpn-method/

 

 

Ryan Sleevi

unread,
May 3, 2021, 2:28:09 PMMay 3
to Corey Bonnell, dev-secur...@mozilla.org
On Mon, May 3, 2021 at 11:52 AM 'Corey Bonnell' via dev-secur...@mozilla.org <dev-secur...@mozilla.org> wrote:

Hello,

During a recent review of domain validation practices across the industry, it has become apparent that CP/CPSs of several CAs have not been updated to reflect changes to allowed domain validation methods over the past two years.

Given that CAs must accurately document and exhaustively list the domain validation methods used in their processes [1], I encourage CAs to review their policy documents to ensure that they are compliant with the current Baseline Requirements. Special attention should be paid to changes surrounding ballots SC14 [2], SC25 [3], and SC33 [4], where several domain validation methods were prohibited and replacement methods defined.

 

Thanks,

Corey


Thanks for raising this, Corey. 

This is a worrying trend that has shown up in several CA incident reports over the past several years.

A small sampling:
Related, we see a similar trend with problem reporting disclosures, which were also something of the "Update your CPS", and which had CAs integrated lessons from those incidents, could and should have prevented the above.
Given that CAs can and should be monitoring for issues affecting any CA in the ecosystem, to help benefit from the incident reporting process and to ensure their own systems are robust, it's especially troubling that there are newer incidents of this still occuring. This is further troubling, given that Mozilla's BR Self-Assessment explicitly states expectations around such disclosures.

Note that if any CAs find there is an oversight with respect to disclosure, an incident report to be filed.

Reply all
Reply to author
Forward
0 new messages