[cabfpub] Pre-Ballot 169 - Revised Validation Requirements

Jacob Hoffman-Andrews jsha at letsencrypt.org
Tue Jul 19 10:51:25 MST 2016


Thanks for working on these! They're looking good.


> *Authorized Port:* One of the following ports: 80 (http), 443 (http), 115
> (sftp), 25 (smtp), 22 (ssh).


It seems like this list should also include 465 and 587 (smtp), 143 and 993
(imap), 110 and 995 (pop), and possibly 5269 (xmpp), though the last might
be less appropriate since it is not generally reserved for privileged users.

> *Authorization Domain Name:* The Domain Name used to obtain authorization
> for certificate issuance for a given FQDN. The CA may use the FQDN returned
> from a DNS CNAME lookup as the FQDN for the purposes of domain validation.
> If the FQDN contains a wildcard character, then the CA MUST remove all
> wildcard labels from the left most portion of requested FQDN. The CA may
> prune zero or more labels from left to right until encountering a Base
> Domain Name and may use any one of the intermediate values for the purpose
> of domain validation.


This is a little confusing to me. Is the implication that *.example.com is
an FQDN? That conflicts with my understanding of an FQDN. I believe an FQDN
should be a Domain Name, which *.example.com is not. Perhaps dNSName to
refer to the field that winds up in the cert, and define Authorization
Domain Name as an FQDN?


> *Random Value:* A value specified by a CA to the Applicant that exhibits
> at least 112 bits of entropy.
>

Is a Random Value intended to be single-use like a Request Token without
timestamp?


> *3.2.2.4.2 Email, Fax, SMS, or Postal Mail to Domain Contact*
>
> Confirming the Applicant's control over the FQDN by sending a Random Value
> via email, fax, SMS, or postal mail and then receiving a confirming
> response utilizing the Random Value. The Random Value MUST be sent to an
> email address, fax/SMS number, or postal mail address identified as a
> Domain Contact.
>
> Each email, fax, SMS, or postal mail MAY confirm control of multiple
> Authorization Domain Names.
>
> The CA or Delegated Third Party MAY send the email, fax, SMS, or postal
> mail identified under this section to more than one recipient provided that
> every recipient is identified by the Domain Name Registrar as representing
> the Domain Name Registrant for every FQDN being verified using the email,
> fax, SMS, or postal mail.
>
> The Random Value SHALL be unique in each email, fax, SMS, or postal mail.
>

Is it worth clarifying that an email or SMS CC'ed to multiple addresses
counts as a single email?
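The label-pruning procedure in the quoted Authorization Domain Name definition, written out as an added example in Python (not code from the ballot, the CA/B Forum or Let's Encrypt). It assumes the Base Domain Name is passed in by the caller rather than derived from a public suffix list.

```python
# Added example (not from the ballot text): the wildcard-stripping and
# label-pruning steps of the quoted "Authorization Domain Name" definition.
# Assumption: the Base Domain Name is supplied by the caller; a real CA would
# derive it from a public suffix list, which this example does not embed.

def authorization_domain_names(requested_fqdn: str, base_domain_name: str) -> list:
    """Return every value the CA may use as the Authorization Domain Name.

    1. Remove all wildcard labels from the left-most portion of the name.
    2. Starting from what remains, prune one label at a time from the left
       until the Base Domain Name is reached; each intermediate value,
       including the Base Domain Name itself, is a permitted choice.
    """
    labels = [l for l in requested_fqdn.lower().rstrip(".").split(".") if l]
    base = [l for l in base_domain_name.lower().rstrip(".").split(".") if l]

    # Wildcard labels are only meaningful as whole labels on the left edge.
    while labels and labels[0] == "*":
        labels.pop(0)
    if any("*" in l for l in labels):
        raise ValueError("wildcard only allowed as whole left-most label(s)")

    # The requested name must sit at or below the Base Domain Name on a
    # label boundary, so "notexample.com" is rejected for base "example.com".
    if len(labels) < len(base) or labels[-len(base):] != base:
        raise ValueError(f"{requested_fqdn!r} is not under {base_domain_name!r}")

    candidates = []
    while len(labels) >= len(base):
        candidates.append(".".join(labels))
        labels = labels[1:]
    return candidates
```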