[cabfpub] Question 5 – Domain Validation pre-ballot

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Fri Nov 13 01:08:26 UTC 2015

Richard Wang of WoSign posted the following comment on the pre-ballot:

“I think the ballot should include some sort of requirement that a Random Value, Request Token, or Test Certificate can only be used once by the CA and customer to validate one domain, and that a new Random Value, Request Token, or Test Certificate must be generated by the CA for the customer for each domain being validated, and each time a domain is validated.”

Currently, there is no limitation on how many times the same Random Value, Request Token, or Test Certificate (call them all “CA markers”) can be used, or for confirming how many domains, or for what period of time.

On the call today, there was general agreement that the CA Markers should not be reused, but that a new CA Marker should be generated by the CA for validation of each new domain.  By extension, a CA should also generate a new CA Marker each time the CA re-validates the same domain (every 13 months or earlier for EV domains, every 39 months or earlier for DV and OV domains).

There was one suggestion that maybe a CA could use a single CA Marker for validating all the domains included in a single CSR.

Gerv also suggested there should be a time limit on how long a CA Marker would be valid, as a hacker could perhaps find an unused CA Marker sent to a domain owner and then use it to get a bogus cert.  For this reason, if the customer does not use the CA Token in a fairly short period, the CA should generate and send a new CA Marker to the customer for the domain.

Eddy said that applicants are sometimes slow to complete their vetting process, and so any time limit should not be too short.  He will explain and offer suggestions in an email.

Question for Discussion:

(1) Should all “CA Markers” (Random Values, Request Tokens, Test Certificates) be prohibited from re-use?  Should the limitation be one of the following?

(a) CA Markers should only be used one time for one domain being validated for an Applicant
(b) CA Markers should only be used one time, but can be re-used for confirming control of multiple domains so long as they are all contained in one CSR from an Applicant
(c) In any case, no CA Marker may be used more than x days after it has been generated and issued by the CA to the Applicant – if the domain validation is not completed in that period, the CA must generate and give a new CA Marker to the Applicant.

What rule(s) should we set for this?
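To make the options above concrete, here is an added example (not part of the original message or any CA's code) of a CA-side store that binds each Random Value to one applicant and the domain set of one CSR, accepts it at most once per domain, and rejects it after a validity window. The 30-day window and the names `MarkerStore`, `issue` and `validate` are assumptions for this illustration; the ballot's "x days" is left open.

```python
import secrets
import time
from dataclasses import dataclass, field

# Validity window for a CA Marker; the "x days" from the pre-ballot is left
# open there, so 30 days is an assumed placeholder for this example.
MARKER_VALIDITY_SECONDS = 30 * 24 * 3600


@dataclass
class Marker:
    applicant: str
    domains: frozenset          # the domains this marker may confirm (one CSR)
    issued_at: float
    used_for: set = field(default_factory=set)


class MarkerStore:
    """CA-side record of issued Random Values and how they have been consumed."""

    def __init__(self, validity=MARKER_VALIDITY_SECONDS, clock=time.time):
        self._markers = {}
        self._validity = validity
        self._clock = clock          # injectable so expiry can be tested

    def issue(self, applicant, domains):
        """Generate a fresh, unpredictable Random Value bound to one applicant
        and the domain set of one CSR (option (b)); pass one domain for option (a)."""
        value = secrets.token_urlsafe(32)
        self._markers[value] = Marker(applicant, frozenset(domains), self._clock())
        return value

    def validate(self, value, applicant, domain):
        """Check one domain against a marker; returns (accepted, reason).
        A marker confirms each bound domain at most once and never after the
        validity window, so a leftover marker is useless to a third party."""
        m = self._markers.get(value)
        if m is None:
            return False, "unknown marker"
        if self._clock() - m.issued_at > self._validity:
            return False, "marker expired; CA must issue a new one"
        if m.applicant != applicant or domain not in m.domains:
            return False, "marker not bound to this applicant and domain"
        if domain in m.used_for:
            return False, "marker already used for this domain"
        m.used_for.add(domain)
        return True, "domain control confirmed"
```

Re-validation of the same domain at a later date simply calls `issue` again, so a fresh value is generated each time a domain is validated.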
