[cabfpub] Fwd: [cabfquest] DV Proposal - filename-based confirmation
sleevi at google.com
Thu Apr 14 15:11:47 UTC 2016
Forwarding on Patrick's behalf. This does seem like a valid security bug in
the new ballot.
---------- Forwarded message ----------
From: "Patrick Figel" <patfigel at gmail.com>
Date: Apr 14, 2016 2:15 AM
Subject: [cabfquest] DV Proposal - filename-based confirmation
To: <questions at cabforum.org>
Section 18.104.22.168.6 of the latest Domain Validation Proposal states the
> Confirming the Applicant's control over the requested FQDN by confirming
> presence of a Random Value or Request Token (*contained in the name of
> the content of a file, on a web page in the form of a meta tag, or any
> format as determined by the CA) under "/.well-known/pki-validation"
> or another path registered with IANA for the purpose of Domain
> the Authorization Domain Name that can be validated over an Authorized
Many web applications are configured to (internally) redirect requests for a
non-existing resource to something like a front controller handling
which might not necessarily reply with an appropriate HTTP Status Code.
This language would allow misissuance for any FQDN with this type of
To add to my previous point, I think it's worth considering whether the
Random Value or Request Token should be allowed to be fully included in the
request URL at all. If the URL is included in the response, it would
confirm the presence of the token, unless the CA enforces a more specific
format for the response.
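The failure mode described in the forwarded message, as an added example that is not part of the original thread or any CA's code: a validator that puts the Random Value in the file name and accepts any response containing it is satisfied by a front controller that echoes the request path, while a check against a fixed path with an exact-match body is not. The handler functions, the `validation.txt` file name and the token are constructed assumptions for illustration.

```python
# Added illustration; all names are hypothetical, not from the ballot or any CA.
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    body: str

def front_controller_site(path: str) -> Response:
    """Constructed stand-in for a site that never placed a validation file.
    Unknown paths are routed internally to a front controller that answers
    200 and echoes the requested path in the page."""
    return Response(200, f"<html><body>No page found at {path}</body></html>")

def applicant_site(token: str):
    """Constructed stand-in for a site whose operator published the token."""
    def handler(path: str) -> Response:
        if path == "/.well-known/pki-validation/validation.txt":
            return Response(200, token + "\n")
        return Response(404, "not found")
    return handler

def naive_check(site, token: str) -> bool:
    # Token is placed in the file name; any response mentioning it is accepted.
    resp = site(f"/.well-known/pki-validation/{token}.txt")
    return token in resp.body

def strict_check(site, token: str) -> bool:
    # Fixed path with no token in the URL; require 200 and an exact body.
    resp = site("/.well-known/pki-validation/validation.txt")
    return resp.status == 200 and resp.body.strip() == token

def run_demo() -> dict:
    token = "k3Jx0Qz8constructedRandomValue"  # constructed sample value
    return {
        "naive_vs_front_controller": naive_check(front_controller_site, token),
        "strict_vs_front_controller": strict_check(front_controller_site, token),
        "strict_vs_applicant": strict_check(applicant_site(token), token),
    }

if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```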