[cabfpub] Fwd: [cabfquest] DV Proposal - filename-based confirmation

Ryan Sleevi sleevi at google.com
Thu Apr 14 08:11:47 MST 2016


Forwarding on Patrick's behalf. This does seem like a valid security bug in
the new ballot.
---------- Forwarded message ----------
From: "Patrick Figel" <patfigel at gmail.com>
Date: Apr 14, 2016 2:15 AM
Subject: [cabfquest] DV Proposal - filename-based confirmation
To: <questions at cabforum.org>
Cc:

Section 3.2.2.4.6 of the latest Domain Validation Proposal states the
following:
> Confirming the Applicant's control over the requested FQDN by confirming the
> presence of a Random Value or Request Token (*contained in the name of the file*,
> the content of a file, on a web page in the form of a meta tag, or any other
> format as determined by the CA) under "/.well-known/pki-validation" directory,
> or another path registered with IANA for the purpose of Domain Validation, on
> the Authorization Domain Name that can be validated over an Authorized Port.

Many web applications are configured to (internally) redirect requests for a
non-existing resource to something like a front controller handling all
requests, which might not necessarily reply with an appropriate HTTP Status
Code. This language would allow misissuance for any FQDN with this type of
configuration.

To add to my previous point, I think it's worth considering whether the
Random Value or Request Token should be allowed to be fully included in the
request URL at all. If the URL is included in the response, it would
technically confirm the presence of the token, unless the CA enforces a more
specific format for the response.
_______________________________________________
Questions mailing list
Questions at cabforum.org
https://cabforum.org/mailman/listinfo/questions
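
Added example, not part of either message above and not any CA's actual code: a CA-side comparison of three validation checks against two constructed sites, showing why a token carried in the request URL cannot prove control when a front controller answers 200 and echoes the URL. The file name `validation.txt`, the site models and all function names are assumptions made for illustration.

```python
import secrets

PREFIX = "/.well-known/pki-validation/"
FIXED_NAME = "validation.txt"  # hypothetical fixed file name chosen by the CA

def front_controller_site(path):
    """Constructed site: every unknown path is routed to the application,
    which answers 200 and echoes the requested URL in the page."""
    return 200, f"<html><body>Welcome! You requested {path}</body></html>"

def make_controlled_site(token):
    """Constructed site whose operator really placed the validation files."""
    files = {PREFIX + FIXED_NAME: token + "\n", PREFIX + token: token}
    def fetch(path):
        if path in files:
            return 200, files[path]
        return 404, "Not Found"
    return fetch

def filename_check(fetch, token):
    """Token only in the file name: any 200 response is accepted."""
    status, _ = fetch(PREFIX + token)
    return status == 200

def substring_check(fetch, token):
    """Token in the URL, accepted if it appears anywhere in the body."""
    status, body = fetch(PREFIX + token)
    return status == 200 and token in body

def strict_check(fetch, token):
    """Token never appears in the URL; the body must be exactly the token."""
    status, body = fetch(PREFIX + FIXED_NAME)
    return status == 200 and body.strip() == token

def evaluate(token):
    """Run every check against every site; True means the CA would accept."""
    sites = {"front_controller": front_controller_site,
             "controlled": make_controlled_site(token)}
    checks = {"filename": filename_check, "substring": substring_check,
              "strict": strict_check}
    return {(s, c): check(fetch, token)
            for s, fetch in sites.items() for c, check in checks.items()}

if __name__ == "__main__":
    for key, accepted in evaluate(secrets.token_hex(16)).items():
        print(key, "ACCEPT" if accepted else "reject")
```

Only the strict check rejects the front-controller site while still accepting the site that actually holds the file.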