<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
p.msochpdefault, li.msochpdefault, div.msochpdefault
{mso-style-name:msochpdefault;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Calibri","sans-serif";}
span.htmlpreformattedchar0
{mso-style-name:htmlpreformattedchar;
font-family:Consolas;}
span.emailstyle19
{mso-style-name:emailstyle19;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.spelle
{mso-style-name:spelle;}
span.EmailStyle24
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle25
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Can someone with temporary control over a web site modify WHOIS records?
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> Jeremy Rowley [mailto:jeremy.rowley@digicert.com]
<br>
<b>Sent:</b> Thursday, April 16, 2015 8:10 AM<br>
<b>To:</b> Jeremy Rowley; Anoosh Saboori<br>
<b>Cc:</b> public@cabforum.org<br>
<b>Subject:</b> RE: [cabfpub] Domain validation<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I think #6 is sufficiently strong as it uses the /.well-known/certificate directory. It’s at least on par with validation via WHOIS.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">
<a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Jeremy Rowley<br>
<b>Sent:</b> Thursday, April 16, 2015 9:00 AM<br>
<b>To:</b> Anoosh Saboori<br>
<b>Cc:</b> <a href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] Domain validation<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">No a lawyer cannot send the domain authorization document. The definition was not modified.<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<br>
Anoosh Saboori <<a href="mailto:ansaboor@microsoft.com">ansaboor@microsoft.com</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Sorry for the late chime-in, since I was out for a few weeks, and thanks, Jeremy, for sending this out. I have two questions:
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">1.</span><span style="font-size:7.0pt;color:#1F497D">
</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Regarding #5 below, it is not clear to me what constitutes a “Domain Authorization Document”. Can a lawyer send this document?
</span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2.</span><span style="font-size:7.0pt;color:#1F497D">
</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">#6 does not seem to be on par with the rest of the items, which require checking a
<span class="spelle">CNAME</span> record, DNS record changes, control over an IP, … Anybody with temporary control of a web site can pass this test. Can we make this requirement stronger, maybe by combining it with one of the other bullets?</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Anoosh</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">
</span><a href="mailto:public-bounces@cabforum.org"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">public-bounces@cabforum.org</span></a><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> [</span><a href="mailto:public-bounces@cabforum.org"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">mailto:public-bounces@cabforum.org</span></a><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">]
<b>On Behalf Of </b></span><a href="mailto:robin@comodo.com"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">robin@comodo.com</span></a><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><br>
<b>Sent:</b> Wednesday, April 15, 2015 5:38 PM<br>
<b>To:</b> Jeremy Rowley; </span><a href="mailto:public@cabforum.org"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">public@cabforum.org</span></a><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><br>
<b>Subject:</b> Re: [cabfpub] Domain validation</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif"">Hi Jeremy, I have an amendment to offer too. I will get it out overnight and then endorse if it is acceptable. Sorry, I didn't mean to do this at the last minute.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif""> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif"">Robin</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif""> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif"">Sent from my phone.</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif""> </span><o:p></o:p></p>
<div id="htc_header">
<p class="MsoNormal"><span style="font-family:"Calibri","sans-serif"">----- Reply message -----<br>
From: "Jeremy Rowley" <</span><a href="mailto:jeremy.rowley@digicert.com"><span style="font-family:"Calibri","sans-serif"">jeremy.rowley@digicert.com</span></a><span style="font-family:"Calibri","sans-serif"">><br>
To: "</span><a href="mailto:public@cabforum.org"><span style="font-family:"Calibri","sans-serif"">public@cabforum.org</span></a><span style="font-family:"Calibri","sans-serif"">" <</span><a href="mailto:public@cabforum.org"><span style="font-family:"Calibri","sans-serif"">public@cabforum.org</span></a><span style="font-family:"Calibri","sans-serif"">><br>
Subject: [cabfpub] Domain validation<br>
Date: Wed, Apr 15, 2015 7:28 PM</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<pre>With removal of the opinion letters, I think this is ready for a ballot. Are there two endorsers?<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>Amendment to Section 11.1.1 of CA/Browser Forum Baseline Requirements to clarify acceptable methods of validating domain control:<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>1) Add the following definitions:<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>Base Domain: The portion of an applied-for FQDN that is the first domain name node left of a registry-controlled or public suffix plus the registry-controlled or public suffix (e.g. "domain.co.uk" or "domain.com").<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>Random Value: A value specified by a CA to the Applicant that exhibits 128 bits of entropy.<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>2) Section 11.1.1 of the CA/Browser Forum's Baseline Requirements is amended as follows:<o:p></o:p></pre>
<pre>...<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>11.1.1 Authorization by Domain Name Registrant<o:p></o:p></pre>
<pre>For each Fully-Qualified Domain Name listed in a Certificate, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant either is the Domain Name Registrant or has control over the FQDN by:<o:p></o:p></pre>
<pre>1. Confirming the Applicant as the Domain Name Registrant directly with the Domain Name Registrar through a Reliable Method of Communication, for example using information provided through WHOIS; or<o:p></o:p></pre>
<pre>2. Confirming authorization of the Certificate's issuance directly with the Domain Name Registrant using a Reliable Method of Communication that is (i) obtained from the Domain Name Registrar or (ii) listed as the "registrant", "technical", or "administrative" contact for the WHOIS record of the Base Domain; or<o:p></o:p></pre>
<pre>4. Confirming authorization for the Certificate's issuance through an email address created by pre-pending 'admin', 'administrator', 'webmaster', 'hostmaster', or 'postmaster' in the local part, followed by the at-sign ("@"), followed by the Domain Name, which may be formed by pruning zero or more components from the requested FQDN; or<o:p></o:p></pre>
<pre>5. Relying upon a Domain Authorization Document that meets the requirements listed below; or<o:p></o:p></pre>
<pre>6. Having the Applicant demonstrate control over the FQDN or Base Domain by adding a file containing a Random Value to the "/.well-known/certificate" directory at either the FQDN or the Base Domain in accordance with RFC 5785; or<o:p></o:p></pre>
<pre>7. Having the Applicant demonstrate control over the FQDN or Base Domain by the Applicant making a change to information in a DNS record for the FQDN or Base Domain where the change is a Random Value; or<o:p></o:p></pre>
<pre>8. Having the Applicant demonstrate control over the requested FQDN by the CA confirming, in accordance with section 11.1.1, that the Applicant controls the FQDN (or Base Domain of the FQDN) returned from a DNS lookup for CNAME records for the requested FQDN; or<o:p></o:p></pre>
<pre>9. Having the Applicant demonstrate control over the requested FQDN by the CA confirming, in accordance with section 11.1.2, that the Applicant controls an IP address returned from a DNS lookup for A or AAAA records for the requested FQDN; or<o:p></o:p></pre>
<pre>10. Having the Applicant demonstrate control over the FQDN by providing a TLS service on a host found in DNS for the FQDN and having the CA (i) initiate a TLS connection with the host and (ii) verify a Random Value that is in a format recognized as a valid TLS response.<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>Note: For purposes of determining the appropriate domain name level or Domain Namespace, the registerable Domain Name is the second-level domain for generic top-level domains (gTLD) such as .com, .net, or .org, or, if the Fully Qualified Domain Name contains a 2 letter Country Code Top-Level Domain (ccTLD), then the domain level is whatever is allowed for registration according to the rules of that ccTLD. If the CA relies upon a Domain Authorization Document to confirm the Applicant's control over a FQDN, then the Domain Authorization Document MUST substantiate that the communication came from either the Domain Name Registrant (including any private, anonymous, or proxy registration service) or the Domain Name Registrar listed in the WHOIS. The CA MUST verify that the Domain Authorization Document was either (i) dated on or after the certificate request date or (ii) used by the CA to verify a previously issued certificate and that the Domain Name's WHOIS record has not been modified since the previous certificate's issuance.<o:p></o:p></pre>
<pre>Note: FQDNs may be listed in Subscriber Certificates using dNSNames in the subjectAltName extension or in Subordinate CA Certificates via dNSNames in permittedSubtrees within the Name Constraints extension.<o:p></o:p></pre>
<pre>Note: For the purpose of verifying a wildcard FQDN, the CA MUST verify either the Base Domain of the wildcard FQDN or the entire Domain Name Label to the right of the wildcard character.<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre> <o:p></o:p></pre>
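<p class="MsoNormal">The following is an added illustration of the CA-side checks behind the Random Value definition and items 6 and 7 of the ballot text above; it is example code written for this page, not code from the CA/Browser Forum, DigiCert, or any CA. It assumes a hex-encoded Random Value, a file name of <code>validation.txt</code> inside the <code>/.well-known/certificate</code> directory, a TXT record as the "DNS record" of item 7, and a miniature public-suffix set in place of the full Public Suffix List; the HTTP fetch and DNS lookup are replaced by constructed in-memory stand-ins so the example runs offline.</p>

```python
import hmac
import re
import secrets

# Constructed miniature public-suffix set (assumption for this example; a real CA
# would consult the full Public Suffix List when computing the Base Domain).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Directory named in item 6 of the ballot text; the file name is an assumption.
WELL_KNOWN_DIR = "/.well-known/certificate"
WELL_KNOWN_FILE = "validation.txt"


def generate_random_value() -> str:
    """Random Value per the ballot definition: 128 bits from the OS CSPRNG, hex-encoded."""
    return secrets.token_hex(16)


def is_well_formed_random_value(value: str) -> bool:
    """32 lowercase hex characters encode exactly 128 bits; anything shorter is rejected."""
    return re.fullmatch(r"[0-9a-f]{32}", value) is not None


def base_domain(fqdn: str) -> str:
    """Base Domain per the ballot: the first label left of the public suffix, plus the suffix."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):  # the longest matching suffix is found first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix in {fqdn!r}")


def _matches(candidate, random_value: str) -> bool:
    """Constant-time comparison so the check itself does not leak a matching prefix."""
    if candidate is None:
        return False
    return hmac.compare_digest(candidate.strip().encode(), random_value.encode())


def validate_well_known(fqdn: str, random_value: str, fetch) -> bool:
    """Item 6: accept if the file at the FQDN or at the Base Domain contains the Random Value.
    `fetch(host, path)` returns the response body as text, or None if nothing was served."""
    if not is_well_formed_random_value(random_value):
        return False
    path = f"{WELL_KNOWN_DIR}/{WELL_KNOWN_FILE}"
    return any(_matches(fetch(host, path), random_value)
               for host in (fqdn, base_domain(fqdn)))


def validate_dns(fqdn: str, random_value: str, resolve_txt) -> bool:
    """Item 7: accept if a TXT record of the FQDN or Base Domain carries the Random Value.
    `resolve_txt(name)` returns the list of TXT strings for `name` (TXT is an assumption;
    the ballot says only 'a DNS record')."""
    if not is_well_formed_random_value(random_value):
        return False
    return any(_matches(txt, random_value)
               for name in (fqdn, base_domain(fqdn))
               for txt in resolve_txt(name))


# Constructed offline stand-ins for the HTTP fetch and the DNS lookup.
def make_fake_fetch(published: dict):
    return lambda host, path: published.get((host, path))


def make_fake_resolver(zone: dict):
    return lambda name: zone.get(name, [])


def demo() -> dict:
    rv = generate_random_value()
    # The Applicant publishes the file at the Base Domain only, with a trailing newline,
    # and the TXT record at the FQDN alongside an unrelated SPF string.
    fetch = make_fake_fetch({("example.com", f"{WELL_KNOWN_DIR}/{WELL_KNOWN_FILE}"): rv + "\n"})
    resolve = make_fake_resolver({"www.example.com": ["v=spf1 -all", rv]})
    return {
        "well_known": validate_well_known("www.example.com", rv, fetch),
        "well_known_wrong_value": validate_well_known("www.example.com", generate_random_value(), fetch),
        "dns": validate_dns("www.example.com", rv, resolve),
        "dns_short_value": validate_dns("www.example.com", "abcd", resolve),
    }


if __name__ == "__main__":
    print(demo())
```

<p class="MsoNormal">Both validators try the FQDN first and then the Base Domain, mirroring the "at either the FQDN or the Base Domain" wording, and both refuse any value that does not carry the full 128 bits, so a CA cannot be talked into accepting a short or guessable token.</p>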
</div>
</div>
</div>
</body>
</html>