[cabfpub] Question on validation method #10 in draft domain validation ballot

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Tue May 5 01:27:52 UTC 2015


Proposed new validation method #10 in the draft domain validation ballot is difficult to understand, as it is lacking in some details.  Here is how the language reads (including Comodo's suggestion of adding Random Token along with Random Value, which we think is fine):

10.  Having the Applicant demonstrate control over the FQDN by providing a TLS service on a host found in DNS for the FQDN and having the CA (i) initiate a TLS connection with the host and (ii) verify a Random Value or a Request Token that is a in a format recognized as a valid TLS response.

Here are my questions for clarification, broken down in sections:

Part 1

Text of subsection 10: "10.  Having the Applicant demonstrate control over the FQDN by providing a TLS service on a host found in DNS for the FQDN ***"

Comments and questions: Does this simply mean the Applicant must have a website that the CA can reach?  Because it's a "TLS" service, does that mean the Applicant must already have a cert on the webpage?  What is the "host" found in the DNS?  Can we provide more specifics?

Part 2

Text of subsection 10: "*** and having the CA (i) initiate a TLS connection with the host and ***"

Comments and questions: Same question - if the CA must initiate a TLS connection, does the Applicant's website already have to be secured by a cert?  Again, we need more specifics on the "host" - what is it intended to mean here, where did it come from, separate session?

Part 3

Text of subsection 10: "*** (ii) verify a Random Value or a Request Token ***"

Comments and questions: How is the Random Value or Request Token supplied by the CA to the Applicant?  Where is it to be placed, and by whom?  Different session?  Other "practical demonstration" methods involve out-of-band or separate sessions between the CA and the Applicant which add security - what is the security for placing the Random Value/Token ... somewhere?

Part 4

Text of subsection 10: "*** that is a in a format recognized as a valid TLS response."

Comments and questions: What does this mean?  What would be a format that is NOT recognized as a valid TLS response?


The current BR 11.1.1 domain validation methods are spelled out in enough detail so everyone can fully understand the steps and processes, and controls.  We should add details to the new methods to make sure that everyone understands all the steps, processes, and controls and can evaluate whether the new processes have sufficient security to be included as a domain validation method.

Let's discuss on Thursday's call.

Kirk R. Hall
Operations Director, Trust Services
Trend Micro
+1.503.753.3088

