On Thu, 28 Feb 2019 05:52:14 +0000
Jeremy Rowley via dev-security-policy
> 4. The validation agent specified the approval scope as id-addr.arpa
I assume this is a typo by you not the agent, for in-addr.arpa ?
Meanwhile, and without prejudice to the report itself once made:
> 2. The system marked the WHOIS as unavailable for automated parsing
> (generally, this happens if we are being throttled or the WHOIS info
> is behind a CAPTCHA), which allows a validation agent to manually
> upload a WHOIS document
This is a potentially large hole in issuance checks based on WHOIS.
Operationally the approach taken ("We can't get it to work, press on")
makes sense, but if we take a step back there's obvious potential for
nasty security surprises like this one.
There has to be something we can do here, I will spitball something in
a next paragraph just to have something to start with, but to me if it
turns out we can't improve on basically "sometimes it doesn't work so
we just shrug and move on" we need to start thinking about deprecating
this approach altogether. Not just for DigiCert, for everybody.
- Spitball: What if the CA/B went to the registries, at least the big
ones, and said we need this, strictly for this defined purpose, give
us either reliable WHOIS, or RDAP, or direct database access or
_something_ we can automate to do these checks ? The nature of CA/B
may mean that it's not appropriate to negotiate paying for this
(pressuring suppliers to all agree to offer members the same rates is
just as much a problem as all agreeing what you'll charge customers)
but it should be able to co-ordinate making sure members get access,
and that it isn't opened up to dubious data resellers that the
registries don't want rifling through their database.
My argument to the registries would be that this is a service for their
customers. Unlike the data resellers, either the registry customer, or
some agent of theirs is asking you to authenticate their registration,
so giving you access makes sense as part of what the registry does for
its customers anyway.
> 7. During the review, no one noticed that the WHOIS document did not
> match the verification email nor did anyone notice that the email
> used for verification was actually a constructed email instead of the
> WHOIS admin email
So, reviews are good, but this review was not very effective. Valuable
to consider in the final report why not and how that can be improved.
Just to be clear though, are you sure "no one noticed" ? It can happen
that in review processes somebody does notice the issue, but they
are persuaded or persuade themselves that it's fine. A British railway
incident occurred when the person transcribing a document effectively
"moved" a railway crossing. Manual reviewers did see it, and so did the
controllers responsible for managing the crossing, but both persuaded
themselves that the movement must be a correction and approved it.
With the crossing now shown in the wrong place, instructions authorising
use of the crossing were no longer protected by the controller's view
of the movement of trains, this resulted in a "near miss" and thanks to
the victim's persistence in demanding it be properly investigated
fortunately accident investigators visited the crossing, found the
mistake and had things corrected before anyone died.