[cabf_validation] *Please review ASAP* Updated domain validation draft

kirk...@trendmicro.com

Aug 27, 2015, 2:49:15 PM
to valid...@cabforum.org

I attach an updated Domain Validation draft revision, dated today (Aug. 27) in track changes mode from the Aug. 26 draft we discussed this morning.

I added a new Method 10 (line M) to cover the cases where the CA is also the Registrar. Wayne, can you edit?

Jeremy, you said you had additional Authorized Ports to propose – please send to this list today if possible.

The definition for Random Value (line Z) has changed as we discussed, so we can use the term everywhere. Per our discussion, we only specify minimum entropy for two cases – automated processes, and practical demonstration in the DNS record. Otherwise, the Random Value can be a value specified by the CA that is unknown to the Applicant. Isn’t that what we decided?

For everyone else – please review and see if this is ready to forward to the Forum members TOMORROW for first discussion next Thursday. Meaning, please provide your comments today or tomorrow morning at the latest.

New Domain Validation Draft 8-27-2015.docx

Doug Beattie

Aug 27, 2015, 3:33:52 PM
to kirk...@trendmicro.com, valid...@cabforum.org

Hi Kirk,

Good updates.

Should #4 also be updated to use Random Value?

Z) the use of Random Value is now used in more places than just 6 and 7, so the info in the right column needs to be updated

Nit-pick: If the FQDN starts with a wildcard character, then the CA MUST remove all wildcard labels from the left most portion of requested FQDN, if any

If you want to send out a version with tracking, that’s OK, but I think you should definitely send out a clean version for people to review and comment on.

Rick Andrews

Aug 27, 2015, 5:53:51 PM
to kirk...@trendmicro.com, valid...@cabforum.org

Thanks for pulling this together, Kirk (and whoever helped you, if you had help). I added a couple of comments/questions.

-Rick

New Domain Validation Draft 8-27-2015_Rick.docx

kirk...@trendmicro.com

Aug 27, 2015, 8:13:17 PM
to Doug Beattie, valid...@cabforum.org

Thanks, Doug, I made all the changes.  And yes, I will send out only a clean version to the Public list, probably tomorrow.

kirk...@trendmicro.com

Aug 27, 2015, 8:29:57 PM
to Rick Andrews, valid...@cabforum.org

Rick, I think I saw only two comments or changes.

I will change “Domain Validation” to “Validation of Domain Ownership or Control” for the new title of 3.2.2.4 as you suggest.

The other comment I saw was about CNAME for Method 8. On the call today, CNAME was raised, and someone said the issue is “covered” by the new definition of Authorization Domain Name (see below). Do you agree?

Were there any other issues you raised?

Authorization Domain Name: The Domain Name used to obtain authorization for certificate issuance for a given FQDN. The CA may use the FQDN returned from a DNS CNAME lookup as the FQDN for the purposes of domain validation. If the FQDN starts with a wildcard character, then the CA MUST remove all wildcard labels from the left most portion of requested FQDN. The CA may prune zero or more labels from left to right until encountering a Base Domain Name and may use any one of the intermediate values for the purpose of domain validation.

From: Rick Andrews [mailto:Rick_A...@symantec.com]
Sent: Thursday, August 27, 2015 2:54 PM
To: Kirk Hall (RD-US); valid...@cabforum.org
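
The label handling in the Authorization Domain Name definition quoted above, as an added example that is not part of the thread or the draft. It assumes a small constructed suffix set in place of a real public-suffix list, takes the CNAME target as a parameter instead of querying DNS, and all function names are hypothetical.

```python
# Constructed stand-in for a public-suffix list (assumption, not from the draft).
SAMPLE_PUBLIC_SUFFIXES = {"com", "org", "co.uk"}


def strip_wildcards(fqdn):
    """Remove every wildcard label from the left-most portion of the FQDN."""
    labels = fqdn.lower().rstrip(".").split(".")
    while labels and labels[0] == "*":
        labels.pop(0)
    # Assumption of this example: a wildcard anywhere else is rejected,
    # since the definition only describes left-most wildcard labels.
    if not labels or "*" in labels or "" in labels:
        raise ValueError(f"unsupported name: {fqdn!r}")
    return ".".join(labels)


def base_domain_name(name, suffixes=SAMPLE_PUBLIC_SUFFIXES):
    """Longest matching registry suffix plus the one label to its left."""
    labels = name.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            if i == 0:
                raise ValueError(f"{name!r} is itself a registry suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known suffix for {name!r}")


def authorization_domain_names(fqdn, cname_target=None,
                               suffixes=SAMPLE_PUBLIC_SUFFIXES):
    """Every name the quoted definition would let a CA validate for `fqdn`.

    cname_target: the FQDN returned by a CNAME lookup, if the CA chooses to
    use it (passed in here so the example runs offline).
    """
    start = strip_wildcards(cname_target if cname_target else fqdn)
    base = base_domain_name(start, suffixes)
    candidates = [start]
    # Prune one label at a time, left to right, stopping at the Base Domain Name.
    while candidates[-1] != base:
        candidates.append(candidates[-1].split(".", 1)[1])
    return candidates


if __name__ == "__main__":
    print(authorization_domain_names("*.www.shop.example.co.uk"))
    print(authorization_domain_names("www.example.com",
                                     cname_target="edge.cdn-host.org"))
```

With a CNAME target supplied, every candidate belongs to the target's domain rather than the requested one, which is why it matters whether a validation method refers to the requested FQDN or to the Authorization Domain Name.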

Rick Andrews

Aug 28, 2015, 12:41:57 PM
to kirk...@trendmicro.com, valid...@cabforum.org

Kirk, I saw that mention of CNAME, but I didn’t think it covered my concern. The new method 8 (K) says “Having the Applicant demonstrate control over the requested FQDN by the CA confirming that the Applicant controls an IP address returned from a DNS lookup for A or AAAA records for the requested FQDN in accordance with section 3.2.2.5; or”. So the new method isn’t tied to the definition of Authorization Domain Name.

How about if method 8 said “Having the Applicant demonstrate control over the requested FQDN by the CA confirming that the Applicant controls an IP address returned from a DNS lookup for A or AAAA records for the Authorization Domain Name in accordance with section 3.2.2.5; or”

That would make it similar to the other uses of Authorization Domain Name in the doc.

-Rick

kirk...@trendmicro.com

Aug 28, 2015, 1:05:45 PM
to Rick Andrews, valid...@cabforum.org

I like it and will add now.  Thanks.
