<div dir="ltr">Right, and I'm not sure that (2) sufficiently establishes that <a href="http://example.com">example.com</a> is authorizing the request, given wildcards.<div><br></div><div>I think this would be a similar concern with, say, following HTTP open redirects and saying a "200 OK" code authorizes the request - wellllll, not really.</div><div><br></div><div>I'm curious if you could expand more why you believe other methods would permit a cert to be issued in the presence of this Wildcard DNS.</div><div><br></div><div>As a concrete example:</div><div><a href="http://example.com">example.com</a> A [my host]</div><div>*.<a href="http://example.com">example.com</a> CNAME <a href="http://example.net">example.net</a></div><div><a href="http://shop.example.com">shop.example.com</a> CNAME <a href="http://paymentprovider.example.org">paymentprovider.example.org</a></div><div><br></div><div>Under this scenario, could you explain what ways that the [<rnd>.<a href="http://example.com">example.com</a>] would be able to issue a cert for either <a href="http://example.com">example.com</a> or <a href="http://shop.example.com">shop.example.com</a> ? Perhaps I'm just missing the implications of the existing validation methods.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 2, 2016 at 3:33 PM, Jeremy Rowley <span dir="ltr"><<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Yes. Those are the two steps I am proposing.<br>
<span class="im HOEnZb"><br>
-----Original Message-----<br>
From: Peter Bowen [mailto:<a href="mailto:pzb@amzn.com">pzb@amzn.com</a>]<br>
</span><span class="im HOEnZb">Sent: Friday, September 2, 2016 4:31 PM<br>
To: Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>><br>
</span><div class="HOEnZb"><div class="h5">Cc: Ryan Sleevi <<a href="mailto:sleevi@google.com">sleevi@google.com</a>>; <a href="mailto:public@cabforum.org">public@cabforum.org</a><br>
Subject: Re: [cabfpub] CNAME-based validation<br>
<br>
I think you are talking about two different things.<br>
<br>
Ryan is concerned that a customer has an existing record that is “*.<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> CNAME <a href="http://vanityblogs.example.net" rel="noreferrer" target="_blank">vanityblogs.example.net</a>”. If you say “if you can make a record show up at _<a href="http://309654fddb59444d8efd6d2cc98881d5.example.com" rel="noreferrer" target="_blank">309654fddb59444d8efd6d2cc98881d5.example.com</a> you are validated” that is bad. Instead, you are proposing a two prong validation test:<br>
<br>
1) Confirm control of <a href="http://vanityblogs.example.net" rel="noreferrer" target="_blank">vanityblogs.example.net</a>.<br>
2) Make _<a href="http://309654fddb59444d8efd6d2cc98881d5.example.com" rel="noreferrer" target="_blank">309654fddb59444d8efd6d2cc98881d5.example.com</a> point to <a href="http://vanityblogs.example.net" rel="noreferrer" target="_blank">vanityblogs.example.net</a>.<br>
<br>
You are proposing that passing these both would confirm control of <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a>, right? And this would allow getting a certificate for <a href="http://shop.example.com" rel="noreferrer" target="_blank">shop.example.com</a>, correct?<br>
<br>
Thanks,<br>
Peter<br>
<br>
> On Sep 2, 2016, at 3:25 PM, Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>> wrote:<br>
><br>
> We are talking about the same thing (wildcard DNS records).<br>
><br>
> Examples:<br>
><br>
> <a href="http://sleevi.example.com" rel="noreferrer" target="_blank">sleevi.example.com</a> CNAME <a href="http://vdomain.com" rel="noreferrer" target="_blank">vdomain.com</a><br>
> *.<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> CNAME <a href="http://vdomain.com" rel="noreferrer" target="_blank">vdomain.com</a><br>
> <rnd>.<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> CNAME <a href="http://vdomain.com" rel="noreferrer" target="_blank">vdomain.com</a><br>
><br>
> The BRs permit verification of each of these by establishing control over <a href="http://vdomain.com" rel="noreferrer" target="_blank">vdomain.com</a> (under the definition of authorization domain name).<br>
><br>
> If *.<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> can be verified this way, what is different between verifying *.<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> and <rnd>.<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> to verify all subdomains of <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a>? All the RND does is make it so the website doesn’t have to point to <a href="http://vdomain.com" rel="noreferrer" target="_blank">vdomain.com</a>.<br>
><br>
> Jeremy<br>
><br>
> From: <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [mailto:<a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>]<br>
> On Behalf Of Ryan Sleevi<br>
> Sent: Friday, September 2, 2016 4:05 PM<br>
> To: Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>><br>
> Cc: <a href="mailto:public@cabforum.org">public@cabforum.org</a><br>
> Subject: Re: [cabfpub] CNAME-based validation<br>
><br>
> Jeremy,<br>
><br>
> Perhaps it wasn't clear: I wasn't speaking of wildcard certificates, but wildcard DNS rules, in which all requests for a given subdomain return a preconfigured record type. While for TXT and CAA records this is quite uncommon, it's exceedingly common to have CNAME records.<br>
><br>
> That is, both <rnd>.<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> and <a href="http://sleevi.example.com" rel="noreferrer" target="_blank">sleevi.example.com</a> may both CNAME to <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a>, by virtue of the host putting a rule of "*.<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> 3600 CNAME <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a>".<br>
><br>
> I am attempting to assert that placing the <rnd> in the subdomain is insufficient proof of authorization, and is meaningfully and tangibly different than the proof of control demonstrated in 3.2.2.4.7.<br>
><br>
> As I read your wording, it suggests the following:<br>
> CA looks up <rnd>.<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a><br>
> <rnd>.<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> points to <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a><br>
> CA sees it previously issued a certificate for <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> using one of the other methods<br>
> CA issues certificate for <rnd>.<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a><br>
><br>
> That concerns me.<br>
><br>
> Peter's rewording suggests the inverse:<br>
> CA looks up _<a href="http://certvalidation.example.com" rel="noreferrer" target="_blank">certvalidation.example.com</a><br>
> _<a href="http://certvalidation.example.com" rel="noreferrer" target="_blank">certvalidation.example.com</a> points (CNAMEs) to <rnd>.validation.[nameofca].com<br>
> CA issues certificate for <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a><br>
><br>
> This is much less concerning.<br>
><br>
> Could you help clarify which you intend, and for what names/purposes?<br>
><br>
><br>
> On Fri, Sep 2, 2016 at 2:52 PM, Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>> wrote:<br>
> Wildcard domains are already allowed. We can verify Wildcard DNS because a CNAME for *.<a href="http://domain.com" rel="noreferrer" target="_blank">domain.com</a> is pointing to a record previously verified. This verification method is permitted under the definition of Authorization Domain Name (where the FQDN returned by a CNAME lookup can be used to verify the requested FQDN). Although <rnd>.<a href="http://domain.com" rel="noreferrer" target="_blank">domain.com</a> isn’t necessarily distinguishable from *.<a href="http://domain.com" rel="noreferrer" target="_blank">domain.com</a>, the validation ends up being the same because either it’s considered an Authorized Domain Name (under the definition) or it was validated as a random value in this new method.<br>
><br>
> For example:<br>
><br>
> *.<a href="http://domain.com" rel="noreferrer" target="_blank">domain.com</a> -> <a href="http://dcv.example.com" rel="noreferrer" target="_blank">dcv.example.com</a> (validated under the Authorized Domain Name section)<br>
> <rnd>.<a href="http://domain.com" rel="noreferrer" target="_blank">domain.com</a> -> <a href="http://validation.example.com" rel="noreferrer" target="_blank">validation.example.com</a> (validated under this new section)<br>
><br>
> Because each is validated properly, tracking which exact section was used in the validation isn’t necessary.<br>
><br>
> Jeremy<br>
><br>
> From: Ryan Sleevi [mailto:<a href="mailto:sleevi@google.com">sleevi@google.com</a>]<br>
> Sent: Friday, September 2, 2016 3:28 PM<br>
> To: Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>><br>
> Cc: <a href="mailto:public@cabforum.org">public@cabforum.org</a><br>
> Subject: Re: [cabfpub] CNAME-based validation<br>
><br>
><br>
> _______________________________________________<br>
> Public mailing list<br>
> <a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
> <a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
<br>
</div></div></blockquote></div><br></div>
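<div>The wildcard-DNS concern in the thread above, as an added example that is not part of the mailing-list discussion or of any CA's code: with "*.example.com CNAME vanityblogs.example.net" in the zone, a challenge label such as _&lt;rnd&gt;.example.com resolves to that target without the applicant publishing anything, so a check that only asks "does the record show up?" is satisfied by whoever controls the wildcard's target. The script below uses a constructed in-memory zone in place of real DNS (lookup() is a simplified imitation of wildcard synthesis, not a resolver), keeps the "_&lt;rnd&gt;" label shape from the thread, and uses a labelled placeholder for the CA's validation hostname. It contrasts the naive check with one that issues a control query for a second random label the applicant never saw: if the zone answers that too with the same target, the answer is wildcard-synthesized and is rejected as proof of control.</div>

```python
"""Added example, not from the CA/B Forum thread: a CA-side check for the
wildcard-DNS concern discussed above. A constructed in-memory zone stands
in for real DNS so this runs offline; lookup() approximates wildcard
synthesis, and the "_<rnd>" label shape follows the thread."""
import secrets
from typing import Dict, Optional, Tuple

Record = Tuple[str, str]          # (record type, record data)
Zone = Dict[str, Record]          # absolute owner name -> single record

# Constructed zone matching the scenario in the thread. The "*." key is a
# wildcard CNAME: it answers any label that has no explicit record, which is
# exactly why _<rnd>.example.com "shows up" without the applicant doing anything.
WILDCARD_ZONE: Zone = {
    "example.com.": ("A", "192.0.2.10"),                            # constructed
    "shop.example.com.": ("CNAME", "paymentprovider.example.org."),
    "*.example.com.": ("CNAME", "vanityblogs.example.net."),
}


def lookup(name: str, zone: Zone) -> Optional[Record]:
    """Offline stand-in for a DNS query: exact owner name first, then the
    closest enclosing wildcard (a simplification of RFC 4592 synthesis)."""
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in zone:
            return zone[wildcard]
    return None


def new_token() -> str:
    """Random value the CA gives the applicant (a fresh one per probe)."""
    return "_" + secrets.token_hex(16)


def naive_validate(domain: str, token: str, expected: str, zone: Zone) -> bool:
    """The reading Ryan objects to: accept whenever _<rnd>.<domain> CNAMEs to
    the expected target, regardless of how that answer was produced."""
    return lookup(f"{token}.{domain}", zone) == ("CNAME", expected)


def wildcard_aware_validate(domain: str, token: str, expected: str,
                            zone: Zone) -> Tuple[bool, str]:
    """Same check, plus a control query for a second random label the
    applicant was never told. If that label yields the identical answer, the
    record is synthesized by a wildcard and demonstrates no control."""
    challenge = lookup(f"{token}.{domain}", zone)
    if challenge != ("CNAME", expected):
        return False, "challenge record missing or points elsewhere"
    control = lookup(f"{new_token()}.{domain}", zone)
    if control == challenge:
        return False, "answer synthesized by wildcard; not proof of control"
    return True, "explicit challenge record present"


def run_scenarios() -> Dict[str, bool]:
    """Two cases: the wildcard zone alone, and the applicant actually publishing
    the challenge record (the CA hostname is a labelled placeholder)."""
    token = new_token()
    # (a) Nothing was published; whoever controls vanityblogs.example.net
    #     would pass the naive check on the strength of the wildcard alone.
    naive_a = naive_validate("example.com.", token, "vanityblogs.example.net.", WILDCARD_ZONE)
    aware_a, _ = wildcard_aware_validate("example.com.", token, "vanityblogs.example.net.", WILDCARD_ZONE)
    # (b) The applicant adds an explicit _<rnd> record pointing at the CA.
    ca_target = "validation.ca-name-placeholder.example."   # placeholder, not a real CA
    zone_b: Zone = dict(WILDCARD_ZONE)
    zone_b[f"{token}.example.com."] = ("CNAME", ca_target)
    aware_b, _ = wildcard_aware_validate("example.com.", token, ca_target, zone_b)
    return {"naive_wildcard": naive_a, "aware_wildcard": aware_a, "aware_explicit": aware_b}


if __name__ == "__main__":
    for case, accepted in run_scenarios().items():
        print(f"{case}: {'accept' if accepted else 'reject'}")
```

<div>Against real DNS the control query would go to the zone's authoritative servers with a label generated fresh for each attempt, so that an applicant cannot pre-publish it. The check settles only whether the challenge record was deliberately placed; it does not by itself answer the separate policy question raised in the thread, namely which names (example.com, shop.example.com, or only the challenge label itself) a passed CNAME challenge should be taken to authorize.</div>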