[cabfpub] VWG Question 2 - Domain Validation pre-ballot

Rick Andrews Rick_Andrews at symantec.com
Thu Nov 19 01:11:11 UTC 2015 

I don't have strong feelings either way. If "validation" is over-broad, we
can use "/.well-known/validation/pki/" instead.

-Rick

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of kirk_hall at trendmicro.com
Sent: Wednesday, November 18, 2015 3:23 PM
To: CABFPub (public at cabforum.org)
Subject: [cabfpub] VWG Question 2 - Domain Validation pre-ballot

 

Richard Barnes is withdrawing this suggested edit of adding other paths, but
has suggested the path "/.well-known/validation" in the current ballot be
CHANGED to "/.well-known/pki-validation".  His reasoning is as follows:

 

I can actually live with this [withdrawing his suggested addition of other
authorized paths].  Eric Mill pointed out to me that you can distinguish
between validation types within that directory, so there's enough
flexibility without the liberalization.  So unless anyone else thinks
there's a need to liberalize this requirement, consider the proposal
withdrawn.

I would like to bike-shed the string a little bit.  The word "validation" is
over-broad.  One could certainly imagine other "validation" things going
under .well-known.  (POSH, an existing .well-known user, comes close
http://www.iana.org/go/draft-ietf-xmpp-posh-06)

What would people think about changing from "validation" to something like
"pki-validation"?

 

 

 

From: Kirk Hall (RD-US) 
Sent: Thursday, November 12, 2015 5:08 PM
To: CABFPub (public at cabforum.org)
Subject: Question 2 - Domain Validation pre-ballot

 

Question 2 - Domain Validation pre-ballot

 

The second open question for the current Domain Validation ballot also comes
from Richard Barnes of Mozilla, and is as follows.

 

Proposal 2: In line H 

 

CURRENT DRAFT: 

 

"6. Having the Applicant demonstrate control over the requested FQDN by
installing a Random Value (contained in the name of the file, the content of
a file, on a web page in the form of a meta tag, or any other format as
determined by the CA) under "/.well-known/validation" directory on an
Authorized Domain Name, that can be validated over an Authorized Port; or"

 

Richard proposes to add the following language as shown: "*** or any other
path under .well-known registered by IANA for this purpose" 

 

6. Having the Applicant demonstrate control over the requested FQDN by
installing a Random Value (contained in the name of the file, the content of
a file, on a web page in the form of a meta tag, or any other format as
determined by the CA) under "/.well-known/validation" directory on an
Authorized Domain Name, or any other path under .well-known registered by
IANA for this purpose that can be validated over an Authorized Port; or 

 

Richard's reasoning: "For automated systems like ACME, they're going to want
a much more precise definition of the validation process than what's in this
document, and they may want to use different .well-known paths to indicate
different methods that are all compliant with this section. Requiring the
IANA registration allows these differences to exist, but in a controlled
way."

 

On the call today, it was noted that only a single path
"/.well-known/validation" directory on an Authorized Domain Name" was chosen
intentionally - so that webmasters could be informed to lock down this path
on their websites to avoid allowing a hacker to post a bogus credential
(such as a bogus Random Value, etc.) and obtain a cert by practical
demonstration for a domain they do not really own or control.  The sentiment
on the call was against this change.  One comment was that if a different
path was needed in the future, it could be discussed and added later by a
separate ballot if justified.

 

Questions:  The Validation Working is likely to reject this suggested
change.  However, we would like to hear from anyone who things the suggested
change is a good idea.

 



 
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail
or
telephone and delete the original message from your mail system.

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151118/aad39592/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5749 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151118/aad39592/attachment-0001.p7s>

More information about the Public mailing list