The role of Identity in TLS certificates Buypass CA Who should be represented in the “O” field?

Summary from Ryan S – nov 2015 Buypass CA Recognize we don't have consensus yet for what the O field should present as Recognize that the VWG proposals provide many wonderful security benefits that we shouldn't let them get hungup on resolving 1) Take a pass at the BRs, in their entirety, to find places where the language may be inconsistent with respect to the (unresolved) status quo, and update that language to reflect the present reality Longer term, if this is a topic members are passionate about, which I think we have evidence that some CAs are, work to build consensus as to those goals

Who should be represented in the ”O” field? Buypass CA None – ”Identity is not important” A (well) defined set of entities satisfying some requirements All entities that are allowed according to the current BR/EVG Kirk Hall, author of the content and logical operator of the kirk.example.com origin Example.com, provider of hosting services for Kirk Hall CDN Corp, a CDN that provides SSL/TLS front-end services for example.com, which does not offer them directly Marketing Inc, the firm responsible for designing and maintaining the website on behalf of Kirk Hall Payments LLC, the payment processing firm responsible for handling orders and financial details on kirk.example.com DNS Org, the company who operates the DNS services on behalf of Kirk Hall Mail Corp, the organization who handles the MX records that kirk.example.com responds to

Summary from Phenix Ownership Control Authorization Buypass CA Ownership The Applicant is the owner of the Domain, the Domain Registrant Control The Applicant controls the Domain Authorization The Applicant is authorised to use the Domain

Summary from Phenix – and VWG Buypass CA Ownership The Applicant is the owner of the Domain, the Domain Registrant 3.2.2.4.1 Validating the Applicant as Domain Contact 3.2.2.4.2 Email, Fax, SMS, or Postal Mail to Domain Contact 3.2.2.4.3 Phone Contact with Domain Contact Control The Applicant controls the Domain 3.2.2.4.4 Constructed Email to Domain Contact 3.2.2.4.6 Agreed-Upon Change to Website 3.2.2.4.7 DNS Change 3.2.2.4.8 IP Address 3.2.2.4.9 Test certificate 3.2.2.4.10 TLS Using a Random Number Authorization The Applicant is authorised to use the Domain 3.2.2.4.5 Domain Authorization Document

Who should be in the O-field? Buypass CA Kirk Hall, author of the content and logical operator of the kirk.example.com origin Controls the Content of the Domain (Content Owner) - OK Example.com, provider of hosting services for Kirk Hall The Domain Registrant - OK CDN Corp, a CDN that provides SSL/TLS front-end services for example.com, which does not offer them directly Controls what? Why should they be represented in the O-field? Marketing Inc, the firm responsible for designing and maintaining the website on behalf of Kirk Hall Controls the Content on behalf of the Content Owner. Why should they be represented in the O-field? Payments LLC, the payment processing firm responsible for handling orders and financial details on kirk.example.com N/A by current requirements - OK DNS Org, the company who operates the DNS services on behalf of Kirk Hall Controls the DNS – Why should they be in the O-field? Mail Corp, the organization who handles the MX records that kirk.example.com responds to Controls the email service – Why should they be in the O-field? Other Other entities authorized (by Domain Contact) to use the Domain – Examples?

Next steps Decide on who should be in the O-field (and who should not) Buypass CA Decide on who should be in the O-field (and who should not) Define different categories of entities Domain Owner, Content Owner Etc….. Define acceptable methods for verification for each category E.g by ownership, by control using method A, B or C