[cabfpub] Domain Control Validation

Ben Wilson ben.wilson at digicert.com
Mon Aug 25 10:08:06 MST 2014 

What if the allowed procedure required a before and after comparison?  The other alternative is an agreed-upon or CA-generated text string.

 

I was just thinking that it would be a good way to promote CAA (one could argue that CAA obviates the need to perform domain control checks).  

 

So dropping the CAA suggestion, what if the language said “7.        Having the Applicant demonstrate practical control over the FQDN by adding a unique, CA-specified TXT record to the DNS zone file.”?

 

From: Rick Andrews [mailto:Rick_Andrews at symantec.com] 
Sent: Monday, August 25, 2014 11:00 AM
To: Ben Wilson; Ryan Sleevi
Cc: CABFPub
Subject: RE: [cabfpub] Domain Control Validation

 

Ben, I don’t think that would work, because AFAIK there’s no way to tell when the record was added to DNS.

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Monday, August 25, 2014 9:42 AM
To: Ryan Sleevi
Cc: CABFPub
Subject: Re: [cabfpub] Domain Control Validation

 

What if it were the simple act of placing a CAA record in the DNS that identified the CA?  

Would that be sufficient as a new method to add into section 11.1 of the BRs that would not be excluded from the EV Guidelines? 

 

From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Sunday, August 24, 2014 11:43 AM
To: Ben Wilson
Cc: CABFPub
Subject: Re: [cabfpub] Domain Control Validation

 


On Aug 24, 2014 9:17 AM, "Ben Wilson" <ben.wilson at digicert.com> wrote:
>
> Does anyone recall whether we have ever discussed domain control validation by having the Applicant demonstrate practical control over the FQDN by making a change to information in the DNS zone file?
>
>  

Right, this was discussed when we talked about demonstrations of control via file on disk, and this falls into subsection 7, any other equivalent.

>
> The EV Guidelines cross-reference Section 11.1 of the Baseline Requirements for this, but it seems that this method is not in subsections 1 through 6 (the closest is subsection 6, from which I drew some of the language for my question), and the EV Guidelines exclude reliance on subsection 7.   Could this be an item that the EV Guidelines working group should add to its list of items to review, if it isn’t already on the list?
>

If they do, I would prefer it be extremely precise and narrowly scoped, such as email.

A site operator MUST be able to take reasonable mitigations against a lax CA.

>  
>
> Thanks
>
>  
>
> Ben
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20140825/1c4a23f4/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4998 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20140825/1c4a23f4/attachment-0001.bin

More information about the Public mailing list