<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Here are the steps:<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><span style='mso-list:Ignore'>1)<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>CA verifies example.net using any one of the methods permitted<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><span style='mso-list:Ignore'>2)<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>CA receives request for shop.example.com<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:11.0pt'><span style='mso-list:Ignore'>3)<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>CA retrieves CNAME for shop.example.com (permitted under Authorization Domain Name definition: “</span><span style='font-size:11.0pt;color:black;background:white'>The CA may use the FQDN returned from a DNS CNAME lookup as the FQDN for the purposes of domain validation”)</span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:11.0pt'><span style='mso-list:Ignore'>4)<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:11.0pt'>CNAME causes resolution to example.net. 
<o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span style='font-size:11.0pt'><span style='mso-list:Ignore'>5)<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:11.0pt'>Example.net is verified under step 1, permitting issuance of the certificate <o:p></o:p></span></p><p class=MsoListParagraph><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoListParagraph><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><a name="_MailEndCompose"><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></a></p><span style='mso-bookmark:_MailEndCompose'></span><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Ryan Sleevi [mailto:sleevi@google.com] <br><b>Sent:</b> Friday, September 2, 2016 5:12 PM<br><b>To:</b> Jeremy Rowley &lt;jeremy.rowley@digicert.com&gt;<br><b>Cc:</b> Peter Bowen &lt;pzb@amzn.com&gt;; public@cabforum.org<br><b>Subject:</b> Re: [cabfpub] CNAME-based validation<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Right, and I'm not sure that (2) sufficiently establishes that <a href="http://example.com">example.com</a> is authorizing the request, given wildcards.<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I think this would be a similar concern with, say, following HTTP open redirects and saying a "200 OK" code authorizes the request - wellllll, not really.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I'm curious if you could expand more on why you believe other methods would permit a cert to be issued in the presence of this Wildcard DNS.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>As a concrete 
example:<o:p></o:p></p></div><div><p class=MsoNormal><a href="http://example.com">example.com</a> A [my host]<o:p></o:p></p></div><div><p class=MsoNormal>*.<a href="http://example.com">example.com</a> CNAME <a href="http://example.net">example.net</a><o:p></o:p></p></div><div><p class=MsoNormal><a href="http://shop.example.com">shop.example.com</a> CNAME <a href="http://paymentprovider.example.org">paymentprovider.example.org</a><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Under this scenario, could you explain what ways that the [&lt;rnd&gt;.<a href="http://example.com">example.com</a>] would be able to issue a cert for either <a href="http://example.com">example.com</a> or <a href="http://shop.example.com">shop.example.com</a>? Perhaps I'm just missing the implications of the existing validation methods.<o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><div><p class=MsoNormal>On Fri, Sep 2, 2016 at 3:33 PM, Jeremy Rowley &lt;<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>&gt; wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><p class=MsoNormal>Yes. 
Those are the two steps I am proposing.<br><br><span class=im>-----Original Message-----</span><br><span class=im>From: Peter Bowen [mailto:<a href="mailto:pzb@amzn.com">pzb@amzn.com</a>]</span><br><span class=im>Sent: Friday, September 2, 2016 4:31 PM</span><br><span class=im>To: Jeremy Rowley &lt;<a href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>&gt;</span><o:p></o:p></p><div><div><p class=MsoNormal style='margin-bottom:12.0pt'>Cc: Ryan Sleevi &lt;<a href="mailto:sleevi@google.com">sleevi@google.com</a>&gt;; <a href="mailto:public@cabforum.org">public@cabforum.org</a><br>Subject: Re: [cabfpub] CNAME-based validation<br><br>I think you are talking about two different things.<br><br>Ryan is concerned that a customer has an existing record that is “*.<a href="http://example.com" target="_blank">example.com</a> CNAME <a href="http://vanityblogs.example.net" target="_blank">vanityblogs.example.net</a>”. If you say “if you can make a record show up at _<a href="http://309654fddb59444d8efd6d2cc98881d5.example.com" target="_blank">309654fddb59444d8efd6d2cc98881d5.example.com</a> you are validated” that is bad. Instead, you are proposing a two-prong validation test:<br><br>1) Confirm control of <a href="http://vanityblogs.example.net" target="_blank">vanityblogs.example.net</a>.<br>2) Make _<a href="http://309654fddb59444d8efd6d2cc98881d5.example.com" target="_blank">309654fddb59444d8efd6d2cc98881d5.example.com</a> point to <a href="http://vanityblogs.example.net" target="_blank">vanityblogs.example.net</a>.<br><br>You are proposing that passing these both would confirm control of <a href="http://example.com" target="_blank">example.com</a>, right? 
And this would allow getting a certificate for <a href="http://shop.example.com" target="_blank">shop.example.com</a>, correct?<br><br>Thanks,<br>Peter<br><br>> On Sep 2, 2016, at 3:25 PM, Jeremy Rowley &lt;<a href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>&gt; wrote:<br>><br>> We are talking about the same thing (wildcard DNS records).<br>><br>> Examples:<br>><br>> <a href="http://sleevi.example.com" target="_blank">sleevi.example.com</a> CNAME <a href="http://vdomain.com" target="_blank">vdomain.com</a><br>> *.<a href="http://example.com" target="_blank">example.com</a> CNAME <a href="http://vdomain.com" target="_blank">vdomain.com</a><br>> &lt;rnd&gt;.<a href="http://example.com" target="_blank">example.com</a> CNAME <a href="http://vdomain.com" target="_blank">vdomain.com</a><br>><br>> The BRs permit verification of each of these by establishing control over <a href="http://vdomain.com" target="_blank">vdomain.com</a> (under the definition of authorization domain name).<br>><br>> If *.<a href="http://example.com" target="_blank">example.com</a> can be verified this way, what is different between verifying *.<a href="http://example.com" target="_blank">example.com</a> and &lt;rnd&gt;.<a href="http://example.com" target="_blank">example.com</a> to verify all subdomains of <a href="http://example.com" target="_blank">example.com</a>? 
All the RND does is make it so the website doesn’t have to point to <a href="http://vdomain.com" target="_blank">vdomain.com</a>.<br>><br>> Jeremy<br>><br>> From: <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [mailto:<a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>]<br>> On Behalf Of Ryan Sleevi<br>> Sent: Friday, September 2, 2016 4:05 PM<br>> To: Jeremy Rowley &lt;<a href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>&gt;<br>> Cc: <a href="mailto:public@cabforum.org">public@cabforum.org</a><br>> Subject: Re: [cabfpub] CNAME-based validation<br>><br>> Jeremy,<br>><br>> Perhaps it wasn't clear, I wasn't speaking of wildcard certificates, but wildcard DNS rules, in which all requests for a given subdomain return a preconfigured record type. While for TXT and CAA records this is quite uncommon, it's exceedingly common to have CNAME records.<br>><br>> That is, both &lt;rnd&gt;.<a href="http://example.com" target="_blank">example.com</a> and <a href="http://sleevi.example.com" target="_blank">sleevi.example.com</a> may both CNAME to <a href="http://example.com" target="_blank">example.com</a>, by virtue of the host putting a rule of "*.<a href="http://example.com" target="_blank">example.com</a> 3600 CNAME <a href="http://example.com" target="_blank">example.com</a>"<br>><br>> I am attempting to assert that placing the &lt;rnd&gt; in the subdomain is insufficient proof of authorization, and is meaningfully and tangibly different than the proof of control demonstrated in 3.2.2.4.7.<br>><br>> As I read your wording, it suggests the following:<br>> CA looks up &lt;rnd&gt;.<a href="http://example.com" target="_blank">example.com</a><br>> &lt;rnd&gt;.<a href="http://example.com" target="_blank">example.com</a> points to <a href="http://example.com" target="_blank">example.com</a><br>> CA sees it previously issued a certificate for <a href="http://example.com" target="_blank">example.com</a> using one of the other methods
<br>> CA issues certificate for &lt;rnd&gt;.<a href="http://example.com" target="_blank">example.com</a><br>><br>> That concerns me.<br>><br>> Peter's rewording suggests the inverse:<br>> CA looks up _<a href="http://certvalidation.example.com" target="_blank">certvalidation.example.com</a><br>> _<a href="http://certvalidation.example.com" target="_blank">certvalidation.example.com</a> points (CNAMEs) to &lt;rnd&gt;.validation.[nameofca].com<br>> CA issues certificate for <a href="http://example.com" target="_blank">example.com</a><br>><br>> This is much less concerning.<br>><br>> Could you help clarify which you intend, and for what names/purposes?<br>><br>><br>> On Fri, Sep 2, 2016 at 2:52 PM, Jeremy Rowley &lt;<a href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>&gt; wrote:<br>> Wildcard domains are already allowed. We can verify Wildcard DNS because a CNAME for *.<a href="http://domain.com" target="_blank">domain.com</a> is pointing to a record previously verified. This verification method is permitted under the definition of Authorization Domain Name (where the FQDN returned by a CNAME lookup can be used to verify the requested FQDN). 
Although &lt;rnd&gt;.<a href="http://domain.com" target="_blank">domain.com</a> isn’t necessarily distinguishable from *.<a href="http://domain.com" target="_blank">domain.com</a>, the validation ends up being the same because either it's considered an Authorized Domain Name (under the definition) or it was validated as a random value in this new method.<br>><br>> For example:<br>><br>> *.<a href="http://domain.com" target="_blank">domain.com</a> -> <a href="http://dcv.example.com" target="_blank">dcv.example.com</a> (validated under the Authorized Domain Name section)<br>> &lt;rnd&gt;.<a href="http://domain.com" target="_blank">domain.com</a> -> <a href="http://validation.example.com" target="_blank">validation.example.com</a> (validated under this new section)<br>><br>> Because each is validated properly, tracking which exact section was used in the validation isn’t necessary.<br>><br>> Jeremy<br>><br>> From: Ryan Sleevi [mailto:<a href="mailto:sleevi@google.com">sleevi@google.com</a>]<br>> Sent: Friday, September 2, 2016 3:28 PM<br>> To: Jeremy Rowley &lt;<a href="mailto:jeremy.rowley@digicert.com">jeremy.rowley@digicert.com</a>&gt;<br>> Cc: <a href="mailto:public@cabforum.org">public@cabforum.org</a><br>> Subject: Re: [cabfpub] CNAME-based validation<br>><br>><br>> _______________________________________________<br>> Public mailing list<br>> <a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>> <a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p></div></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>
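Added illustration, not from the thread and not any CA's validation code: a small Python model of the wildcard concern Ryan raises, resolving names against a constructed copy of his example zone (one-label wildcard matching, exact names win) and comparing the random-subdomain check with the CA-chosen-target variant he summarises from Peter. `ca.example` stands in for `[nameofca].com`, and the address and tokens are constructed.

```python
import secrets

# Constructed zone for example.com, modelled on Ryan's concrete example above;
# the A-record address is a documentation placeholder, not a real host.
ZONE = {
    "example.com": ("A", "192.0.2.10"),
    "*.example.com": ("CNAME", "example.net"),
    "shop.example.com": ("CNAME", "paymentprovider.example.org"),
}

def resolve(zone, name):
    """Exact owner name first; otherwise the parent's wildcard record
    (simplified RFC 4592: one label deep, used only when no exact name exists)."""
    if name in zone:
        return zone[name]
    parent = name.split(".", 1)[1] if "." in name else ""
    return zone.get("*." + parent)

def cname_target(zone, name):
    rec = resolve(zone, name)
    return rec[1] if rec and rec[0] == "CNAME" else None

def random_label_check(zone, fqdn, validated, rnd=None):
    """The proposal as Ryan read it: _<rnd>.fqdn must CNAME to a name the CA has
    already validated. A wildcard CNAME alone satisfies it, because whatever
    value the CA picks, the random label matches *.fqdn."""
    rnd = rnd or secrets.token_hex(16)
    return cname_target(zone, f"_{rnd}.{fqdn}") in validated

def ca_chosen_target_check(zone, fqdn, ca_domain, rnd=None):
    """Peter's rewording as Ryan summarised it: a fixed label under fqdn must
    CNAME to a per-request random name inside the CA's own zone, so no
    pre-existing wildcard can point at a value the CA has not yet chosen."""
    rnd = rnd or secrets.token_hex(16)
    expected = f"{rnd}.validation.{ca_domain}"
    return cname_target(zone, f"_certvalidation.{fqdn}") == expected

if __name__ == "__main__":
    validated = {"example.net"}  # assume the CA validated example.net earlier (step 1)
    print("random label, wildcard only    :", random_label_check(ZONE, "example.com", validated))
    print("CA-chosen target, wildcard only:",
          ca_chosen_target_check(ZONE, "example.com", "ca.example", "abc123"))
    # The second check passes only once the holder adds the exact record the CA asked for.
    zone = dict(ZONE, **{"_certvalidation.example.com": ("CNAME", "abc123.validation.ca.example")})
    print("CA-chosen target, record added :",
          ca_chosen_target_check(zone, "example.com", "ca.example", "abc123"))
```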