[cabfpub] [cabfquest] Domain Validation Revision
Doug Beattie
douglas.beattie at globalsign.com
Mon Feb 16 18:31:46 UTC 2015
This suggestion for item 8 works for GlobalSign, so you can replace our recommendation with the one below.
Doug
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Friday, February 13, 2015 3:39 PM
To: CABFPub
Subject: Re: [cabfpub] [cabfquest] Domain Validation Revision
Forwarding from questions list.
From: questions-bounces at cabforum.org [mailto:questions-bounces at cabforum.org] On Behalf Of Jacob Hoffman-Andrews
Sent: Friday, February 13, 2015 11:01 AM
To: questions at cabforum.org
Subject: Re: [cabfquest] [cabfpub] Domain Validation Revision
Following up from a thread on cabfpub:
On 02/12/2015 07:08 PM, Ryan Sleevi wrote:
8 concerns me for a couple reasons, even though it's moving in the
right direction.
- You require HTTPS, but that seems overkill, when you only need to
perform a TLS handshake. That is, consider a mail server configured
for SMTP-S - it seems that would be a viable configuration
Agreed. As a concrete example, the ACME spec under discussion at IETF
proposes a challenge type called "Domain Validation with Server Name
Indication," or DVSNI for short:
http://www.ietf.org/id/draft-barnes-acme-01.txt.
We believe that DVSNI allows us to offer a higher level of assurance
than item (6), "making an agreed-upon change to information found on an
online Web page," since some sites allow arbitrary file upload, either
by intent or by accident. We're planning to use it for the Let's Encrypt
CA for that reason, so we'd like to make sure that item (8) allows for
DVSNI.
For example, here is a version of item (8) that we think would work:
Having the Applicant demonstrate practical control over the FQDN by
providing a TLS service on a host found in DNS for the FQDN. The CA
SHALL initiate a TLS connection with that host and verify that the
response contains unique, unguessable information proposed by the CA, in
a well-specified format.
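To make the proposed item (8) concrete, here is an added worked example of the DVSNI-style exchange it describes, both the applicant's side and the CA's side. This is illustrative code written for this page, not code from the ACME draft, from Let's Encrypt or from any CA. It assumes: the applicant runs on loopback rather than on a host the CA finds in DNS; the challenge token is bound into a dNSName under the reserved suffix ".acme.invalid" as hex(SHA-256(token)) split across two 32-character labels so that each DNS label stays under 63 characters (the exact derivation in draft-barnes-acme-01 is not reproduced here); and both the "production" certificate and the challenge certificate are freshly generated self-signed stand-ins. The CA side does a bare TLS handshake with the challenge name in SNI and inspects the presented leaf; no HTTP request is involved, which is the point Ryan raised about not requiring HTTPS.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NewToken returns the CA's unique, unguessable challenge value (32 random bytes).
func NewToken() ([]byte, error) {
	tok := make([]byte, 32)
	_, err := rand.Read(tok)
	return tok, err
}

// ChallengeName derives the name the applicant must serve under SNI and carry
// as a dNSName SAN. Assumption (illustrative, not the draft's exact encoding):
// hex(SHA-256(token)) split into two 32-char labels under ".acme.invalid",
// which keeps every label below the 63-character DNS label limit.
func ChallengeName(token []byte) string {
	z := hex.EncodeToString(func() []byte { s := sha256.Sum256(token); return s[:] }())
	return z[:32] + "." + z[32:] + ".acme.invalid"
}

// selfSignedCert builds a short-lived self-signed certificate whose only SAN is name.
func selfSignedCert(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// ApplicantConfig serves the ordinary site certificate by default and the
// challenge certificate only when the ClientHello's SNI equals challengeName,
// so the production certificate is never touched by the validation.
func ApplicantConfig(siteCert, challengeCert tls.Certificate, challengeName string) *tls.Config {
	return &tls.Config{
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if hello.ServerName == challengeName {
				return &challengeCert, nil
			}
			return &siteCert, nil
		},
	}
}

// StartApplicant provisions a challenge cert beside a stand-in site cert and
// listens on loopback (standing in for a host found in DNS for the FQDN).
// It returns the listener address and a stop function.
func StartApplicant(challengeName string) (string, func(), error) {
	siteCert, err := selfSignedCert("www.example.com") // constructed stand-in
	if err != nil {
		return "", nil, err
	}
	chCert, err := selfSignedCert(challengeName)
	if err != nil {
		return "", nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", ApplicantConfig(siteCert, chCert, challengeName))
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				_ = c.(*tls.Conn).Handshake() // the handshake is the whole exchange; no app data
			}(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// CAVerify is the CA side: handshake with SNI=challengeName, then check that
// the presented leaf carries challengeName as a dNSName. The cert is
// self-signed by design, so chain verification is skipped and the SAN is
// checked explicitly instead.
func CAVerify(addr, challengeName string) (bool, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		ServerName:         challengeName,
		InsecureSkipVerify: true,
	})
	if err != nil {
		return false, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return false, fmt.Errorf("no certificate presented")
	}
	for _, n := range certs[0].DNSNames {
		if subtle.ConstantTimeCompare([]byte(n), []byte(challengeName)) == 1 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	token, err := NewToken()
	if err != nil {
		panic(err)
	}
	name := ChallengeName(token)
	addr, stop, err := StartApplicant(name)
	if err != nil {
		panic(err)
	}
	defer stop()
	ok, err := CAVerify(addr, name)
	fmt.Println("challenge satisfied:", ok, err)
	// A guessed token selects the ordinary site certificate, so it fails.
	ok, err = CAVerify(addr, ChallengeName([]byte("guess")))
	fmt.Println("guessed token satisfied:", ok, err)
}
```

The GetCertificate hook keyed on SNI is what distinguishes this from a plain "serve a TLS certificate" check: the site keeps serving its real certificate to everyone else, and satisfying the challenge requires control of the TLS listener and the private key behind it, which an arbitrary file-upload hole on the web server does not give an attacker.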