[cabfpub] CAA (was RE: Domain Control Validation)
Ryan Sleevi
sleevi at google.com
Mon Aug 25 17:15:03 UTC 2014
On Aug 25, 2014 10:08 AM, "Ben Wilson" <ben.wilson at digicert.com> wrote:
>
> What if the allowed procedure required a before and after comparison?
The other alternative is an agreed-upon or CA-generated text string.
>
>
>
> I was just thinking that it would be a good way to promote CAA (one could
argue that CAA obviates the need to perform domain control checks).
>
No, it really doesn't.
A key point of the demonstration of control is ensuring the applicant is
authorized for the request.
It would allow _anyone_ to request a cert for that domain, without a
demonstration of control, from any of the CAs listed.
The absolute bare minimum would be to ensure a pre-negotiated list of
authorized contacts for the CA (a provision the BR allows for and requires
that CAs vet), but that still requires establishing at some point in time
that the user supplying the list was authorized.
Not to pick on you, since I think it was a good faith effort to improve CAA
adoption (which I do think would be good, especially if CAs had to state
their policies), but this is exactly why I think Item 7 is far too
dangerous for the BRs. Good intentions, but certainly not sufficient
security.
>
>
> So dropping the CAA suggestion, what if the language said “7.
Having the Applicant demonstrate practical control over the FQDN by adding
a unique, CA-specified TXT record to the DNS zone file.”?
>
>
>
> From: Rick Andrews [mailto:Rick_Andrews at symantec.com]
> Sent: Monday, August 25, 2014 11:00 AM
> To: Ben Wilson; Ryan Sleevi
> Cc: CABFPub
> Subject: RE: [cabfpub] Domain Control Validation
>
>
>
> Ben, I don’t think that would work, because AFAIK there’s no way to tell
when the record was added to DNS.
>
>
>
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
> Sent: Monday, August 25, 2014 9:42 AM
> To: Ryan Sleevi
> Cc: CABFPub
> Subject: Re: [cabfpub] Domain Control Validation
>
>
>
> What if it were the simple act of placing a CAA record in the DNS that
identified the CA?
>
> Would that be sufficient as a new method to add into section 11.1 of the
BRs that would not be excluded from the EV Guidelines?
>
>
>
> From: Ryan Sleevi [mailto:sleevi at google.com]
> Sent: Sunday, August 24, 2014 11:43 AM
> To: Ben Wilson
> Cc: CABFPub
> Subject: Re: [cabfpub] Domain Control Validation
>
>
>
>
> On Aug 24, 2014 9:17 AM, "Ben Wilson" <ben.wilson at digicert.com> wrote:
> >
> > Does anyone recall whether we have ever discussed domain control
validation by having the Applicant demonstrate practical control over the
FQDN by making a change to information in the DNS zone file?
> >
> >
>
> Right, this was discussed when we talked about demonstrations of control
via file on disk, and this falls into subsection 7, any other equivalent.
>
> >
> > The EV Guidelines cross-reference Section 11.1 of the Baseline
Requirements for this, but it seems that this method is not in subsections
1 through 6 (the closest is subsection 6, from which I drew some of the
language for my question), and the EV Guidelines exclude reliance on
subsection 7. Could this be an item that the EV Guidelines working group
should add to its list of items to review, if it isn’t already on the list?
> >
>
> If they do, I would prefer it be extremely precise and narrowly scoped,
such as email.
>
> A site operator MUST be able to take reasonable mitigations against a lax
CA.
>
> >
> >
> > Thanks
> >
> >
> >
> > Ben
> >
> >
> > _______________________________________________
> > Public mailing list
> > Public at cabforum.org
> > https://cabforum.org/mailman/listinfo/public
> >
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140825/232a473a/attachment-0002.html>
More information about the Public
mailing list