Shame on you, Comodo!

1) You are wrong about Domain Validation: CAs do NOT “validate requester owns the domain” as you wrongly claim. CAs only check if the requester has “control” of the domain. This “requester” could be the hacker who is controlling the domain, and they would still get a certificate.

Granted, that was poor wording on my side. Regardless, this is the first revocation scenario I described; a falsely issued certificate.

2) CABforum guidelines:) https://en.wikipedia.org/wiki/CA/Browser_Forum

I’m not sure what you’re trying to say with this. Yes, that’s the organization I was referring to, and the linked excerpt comes from their EV guidelines, section 2.1.3.

Well, but it is also about HOW you check “domain control”. I personally would say either over administrative email addresses (postmaster etc.), DNS (if you can mess with DNS you can also change the mail server) or the email address listed in the whois.

I personally think that just uploading an HTML text or whatever file isn’t that good.

If you have DNS (depending on which level of control, e.g. state-level control etc.), then you can re-route the web traffic too.

Yes, but getting control of the DNS is harder than MITM’ing an HTTP connection, especially if the DNS is nicely secured (I have 2-factor auth in place for that).

My point is that web should not be done, since it’s pretty low.

DNS or admin/whois email addresses are, in my opinion, the best ways, because from what I know DNS servers generally have fewer people who can access them from the inside than the web server, most probably because the DNS servers are also important for email delivery and other stuff you may have in the DNS.

At ISP and state level, DNS has been known to be re-routed.
If you are talking about a specific attack just on your enterprise and how you can protect yourself and your enterprise, then I concur. However, then the security is only as good as the path that your email servers take. Again, they can be hacked and traffic for them could be re-routed, depending on what kind of mail server you are dealing with.

And that’s one point where DANE plus a 2-step-auth DNS server (e.g. Cloudflare, which can be used as a pure DNS server; I do that) would really shine.

In that case, even if the DNS were rerouted: if you know that a place has DNSSEC and it suddenly doesn’t have it when accessing it from a different location (there are enough web services for that), you can know something is wrong.

And in that case a self-signed (or created by your own CA) TLSA cert is actually a better kind of auth for that.
Why? Simple. Without the TLSA part the cert doesn’t have any trust anchor, and unlike CAs, DNSSEC has a much stricter trust model, meaning that even if the Chinese government had something against me, they can’t force a Chinese CA or the maintainer of the Chinese TLD DNSSEC key (assuming they have DNSSEC) to manipulate my site, because they CAN’T.

With DNSSEC everything binds to ONE root key, and you can only create DNSSEC-signed stuff for the same level or below ON THE SAME BRANCH.

And in case they tried to cut off the DNSSEC data, the TLSA cert wouldn’t make any sense to the browsers (because there is no TLSA/DANE without DNSSEC), since they don’t trust that, and only then could they get a CA in their legislation to do stuff.
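The DANE/TLSA binding described in the post above, as an added example that is not from this thread or from any project: it parses a TLSA record, computes the association data a certificate must match, and shows which certificate usages still depend on a CA-anchored chain and which (self-signed DANE-EE) do not. The DER byte strings are constructed stand-ins, not real certificates.

```python
# Added example (not from this thread): how a DANE/TLSA record binds a TLS cert
# to DNSSEC-signed DNS (RFC 6698). DER byte strings below are constructed stand-ins.
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes         # certificate association data

def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the presentation format '<usage> <selector> <mtype> <hex...>'."""
    parts = presentation.split()
    if len(parts) < 4:
        raise ValueError("TLSA needs usage, selector, matching type and data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in range(4) or selector not in range(2) or mtype not in range(3):
        raise ValueError("unknown TLSA usage/selector/matching type")
    # the hex data may be wrapped into several whitespace-separated chunks
    return TLSARecord(usage, selector, mtype, bytes.fromhex("".join(parts[3:])))

def association_data(cert_der: bytes, spki_der: bytes,
                     selector: int, mtype: int) -> bytes:
    """What the record's data field must hold for this certificate."""
    chosen = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return chosen
    digest = hashlib.sha256 if mtype == 1 else hashlib.sha512
    return digest(chosen).digest()

def make_tlsa(usage: int, selector: int, mtype: int,
              cert_der: bytes, spki_der: bytes) -> str:
    """The record a site operator publishes for its certificate."""
    data = association_data(cert_der, spki_der, selector, mtype)
    return f"{usage} {selector} {mtype} {data.hex()}"

def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Does the certificate presented in the TLS handshake match the record?"""
    expected = association_data(cert_der, spki_der,
                                record.selector, record.matching_type)
    return expected == record.data

def needs_pkix_chain(record: TLSARecord) -> bool:
    """Usages 0/1 still need a CA-anchored chain; 2/3 (e.g. self-signed DANE-EE) do not."""
    return record.usage in (0, 1)

# constructed stand-ins for the DER-encoded certificate and its SPKI
CERT_DER = b"constructed-der-certificate-bytes"
SPKI_DER = b"constructed-der-subjectpublickeyinfo-bytes"
```

A validating resolver must also confirm the TLSA RRset is DNSSEC-authenticated before any of this matching is meaningful.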

I agree DNS needs some work!

Well the news recently seems to be Comodo trying to undermine Let’s Encrypt by applying for the same name as a trademark … after they have already become established

A bit underhanded, don’t you think? I thought they posed no threat to you?

Why are (or why were, if it’s true that you are no longer pursuing this course) you doing this?

W33d3r I split your post from the other topic and merged it with this one. Please notice that Comodo is not pursuing to use the Let’s Encrypt brand name:

This topic should be considered complete.
Everything has been said and this issue is resolved.

No, it’s not finished until Melih fesses up to why he started trying to claim the name for the trademarks when he knew full well that someone else was using it.

An open source project designed for the betterment of the internet was being attacked by Comodo … Yes the Express Abandonment is now filed …

But Melih is avoiding answering why he did it in the first place.

An apology for publicly making a bad judgement call would be good and pave the way for trust to come back to Comodo, because right now the company has lost a huge amount of that in the eyes of the public.

This company is supposed to be about trust, isn’t it?

The topic has just been watered down with technical babble so far by the CEO

The questions people want answered throughout the topic have just been studiously avoided.

@Eric - Thank you for moving the post, I did a search before posting but was not aware of this topic.

Agreed…just flogging a dead horse now.

We applied before the product was launched. This is when the project was looking for funds and there was a chance that it wouldn’t launch.
When it launched we decided to abandon the application. We meant no harm and there was no harm done to anyone.

I don’t believe encryption without authentication blindly makes the internet a safer place (see the other topic on this).
Sponsors of LE, imo, are using LE to subsidize their certificate costs by getting others to donate to/sponsor LE.

LE is NOT a CHARITY!!!

(Difference Between Charity and Non Profit | Compare the Difference Between Similar Terms)

A Charity is designed to help social causes etc…LE IS NOT A CHARITY…

So the $10 an end user donates to LE might actually end up subsidizing the likes of Akamai, Cisco and OVH, who need millions of certificates themselves and have now found a way to get the end users to subsidize it. All this while running unmanaged certificates which are NOT revoked in a timely manner, hurting consumers! (Do you want certificates staying unrevoked although they are being used by phishers and malware people?)

You are wrong with your statement that “CA is to validate identities, nothing more, nothing less”: you are half reading the documents provided without realizing there is another standards document… read “4” please…

EV Guidelines just refer back to the Baseline Requirements which state [emphasis mine]:

4.9.1.1 Reasons for Revoking a Subscriber Certificate
The CA SHALL revoke a Certificate within 24 hours if one or more of the following occurs:

  1. The Subscriber requests in writing that the CA revoke the Certificate;
  2. The Subscriber notifies the CA that the original certificate request was not authorized and does not retroactively grant authorization;
  3. The CA obtains evidence that the Subscriber’s Private Key corresponding to the Public Key in the Certificate suffered a Key Compromise or no longer complies with the requirements of Sections 6.1.5 and 6.1.6;
  4. The CA obtains evidence that the Certificate was misused;
  5. The CA is made aware that a Subscriber has violated one or more of its material obligations under the Subscriber Agreement or Terms of Use;
  6. The CA is made aware of any circumstance indicating that use of a Fully-Qualified Domain Name or IP address in the Certificate is no longer legally permitted (e.g. a court or arbitrator has revoked a Domain Name Registrant’s right to use the Domain Name, a relevant licensing or services agreement between the Domain Name Registrant and the Applicant has terminated, or the Domain Name Registrant has failed to renew the Domain Name);
  7. The CA is made aware that a Wildcard Certificate has been used to authenticate a fraudulently misleading subordinate Fully-Qualified Domain Name;
  8. The CA is made aware of a material change in the information contained in the Certificate;
  9. The CA is made aware that the Certificate was not issued in accordance with these Requirements or the CA’s Certificate Policy or Certification Practice Statement;
  10. The CA determines that any of the information appearing in the Certificate is inaccurate or misleading;
  11. The CA ceases operations for any reason and has not made arrangements for another CA to provide revocation support for the Certificate;
  12. The CA’s right to issue Certificates under these Requirements expires or is revoked or terminated, unless the CA has made arrangements to continue maintaining the CRL/OCSP Repository;
  13. The CA is made aware of a possible compromise of the Private Key of the Subordinate CA used for issuing the Certificate;
  14. Revocation is required by the CA’s Certificate Policy and/or Certification Practice Statement; or
  15. The technical content or format of the Certificate presents an unacceptable risk to Application Software Suppliers or Relying Parties (e.g. the CA/Browser Forum might determine that a deprecated cryptographic/signature algorithm or key size presents an unacceptable risk and that such Certificates should be revoked and replaced by CAs within a given period of time).

I just got here after reading the news.

90 days free: if that’s a new, never-before-seen invention, why claim their name as a trademark, just because they didn’t? Why not go to a court and say 90 days is our invention? If that was the grounds.

I just wondered about this justification.

And what about sandbox? Antivirus? Cloud scan?
Just to put it in perspective.

In the same quote you quoted Melih stated:

I just wondered about this justification.

And what about sandbox? Antivirus? Cloud scan?
Just to put it in perspective.

Did you actually read the topic? Sorry you’re mustard after the meal.

I asked 2 questions, based on the post sequence I quoted.

Why go for the name, and not for the “unique invention” of “90 days”? If that was a property?

And why then use well-known names of things to advertise your own product? Like:
What is the reasonable justification between claiming “90” but using “sandbox”? For example.

And then you refer to mustard and meals… which is at least as much reasoning as 90, though.
So I think my questions are answered.

Agreed, enough is enough. This sh!t is clogging up the forum.

“The long term versus the short term argument is one used by losers.” - Lord Acton

Thank you.
This thread has become filled with trolls only.
Topic locked.