Re: BR11.1 Authorization by Domain Name Registrant

14 views
Skip to first unread message

Ian G

unread,
Apr 25, 2011, 7:05:43 PM4/25/11
to mozilla-dev-s...@lists.mozilla.org, Tom Ritter
On 21/04/11 1:32 AM, Tom Ritter wrote:
> While reading the Baseline Requirements, I noticed that this section contains specific requirements for the different confirmation methods - via Registrar, via email, when a proxy registration has been used. And it states that confirmation MUST be done to ensure "the Applicant either had the right to use, or had control of, the Fully-Qualified Domain Name(s) and/or IP address(es) listed in the Certificate, or was authorized by a person having such right or control".
>
> But the method of confirmation is not laid out in a requirement. The three mentioned (registrar, email, and proxy) are mentioned in the context of "If the CA uses this method", without mandating that _one_ of these methods must be used; leaving open to the possibility of using another method (without requirements spelled out). For example, a CA could get the telephone number from the WHOIS, call it, and confirm information on the CSR and use that as verification.
>
> Am I misunderstanding things, or is this vagueness intentional?


Yes, it's almost certainly intentional. The thing is, the high level
document should state the high level requirement, and leave
implementation to the CA.

When we state how the implementation is done in a high level document,
we generally block things we don't understand. If we are subject to
group-think (as we are) we end up stopping innovation and things outside
our view.

What is left over is how the requirement is tested. This is typically
left to the audit process. People have (quite rightly) grumbled that
this doesn't work very well (for whatever reason), but the answer is
definately not to tighten the screws on the high level document.

iang

Stephen Davidson

unread,
Apr 25, 2011, 9:00:41 PM4/25/11
to Ian G, Tom Ritter, mozilla-dev-s...@lists.mozilla.org
On Apr 25, 2011, at 8:05 PM, "Ian G" <ia...@iang.org> wrote:

> Yes, it's almost certainly intentional. The thing is, the high level document should state the high level requirement, and leave implementation to the CA.

There are a number of US patents covering aspects of domain validation for SSL certificates. The BR has to tread a fine line between laying out good practice and requiring CAs to follow a process that might intrude on a patented process.

Ian G

unread,
Apr 27, 2011, 4:17:34 PM4/27/11
to mozilla-dev-s...@lists.mozilla.org


I'm really surprised that there's been no more commentary on this. Are
we to conclude that the CAB Forum is working to protect the interests of
competitive parties jousting in a patent battle?

There appears to be no disclosure requirements, and no licensing
requirements. Does this mean that CAB Forum members (c.f. jurisdiction)
at risk of submarine patents? Are these torpedoe documents?

iang

Jeremy Rowley

unread,
Apr 27, 2011, 4:22:16 PM4/27/11
to Ian G, mozilla-dev-s...@lists.mozilla.org
The CAB Forum is currently working towards an IPR. Hopefully this will be
in place prior to adoption of the BR.

Jeremy

iang
_______________________________________________
dev-security-policy mailing list
dev-secur...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply all
Reply to author
Forward
0 new messages