<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:wf_segoe-ui_normal;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I’ll note that if you object to #6 on those grounds, you also object to #10, which is basically “do #6 via TLS, with fewer requirements around where the value
 must be placed.”<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">In fact I’m starting to think that #10 should be eliminated and rolled into #6, simply by noting in #6 that for the purposes of #6, TLS with an untrusted server
 certificate can be used in place of HTTP.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">-Tim<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org]
<b>On Behalf Of </b>Anoosh Saboori<br>
<b>Sent:</b> Wednesday, May 06, 2015 7:46 PM<br>
<b>To:</b> Ryan Sleevi<br>
<b>Cc:</b> public@cabforum.org<br>
<b>Subject:</b> Re: [cabfpub] Domain validation<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hi Ryan,</span><span style="font-size:11.5pt;font-family:wf_segoe-ui_normal;color:#212121"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="font-size:11.5pt;font-family:wf_segoe-ui_normal;color:#212121"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">What you stated below partly is the main reason for us not supporting #6 . Another example is Azure tenant who is assigned “example.clouapp.net”.
 While the tenant can pass the test in #6  by inserting nonce in “example.cloudapp.net/.well-known/certificate”, they are not the real owner for that domain name, Azure is.</span><span style="font-size:11.5pt;font-family:wf_segoe-ui_normal;color:#212121"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.5pt;font-family:wf_segoe-ui_normal;color:#212121"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I also agree with your statement in regards to IP addresses. </span><span style="font-size:11.5pt;font-family:wf_segoe-ui_normal;color:#212121"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.5pt;font-family:wf_segoe-ui_normal;color:#212121"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Anoosh</span><span style="font-size:11.5pt;font-family:wf_segoe-ui_normal;color:#212121"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.5pt;font-family:wf_segoe-ui_normal;color:#212121"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt;background:white"><span style="font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
<div>
<div class="MsoNormal" align="center" style="text-align:center;background:white">
<span style="font-family:"Calibri","sans-serif";color:black">
<hr size="2" width="98%" align="center">
</span></div>
<div id="divRplyFwdMsg">
<p class="MsoNormal" style="background:white"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black"> Ryan Sleevi <<a href="mailto:sleevi@google.com">sleevi@google.com</a>><br>
<b>Sent:</b> Wednesday, May 6, 2015 3:49 PM<br>
<b>To:</b> Anoosh Saboori<br>
<b>Cc:</b> Eddy Nigg; <a href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] Domain validation</span><span style="font-family:"Calibri","sans-serif";color:black">
<o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri","sans-serif";color:black"> <o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri","sans-serif";color:black">On Wed, May 6, 2015 at 3:37 PM, Anoosh Saboori <<a href="mailto:ansaboor@microsoft.com" target="_blank" title="mailto:ansaboor@microsoft.com
Cmd+Click or tap to follow the link">ansaboor@microsoft.com</a>>
 wrote:<o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Reviving this older thread. It seems that both:</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">1.</span><span style="font-size:7.0pt;color:#1F497D">      
</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Forum has concerns around relying only on whois database or email address since the whois database might not be accurate
</span><span style="font-family:"Calibri","sans-serif";color:black"><o:p></o:p></span></p>
<p style="background:white"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2.</span><span style="font-size:7.0pt;color:#1F497D">      
</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">MS still has concerns for #6 not being at par with the rest of validation mechanism proposed
</span><span style="font-family:"Calibri","sans-serif";color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.25in;background:white">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">So, can we get to a point where both concerns are addressed by modifying the requirement as: “#6 continues to be accepted, only if other validation methods failed to work. CAs then
 keep documentation on why they decided to accept #6. “</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="color:black"><o:p> </o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri","sans-serif";color:black">I'm still not sure why Microsoft doesn't feel that #6 is not on-par with the rest. It would be very helpful if you could elaborate what properties you
 feel that the other methods offer that #6 does not. In digging through your past replies, it only seems that you've highlighted it's "not as strong" - but you haven't clarified what property is absent. <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri","sans-serif";color:black">If I understand by reading between the lines, your concern is that method #6 allows verification to happen by any attacker who can gain filesystem-level
 access, whereas the other methods require some level of password compromise (e.g. email, methods 1/2/4 from the original message), remote code execution (e.g. TLS bindings, method 11 from the original message), or has compromised the domain management (methods
 7/8 from the original message). Is that correct?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri","sans-serif";color:black">I'm surprised that Microsoft hasn't highlighted Item 9 (IP address validation) as similarly weaker in guarantees. For example, in a shared hosting service,
<a href="http://scanmail.trustwave.com/?c=4062&d=-afK1aJC190ZIBtTTWDRZJ2ezKF8D9uNVuJuGOy9jA&s=5&u=http%3a%2f%2ffoo%2ecom">
foo.com</a> and <a href="http://scanmail.trustwave.com/?c=4062&d=-afK1aJC190ZIBtTTWDRZJ2ezKF8D9uNVrI5HuDs3Q&s=5&u=http%3a%2f%2fbar%2ecom">
bar.com</a> may both be hosted on the same IP, and use SNI (for HTTPS) and the Host: header (for HTTP) to disambiguate which host the client wishes to talk to. As presently worded, it seems like
<a href="http://scanmail.trustwave.com/?c=4062&d=-afK1aJC190ZIBtTTWDRZJ2ezKF8D9uNVrI5HuDs3Q&s=5&u=http%3a%2f%2fbar%2ecom">
bar.com</a> MAY be able to apply for a certificate for <a href="http://scanmail.trustwave.com/?c=4062&d=-afK1aJC190ZIBtTTWDRZJ2ezKF8D9uNVuJuGOy9jA&s=5&u=http%3a%2f%2ffoo%2ecom">
foo.com</a>.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-family:"Calibri","sans-serif";color:black">Now, I know that's not the intent, but that strikes me as an area that needs further clarification about what "controls an IP address" means (e.g. does
 it mean looking in the appropriate RIR for that Netblock and confirming the applicant through a Reliable Means of Communication?)<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
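As an added example (not from this thread or from any Forum document), a small Python model of the shared-hosting situation Ryan describes: one IP serving foo.com and bar.com, disambiguated by the Host header. The IP address, the nonce path and the token are constructed for illustration; the code contrasts a hostname-bound check of the method #6 kind with a check that only confirms reachability of the IP, and shows that the latter reports success for foo.com although only bar.com's tenant published the nonce.

```python
import hmac
import secrets

# Path used by method #6 in the thread; the IP and token below are constructed.
WELL_KNOWN = "/.well-known/certificate"

class SharedHost:
    """One IP, many hostnames. Requests are routed by the HTTP Host header,
    as a shared hosting provider does (SNI plays the same role for TLS)."""
    def __init__(self, ip, default_vhost):
        self.ip = ip
        self.default_vhost = default_vhost
        self.docroots = {default_vhost: {}}  # hostname -> {path: body}

    def add_vhost(self, hostname):
        self.docroots.setdefault(hostname, {})

    def publish(self, hostname, path, body):
        self.docroots[hostname][path] = body

    def get(self, path, host_header=None):
        # A missing or unknown Host header falls through to the default site,
        # which is what a probe aimed only at the IP reaches.
        vhost = host_header if host_header in self.docroots else self.default_vhost
        return self.docroots[vhost].get(path)

def validate_by_hostname(server, hostname, token):
    """Method #6 as described in the thread: the CA fetches the nonce from the
    applicant's hostname, so the Host header is the name being validated."""
    body = server.get(WELL_KNOWN, host_header=hostname)
    return body is not None and hmac.compare_digest(body, token)

def validate_by_ip_only(server, ip, token):
    """A naive reading of "controls an IP address" (item 9): reach the IP and
    look for the nonce without binding the check to any hostname."""
    if server.ip != ip:
        return False
    body = server.get(WELL_KNOWN)
    return body is not None and hmac.compare_digest(body, token)

def demo(token=None):
    server = SharedHost("203.0.113.10", default_vhost="bar.com")
    server.add_vhost("foo.com")
    token = token or secrets.token_urlsafe(16)
    server.publish("bar.com", WELL_KNOWN, token)  # only bar.com's tenant acts
    return {
        "foo.com_by_hostname": validate_by_hostname(server, "foo.com", token),
        "bar.com_by_hostname": validate_by_hostname(server, "bar.com", token),
        "ip_only": validate_by_ip_only(server, "203.0.113.10", token),
    }
```

The dictionary returned by `demo()` is the whole point: the hostname-bound check passes only for bar.com, while the IP-only check passes and would equally "validate" a request naming foo.com.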
<br>
<hr>
<font face="Arial" color="Gray" size="1"><br>
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information
 contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.<br>
</font>
</body>
</html>