<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.m-6109138572561859140msolistparagraph, li.m-6109138572561859140msolistparagraph, div.m-6109138572561859140msolistparagraph
{mso-style-name:m_-6109138572561859140msolistparagraph;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Sorry – I thought we resolved those concerns with the second random number? Which concern is still unresolved?<o:p></o:p></span></p><p class=MsoNormal><a name="_MailEndCompose"><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></a></p><span style='mso-bookmark:_MailEndCompose'></span><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Ryan Sleevi [mailto:sleevi@google.com] <br><b>Sent:</b> Monday, September 12, 2016 3:53 PM<br><b>To:</b> Jeremy Rowley <jeremy.rowley@digicert.com><br><b>Cc:</b> public@cabforum.org<br><b>Subject:</b> [MmmSPAM] Re: [cabfpub] CNAME-based validation<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Jeremy,<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>While you seek endorsers, I will suggest that, as worded, I believe we'd need to vote against this ballot.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I do hope you give consideration to the concerns raised, and why the Random Value in the "thing to be resolved" is going to be problematic for us.<o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Mon, Sep 12, 2016 at 2:11 PM, Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Everyone - thanks for your input on this. Here’s the proposed ballot based on the discussion:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span><o:p></o:p></p><div style='border:none;border-bottom:solid windowtext 1.0pt;padding:0in 0in 1.0pt 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Motion Begins:<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Add the following definition: <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Validation Sub Domain: A Domain Name created directly under an FQDN by appending a Random Value or Request Token as the left-most label of the FQDN.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>DNS Validation Name: A Domain Name created directly under a FQDN by appending “_pki” as the left-most label of the FQDN.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Add the following as Section 3.2.2.4.11:<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Confirming the Applicant’s control over the requested FQDN by:<o:p></o:p></p><p class=m-6109138572561859140msolistparagraph>(1)<span style='font-size:7.0pt'> </span>Creating a Validation Sub Domain of the requested FQDN;<o:p></o:p></p><p class=m-6109138572561859140msolistparagraph>(2)<span style='font-size:7.0pt'> </span>Verifying creation of a CNAME record for the created Validation Sub Domain that points the Validation Sub Domain to a FQDN verified by the CA using one of methods permitted under Section 3.2.2.4; <o:p></o:p></p><p class=m-6109138572561859140msolistparagraph>(3)<span style='font-size:7.0pt'> </span>Creating a second Validation Sub Domain of the Requested FQDN using a Request Token or Random Value that was not used in the first Validation Sub Domain; and<o:p></o:p></p><p class=m-6109138572561859140msolistparagraph>(4)<span style='font-size:7.0pt'> </span>Verifying that the second Validation Sub Domain does not resolve to the FQDN verified by the CA under step 2.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Add the following as Section 3.2.2.4.12:<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Confirming the Applicant’s control over the requested FQDN by:<o:p></o:p></p><p class=m-6109138572561859140msolistparagraph>(1)<span style='font-size:7.0pt'> </span>Creating a DNS Validation Name of the requested FQDN; <o:p></o:p></p><p class=m-6109138572561859140msolistparagraph>(2)<span style='font-size:7.0pt'> </span>Creating a Validation Sub Domain of a Domain Name verified using one of the methods permitted under Section 3.2.2.4;<o:p></o:p></p><p class=m-6109138572561859140msolistparagraph>(3)<span style='font-size:7.0pt'> </span>Verifying creation of a CNAME record for the DNS Validation Name that points the DNS Validation Name to the Validation Sub Domain.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Looking for comments/endorsers. Thanks!<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Jeremy<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><a name="m_-6109138572561859140__MailEndCompose"><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span></a><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> <a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a> [mailto:<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>] <b>On Behalf Of </b>Ryan Sleevi<br><b>Sent:</b> Thursday, September 8, 2016 4:48 PM<br><b>To:</b> Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>><br><b>Cc:</b> <a href="mailto:rsleevi@chromium.org" target="_blank">rsleevi@chromium.org</a>; Peter Bowen <<a href="mailto:pzb@amzn.com" target="_blank">pzb@amzn.com</a>>; <a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a><br><b>Subject:</b> [MmmSPAM] Re: [cabfpub] CNAME-based validation</span><o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Thu, Sep 8, 2016 at 3:25 PM, Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>The one short-coming of this approach over using multiple random values to detect wildcard domains is that the process makes obtaining multiple certificates from different CAs difficult. If a customer wants to use both DigiCert and another CA, the customer would have to order each one in separate intervals as _<a href="http://pki.domain.com" target="_blank">pki.domain.com</a> can only have a single CNAME record. Using two random values, the customer can have multiple CAs simultaneously issue certificates. </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>CA1:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><rnd_CA1>.<a href="http://domain.com" target="_blank">domain.com</a> CNAME <rnd2_CA1>.<a href="http://validation.com" target="_blank">validation.com</a></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>CA2:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><rnd_CA2>.<a href="http://domain.com" target="_blank">domain.com</a> CNAME <rnd2_CA2>.<a href="http://validation.com" target="_blank">validation.com</a></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I think this proposal is different than what I understood your previous proposal to be, and I think it probably resolves the heart of my objection - that the randomness shouldn't be "trusted" if it's in the "name to be resolved", but can be if it's in the "contents of the record" (in this case, the CNAME-pointed to domain).<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>My understanding is your proposal was<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><rnd_CA1>.<a href="http://example.net" target="_blank">example.net</a> CNAME <a href="http://shop.example.com" target="_blank">shop.example.com</a> (Notice how I keep using RFC 6761 special-use domains? :P)<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Would be seen as authorization to issue for "<a href="http://example.net" target="_blank">example.net</a>" if the CA previously issued for "<a href="http://shop.example.com" target="_blank">shop.example.com</a>". I don't think that's good, because the <rnd_CA1> can't be taken as positive consent/configuration/control in the presence of Wildcard DNS.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>If the proposal is that<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><rnd_CA1>.<a href="http://example.net" target="_blank">example.net</a> CNAME <rnd2_CA1>.<a href="http://shop.example.com" target="_blank">shop.example.com</a><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Be taken as authorization to issue for <a href="http://example.net" target="_blank">example.net</a> if the CA has validated <a href="http://shop.example.com" target="_blank">shop.example.com</a>, then I think that'd be OK, and would be curious if anyone spots any risk I'm missing. That's because the <rnd_CA1> is not a "Random Token/Value", but just a "Don't disrupt the service" variation, and the real random value/token is in the contents of the CNAME - specifically, <rnd2_CA1>.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>In the case of non-Wildcard DNS, this demonstrates practical control over <a href="http://example.net" target="_blank">example.net</a> (by creating rnd_CA1)<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>In the case of Wildcard DNS, this demonstrates practical control at least to the level of the Wildcard DNS rule, because it's statistically unlikely that they would have just 'happened' to chose <rnd2_CA1> as a subdomain, provided that it has sufficient randomness.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>To double check my math, a given DNS label (that is, the value of <rnd_CA1 / rnd2_CA2>) is limited to 64 characters, which should be plenty sufficient for a modified Base32-encoding of a minimum 112-bit random value, which would be 24 characters (using perhaps 0/1 as the padding character, since = can't appear due to the LDH rule)<o:p></o:p></p></div></div></div></div></div></div></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br><a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>