[cabfpub] Question on validation method #10 in draft domain validation ballot

Gervase Markham gerv at mozilla.org
Tue May 5 13:30:19 UTC 2015


On 05/05/15 02:27, kirk_hall at trendmicro.com wrote:
> Does this simply mean the Applicant must have a website that the CA can
> reach?

Yes, over TLS.

> Because it’s a “TLS” service, does that mean the Applicant must
> already have a cert on the webpage?

Not sure. The answer is either:

a) Yes, but it may be self-signed (i.e. locally generated).
or
b) No, because the Random Value can be sent in one of the messages which
make up a TLS handshake before you even get to the point of exchanging
certs.

> What is the “host” found in the DNS?  

This simply means the computer which responds to the IP address given by
the DNS for the name that is being verified.

> *** (ii) verify a Random Value or a Request Token ***
> 
> How is the Random Value or Request Token supplied by the CA to the
> Applicant?  

That isn't specified in this method. I'm not sure it's specified in
other methods either, is it?

> Where is it to be placed, and by whom?

Anywhere in the TLS response data.

> Other “practical demonstration” methods involve out of band or separate
> sessions between the CA and the Applicant which add security – what is
> the security for placing the Random Value/Token … somewhere?

AIUI, this method is very similar to the "visit a well-known URL to get
the random value" method. In both cases, you are connecting over the
Internet (in an unauthenticated fashion) to an IP address given in the
DNS, and expecting the response to give you back a Random Value. In the
URL case, the RV is in the body of the returned data. In this case, it's
in part of the TLS protocol response packet.

> What does this mean?  What would be a format that is NOT recognized as a
> valid TLS response?

I suspect, to give an example, that
111111111111111111111111111111111111011 would not be a valid TLS
response. I'm not sure what you are asking here.

> The current BR 11.1.1 domain validation methods are spelled out in
> enough detail so everyone can fully understand the steps and processes,
> and controls.  We should add details to the new methods to make sure
> that everyone understands all the steps, processes, and controls and can
> evaluate whether the new processes have sufficient security to be
> included as a domain validation method.

We should certainly make sure any new methods we add are understandable,
absolutely.

Gerv
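
Added example, not part of the message above or of the ballot text: a sketch of the CA-side check the thread discusses, which rejects a reply that is not framed as TLS records and then looks for the Random Value anywhere in the record payloads. It assumes the value appears as literal bytes in an unencrypted reply; all names and the sample bytes are hypothetical.

```python
import struct

# TLS record-layer content types (RFC 5246, section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048  # largest record body TLS 1.2 permits

class NotTLS(ValueError):
    """The reply is not a well-formed sequence of TLS records."""

def parse_records(reply: bytes):
    """Split a server reply into (content_type, body) pairs or raise NotTLS."""
    records, off = [], 0
    while off < len(reply):
        if len(reply) - off < 5:
            raise NotTLS("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", reply, off)
        if ctype not in CONTENT_TYPES:
            raise NotTLS(f"unknown content type {ctype}")
        if major != 3 or minor > 3:
            raise NotTLS(f"unexpected record version {major}.{minor}")
        if length > MAX_RECORD_LEN or off + 5 + length > len(reply):
            raise NotTLS("record length out of range or body truncated")
        records.append((ctype, reply[off + 5:off + 5 + length]))
        off += 5 + length
    if not records:
        raise NotTLS("empty reply")
    return records

def find_random_value(reply: bytes, random_value: bytes):
    """Return the content type whose payload carries the value, else None."""
    streams = {}
    for ctype, body in parse_records(reply):
        # Reassemble per content type: a value may straddle two records.
        streams[ctype] = streams.get(ctype, b"") + body
    for ctype, payload in streams.items():
        if random_value in payload:
            return CONTENT_TYPES[ctype]
    return None

def record(ctype: int, body: bytes) -> bytes:
    """Build one TLS 1.2 record (helper for the constructed samples)."""
    return struct.pack("!BBBH", ctype, 3, 3, len(body)) + body

# Constructed sample data: not a real handshake, only valid record framing.
RV = b"constructed-random-value-0001"
ONE_RECORD = record(22, b"\x0b\x00\x00\x40" + b"CN=" + RV)
SPLIT = record(22, b"\x0b\x00\x00\x40CN=" + RV[:10]) + record(22, RV[10:])
```

The string of ones quoted in the message fails at the first byte, because 0x31 is not a TLS content type.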



