[cabfpub] Domain Validation

Jeremy Rowley jeremy.rowley at digicert.com
Tue Aug 23 20:16:03 MST 2016 

Thanks Peter. I'm proposing this:

_<RANDOM>.example.com. CNAME <customer_selected OR ca_selected>.example.com.

I think simply adding CNAME to the DNS section permits the validation. 

Jeremy

-----Original Message-----
From: Peter Bowen [mailto:pzb at amzn.com] 
Sent: Tuesday, August 23, 2016 7:24 PM
To: Jeremy Rowley <jeremy.rowley at digicert.com>
Cc: public at cabforum.org
Subject: Re: [cabfpub] Domain Validation

Jeremy,

I’m a little confused.  According to the current rule, you could do:

_domainvalidation.digicert.com. TXT <RANDOM>

and use that to validate control of shoop.digicert.com, as the validation would be for the base domain.

Are you proposing that we allow:

or that we allow

_domainvalidation.example.com. CNAME <RANDOM>.dcv.digicert.com.

to validate control of example.com?

Thanks,
Peter

> On Aug 23, 2016, at 3:36 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> 
> We noticed a method missing from the recent domain name validation ballot that we would like added as a potential process for validating domains. Basically, we add a random value to the CNAME record to validate a domain. So we’d add [RANDOM].digicert.com to verify control over digicert.com. We add another layer on this check that verifies control over the address that RANDOM.digicert.com points to – ie, we’d validate dcv.digicert.com if [RANDOM].digicert.com pointed there.  
> 
> I just noticed the ballot only permits use of random values for authentication in TXT and CAA records. I’d like to amend the DNS record validation section to permit CNAME validation as well.  The proposed change is:
> 3.2.2.4.7 DNS Change
> Confirming the Applicant's control over the requested FQDN by confirming the presence of a Random Value or Request Token in a DNS TXT, CNAME, or CAA record for an Authorization Domain Name or an Authorization Domain Name that is prefixed with a label that begins with an underscore character. 
> If a Random Value is used, the CA or Delegated Third Party SHALL provide a Random Value unique to the certificate request and SHALL not use the Random Value after (i) 30 days or (ii) if the Applicant submitted the certificate request, the timeframe permitted for reuse of validated information relevant to the certificate (such as in Section 3.3.1 of these Guidelines or Section 11.14.3 of the EV Guidelines). 
> 
> Thoughts? Endorsers?
> 
> Jeremy
> 
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4964 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20160824/76fbf157/attachment.bin

More information about the Public mailing list