[cabfpub] Domain validation

Ryan Sleevi sleevi at google.com
Thu May 7 09:07:27 MST 2015


On May 7, 2015 6:47 AM, "Tim Hollebeek" <THollebeek at trustwave.com> wrote:
>
> I’ll note that if you object to #6 on those grounds, you also object to
#10, which is basically “do #6 via TLS, with fewer requirements around
where the value must be placed.”
>
>
>
> In fact I’m starting to think that #10 should be eliminated and rolled
into #6, simply by noting in #6 that for the purposes of #6, TLS with an
untrusted server certificate can be used in place of HTTP.
>
>
>
> -Tim
>

No Tim, they aren't equivalent under the threat model / equivalency that
Anoosh agreed as (part of) the concern.

In both the Azure and the AppEngine case, the hosting provider terminates
TLS, and thus the tenant cannot influence it.

This isn't universal for all hosting scenarios (e.g. Google Compute Engine,
AWS), but it does represent a material difference to the threat model that
we should not consider them equivalent.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20150507/fb9cb6c1/attachment.html 


More information about the Public mailing list