The CA/Browser forum has concrete guidelines on address, email, domain verification outlined here.
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.6.pdf

All public CAs should follow these, or face blacklisting. CAs don’t want to risk being the next Symantec.

"
3.2.2.1. Identity
If the Subject Identity Information is to include the name or address of an organization, the CA SHALL verify the identity and address of the organization and that the address is the Applicant’s address of existence or operation. The CA SHALL verify the identity and address of the Applicant using documentation provided by, or through communication with, at least one of the following:
1. A government agency in the jurisdiction of the Applicant’s legal creation, existence, or recognition;
2. A third party database that is periodically updated and considered a Reliable Data Source;
3. A site visit by the CA or a third party who is acting as an agent for the CA; or
4. An Attestation Letter.
The CA MAY use the same documentation or communication described in 1 through 4 above to verify both the Applicant’s identity and address. Alternatively, the CA MAY verify the address of the Applicant (but not the identity of the Applicant) using a utility bill, bank statement, credit card statement, government-issued tax document, or other form of identification that the CA determines to be reliable.
"

"
3.2.2.3. Verification of Country
If the subject:countryName field is present, then the CA SHALL verify the country associated with the Subject using one of the following: (a) the IP Address range assignment by country for either (i) the web site’s IP address, as indicated by the DNS record for the web site or (ii) the Applicant’s IP address; (b) the ccTLD of the requested Domain Name; (c) information provided by the Domain Name Registrar; or (d) a method identified in Section 3.2.2.1. The CA SHOULD implement a process to screen proxy servers in order to prevent reliance upon IP addresses assigned in countries other than where the Applicant is actually located.
"

There is also a bunch of stuff in there about emails including:

"
3.2.2.4.4 Constructed Email to Domain Contact
Confirm the Applicant's control over the FQDN by (i) sending an email to one or more addresses created by using 'admin', 'administrator', 'webmaster', 'hostmaster', or 'postmaster' as the local part, followed by the at-sign ("@"), followed by an Authorization Domain Name, (ii) including a Random Value in the email, and (iii) receiving a confirming response utilizing the Random Value.
"

-----Original Message-----
From: Emu <emu-boun...@ietf.org> On Behalf Of Michael Richardson
Sent: 13 November 2019 23:27
To: emu@ietf.org
Subject: Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

On 2019-11-13 7:40 a.m., Alan DeKok wrote:
> On Nov 12, 2019, at 3:13 PM, Cappalli, Tim (Aruba) <t...@hpe.com> wrote:
>> How does a public CA prove ownership of an SSID?

> Do public CAs *always* verify addresses and/or telephone numbers, which are
> normally included in certificates?

They are? I've rarely seen it.

I think that if it's in the certificate, then they have verified them. I can remember in the bad old days providing CAs with notarized articles of incorporation, etc. I haven't done that this decade though, and I haven't seen that kind of info. CAs won't include anything they can't verify.

> Do public CAs verify that email addresses in the certificate work?

Yes, they do, by sending a challenge to it.

> Do public CAs verify that the OIDs in the certificate match the intended
> use-cases?

Most won't include OIDs.

> Is there a global registry of SSIDs which the public CA could use to verify
> the SSID?

No, SSIDs are a local matter.

One could (and I do) use FQDNs as the SSID. That's the only way I can see this working.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
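The Constructed Email to Domain Contact check quoted from section 3.2.2.4.4, modelled in Python as an added example (not code from the list thread, the Baseline Requirements, or any CA): it builds the five permitted contact addresses for an Authorization Domain Name, issues a fresh Random Value per challenge, and accepts a confirming response only if the value is known, unexpired and unused. The 30-day validity window and the 128-bit value length are this example's own parameters, not taken from the quoted text; the domain name and timestamps are constructed sample input.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Local parts the quoted BR text permits for a "constructed" domain-contact address.
CONSTRUCTED_LOCAL_PARTS = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")


def constructed_addresses(authorization_domain_name: str) -> list[str]:
    """Return every address this method may use: <local part>@<Authorization Domain Name>."""
    adn = authorization_domain_name.strip().rstrip(".").lower()
    if not adn or "@" in adn:
        raise ValueError("Authorization Domain Name must be a bare domain name")
    return [f"{local}@{adn}" for local in CONSTRUCTED_LOCAL_PARTS]


@dataclass
class Challenge:
    address: str
    random_value: str
    expires_at: datetime
    used: bool = False


class DomainContactValidator:
    """Issues challenges and checks confirming responses; validity window is assumed, not from the BRs."""

    def __init__(self, validity: timedelta = timedelta(days=30)):
        self.validity = validity
        self._open: dict[str, Challenge] = {}

    def issue(self, adn: str, local_part: str, now: datetime) -> Challenge:
        if local_part not in CONSTRUCTED_LOCAL_PARTS:
            raise ValueError(f"{local_part!r} is not a permitted constructed local part")
        address = constructed_addresses(adn)[CONSTRUCTED_LOCAL_PARTS.index(local_part)]
        # 128 bits from the OS CSPRNG; the Random Value is the only secret in this exchange.
        ch = Challenge(address, secrets.token_urlsafe(16), now + self.validity)
        self._open[ch.random_value] = ch
        return ch

    def confirm(self, response_value: str, now: datetime) -> bool:
        """Accept only a known Random Value that is still valid and has not been used before."""
        for value, ch in self._open.items():
            if hmac.compare_digest(value, response_value):  # constant-time match
                if ch.used or now > ch.expires_at:
                    return False
                ch.used = True  # single use: a replayed confirmation must fail
                return True
        return False


def run_demo() -> dict:
    """Constructed walk-through: one challenge, then the responses a CA must reject."""
    t0 = datetime(2019, 11, 14, tzinfo=timezone.utc)
    v = DomainContactValidator()
    ch = v.issue("example.com", "hostmaster", t0)
    return {
        "address": ch.address,
        "wrong_value": v.confirm("not-the-value", t0),
        "late": v.confirm(ch.random_value, t0 + timedelta(days=31)),
        "ok": v.confirm(ch.random_value, t0 + timedelta(days=2)),
        "replay": v.confirm(ch.random_value, t0 + timedelta(days=2)),
    }
```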