[cabfpub] Pre-Ballot 169: Revised Validation Requirements
sleevi at google.com
Fri Apr 29 23:28:55 UTC 2016
A previous suggestion from the public was to explicitly only allow
successful (200) results. Allowing 301 is arguably equally problematic.
On Fri, Apr 29, 2016 at 4:14 PM, Peter Bowen <pzb at amzn.com> wrote:
> I’ve found a possible vulnerability with 3.2.2.4.6. Agreed-Upon Change to
> Website. If the Random Value or Request Token is contained in the URI
> path, then certain websites will return it in the meta tag of the resulting
> page. The pattern I found on a real website is:
> Returns 301 with Location:
> Returns 200 with a page containing:
> <meta property="og:title"
> Search Results from Example">
> <meta property="og:url" content="
> I think this method needs to be updated to preclude the CA from using a
> URL containing the Random Value or Request Token.
> > On Apr 26, 2016, at 2:40 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
> > Below (and attached) are the revised validation requirements. I’m
> looking for two endorsers.
> > 3.2.2.4.6. Agreed-Upon Change to Website
> > Confirming the Applicant's control over the requested FQDN by confirming
> the presence of a Random Value or Request Token (contained in the content
> of a file or on a web page in the form of a meta tag) under the
> "/.well-known/pki-validation" directory, or another path registered with
> IANA for the purpose of Domain Validation, on the Authorization Domain Name
> that can be validated over an Authorized Port.
> > If a Random Value is used, the CA or Delegated Third Party SHALL provide
> a Random Value unique to the certificate request and SHALL not use the
> Random Value after the longer of (i) 30 days or (ii) if the Applicant
> submitted the certificate request, the timeframe permitted for reuse of
> validated information relevant to the certificate (such as in Section 3.3.1
> of these Guidelines or Section 11.14.3 of the EV Guidelines).
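The reflection problem Peter describes, and the two fixes discussed in the thread (never put the Random Value in the URL; accept only a direct 200, never a 301), as an added simulation that is not part of the thread and not any CA's or the Forum's code. The "servers" are plain functions returning (status, headers, body); the /search endpoint, the og:* tag layout, and the fixed file name validation.txt are assumptions standing in for the real site whose URLs were scrubbed from the archive.

```python
"""Constructed model of the reflection problem from the pre-ballot thread.

site_* functions stand in for HTTP servers.  Everything here is an added
illustration with assumed names; nothing is the CA/B Forum's own code.
"""
import html
import secrets
from urllib.parse import parse_qs, quote, urlsplit

MAX_REDIRECTS = 5
WELL_KNOWN = "/.well-known/pki-validation/"


def reflecting_site(path):
    """Assumed site pattern: unknown paths under /.well-known/pki-validation
    are 301-redirected to a search page, and the search page echoes the
    search term in og:title and og:url meta tags."""
    parts = urlsplit(path)
    if parts.path.startswith(WELL_KNOWN):
        term = parts.path[len(WELL_KNOWN):]
        return 301, {"Location": "/search?q=" + quote(term)}, ""
    if parts.path == "/search":
        term = parse_qs(parts.query).get("q", [""])[0]
        body = (
            "<html><head>"
            f'<meta property="og:title" content="{html.escape(term)}'
            ' - Search Results from Example">'
            f'<meta property="og:url" content="https://example.test/search?q={quote(term)}">'
            "</head><body>No results</body></html>"
        )
        return 200, {}, body
    return 404, {}, "Not Found"


def honest_site_factory(token):
    """Applicant who really placed the Random Value in a file at a fixed
    name (validation.txt is an assumed name, not from the ballot text)."""
    def site(path):
        if path == WELL_KNOWN + "validation.txt":
            return 200, {}, token + "\n"
        return 404, {}, "Not Found"
    return site


def fetch(site, path, follow_redirects):
    """Minimal client: optionally chases 301/302 Location headers."""
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = site(path)
        if status in (301, 302) and follow_redirects and "Location" in headers:
            path = headers["Location"]
            continue
        return status, body
    raise RuntimeError("too many redirects")


def naive_validate(site, token):
    """The pattern Peter's finding breaks: Random Value in the URL path,
    redirects followed, token accepted anywhere in the final page."""
    status, body = fetch(site, WELL_KNOWN + token, follow_redirects=True)
    return status == 200 and token in body


def strict_validate(site, token, filename="validation.txt"):
    """Hardened check: fixed file name (token never appears in the request
    URL), only a direct 200 is accepted, and the file must consist of
    exactly the token rather than merely contain it somewhere."""
    if token in filename:
        raise ValueError("Random Value must not be part of the request URL")
    status, body = fetch(site, WELL_KNOWN + filename, follow_redirects=False)
    return status == 200 and body.strip() == token


def new_random_value():
    """Per-request Random Value (128 bits, hex-encoded)."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    rv = new_random_value()
    print("naive check against reflecting site :", naive_validate(reflecting_site, rv))
    print("strict check against reflecting site:", strict_validate(reflecting_site, rv))
    print("strict check against honest site    :", strict_validate(honest_site_factory(rv), rv))
```

Against the reflecting site the naive check reports control of the domain even though nobody placed anything there; the strict check stops at the 301 and would still fail on the search page because the echoed token is embedded in a meta tag rather than being the whole file body.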