[cabfpub] [cabfquest] Domain Validation Revision

Doug Beattie douglas.beattie at globalsign.com
Mon Feb 16 18:31:46 UTC 2015

This suggestion for item 8 works for GlobalSign so you can replace our recommendation with the one below.


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Friday, February 13, 2015 3:39 PM
Subject: Re: [cabfpub] [cabfquest] Domain Validation Revision

Forwarding from questions list.

From: questions-bounces at cabforum.org<mailto:questions-bounces at cabforum.org> [mailto:questions-bounces at cabforum.org] On Behalf Of Jacob Hoffman-Andrews
Sent: Friday, February 13, 2015 11:01 AM
To: questions at cabforum.org<mailto:questions at cabforum.org>
Subject: Re: [cabfquest] [cabfpub] Domain Validation Revision

Following up from a thread on cabfpub:

On 02/12/2015 07:08 PM, Ryan Sleevi wrote:

8 concerns me for a couple reasons, even though it's moving in the

right direction.

- You require HTTPS, but that seems overkill, when you only need to

perform a TLS handshake. That is, consider a mail server configured

for SMTP-S - it seems that would be a viable configuration

Agreed. As a concrete example, the ACME spec under discussion at IETF

proposes a challenge type called "Domain Validation with Server Name

Indication," or DVSNI for short:


We believe that DVSNI allows us to offer a higher level of assurance

than item (6), "making an agreed-upon change to information found on an

online Web page," since some sites allow arbitrary file upload, either

by intent or by accident. We're planning to use it for the Let's Encrypt

CA for that reason, so we'd like to make sure that item (8) allows for


For example, here is a version of item (8) that we think would work:

Having the Applicant demonstrate practical control over the FQDN by

providing a TLS service on a host found in DNS for the FQDN. The CA

SHALL initiate a TLS connection with that host and verify that the

response contains unique, unguessable information proposed by the CA, in

a well-specified format.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150216/320b1346/attachment-0003.html>

More information about the Public mailing list