
RAs and the BRs


Jeremy Rowley

Apr 18, 2018, 12:22:12 AM
to mozilla-dev-security-policy
There is a way to get zero-validation certs, totally legit, under the BRs.
Currently, the BRs permit pretty much free delegation of Registration
Authorities for everything except domain verification. Without RA audit
requirements or even a requirement that the CA monitor/control the RA, the
cynical side of me doubts whether the verification is enforced without the
CA first receiving a third-party complaint. Section 1.32 permits free RA
delegation if the verification requirements are met by the process as a
whole and a contract exists with the delegated third party to do the
following: "(1) Meet the qualification requirements of Section 5.3.1, when
applicable to the delegated function; (2) Retain documentation in accordance
with Section 5.5.2; (3) Abide by the other provisions of these Requirements
that are applicable to the delegated function; and (4) Comply with (a) the
CA's Certificate Policy/Certification Practice Statement or (b) the
Delegated Third Party's practice statement that the CA has verified complies
with these Requirements." Essentially, as long as there is a) a contract
between the CA and RA, and b) the CA is performing domain verification (and
c) no one complains), the RA is free to do whatever the RA deems
appropriate, permitting the CA to circumvent the BRs and audit oversight.
There's no requirement that the CA audit the RA's role in the verification
process or that the RA provide any reporting to the CA or auditors.
Combined with method 1, there is no obligation the CA actually do anything
to vet the customer or obtain any evidence that the customer even exists.
As you all know, method 1 requires only that the CA confirm the WHOIS
information matches the applicant. As long as the WHOIS information matches,
problem solved. As noted above, the RA is not actually required to do any
validation (just say that they do) so if the RA passes over the WHOIS name
as the verified information, the cert will issue without a second glance.
I realize that method 1 and method 5 are going away (for good reason), but
that doesn't happen until August. I'd be interested in seeing whether
someone can get a cert in this manner from a CA that supports RAs.
Jeremy

Wayne Thayer

Apr 18, 2018, 3:18:39 PM
to Jeremy Rowley, mozilla-dev-security-policy
On Tue, Apr 17, 2018 at 9:21 PM, Jeremy Rowley via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

> There is a way to get zero-validation certs, totally legit, under the BRs.
> Currently, the BRs permit pretty much free delegation of Registration
> Authorities for everything except domain verification. Without RA audit
> requirements or even a requirement that the CA monitor/control the RA, the
> cynical side of me doubts whether the verification is enforced without the
> CA first receiving a third-party complaint. Section 1.32 permits free RA
> delegation if the verification requirements are met by the process as a
> whole and a contract exists with the delegated third party to do the
> following: "(1) Meet the qualification requirements of Section 5.3.1, when
> applicable to the delegated function; (2) Retain documentation in
> accordance with Section 5.5.2; (3) Abide by the other provisions of these
> Requirements that are applicable to the delegated function; and (4) Comply
> with (a) the CA's Certificate Policy/Certification Practice Statement or
> (b) the Delegated Third Party's practice statement that the CA has verified
> complies with these Requirements." Essentially, as long as there is a) a
> contract between the CA and RA, and b) the CA is performing domain
> verification (and c) no one complains), the RA is free to do whatever the
> RA deems appropriate, permitting the CA to circumvent the BRs and audit
> oversight. There's no requirement that the CA audit the RA's role in the
> verification process or that the RA provide any reporting to the CA or
> auditors.
>

BR section 1.3.2 defines a Registration Authority as a Delegated Third
Party. Section 8.7 says:

Except for Delegated Third Parties that undergo an annual audit that meets
the criteria specified in Section 8.1, the CA SHALL strictly control the
service quality of Certificates issued or containing information verified
by a Delegated Third Party by having a Validation Specialist employed by
the CA perform ongoing quarterly audits against a randomly selected sample
of at least the greater of one certificate or three percent of the
Certificates verified by the Delegated Third Party in the period beginning
immediately after the last sample was taken. The CA SHALL review each
Delegated Third Party’s practices and procedures to ensure that the
Delegated Third Party is in compliance with these Requirements and the
relevant Certificate Policy and/or Certification Practice Statement.

The CA SHALL internally audit each Delegated Third Party’s compliance with
these Requirements on an annual basis.

The WebTrust BR audit criteria include a number of controls related to CA
oversight of Delegated Third Parties, including 6.6:

The CA maintains controls to provide reasonable assurance that the CA
internally audits each Delegated Third Party’s compliance with the Baseline
Requirements on an annual basis.

Jeremy Rowley

Apr 23, 2018, 8:58:07 PM
to Wayne Thayer, mozilla-dev-security-policy
A reasonable control can include contractual controls, thus 6.6 is solved simply via contract with the CA. Section 8.7 does give some control (and I missed that when going through this the first time), but the audit criteria are only that the CA reviews a 3% sample. As long as I documented that I review the RA practices and did the 3% review (regardless of the results), then the CA escapes oversight on its validation process.