[cabfpub] Ballot 169 - Revised Validation Requirements
Ben Wilson
ben.wilson at digicert.com
Fri Jul 22 11:35:41 MST 2016
Thanks. I think the sentence should read: The Random Value SHALL remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values, in which case the CA MUST follow its CPS.
-----Original Message-----
From: geoffk at apple.com [mailto:geoffk at apple.com]
Sent: Friday, July 22, 2016 12:31 PM
To: Ben Wilson <ben.wilson at digicert.com>
Cc: CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] Ballot 169 - Revised Validation Requirements
> On 22 Jul. 2016, at 11:06 am, Ben Wilson <ben.wilson at digicert.com> wrote:
>
> The Random Value SHALL remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values, in which case the CA.
I think this sentence was intended to have a few more words at the end?
> 3.2.2.4.6 Agreed-Upon Change to Website
> 3.2.2.4.9 Test Certificate
etc.
These allow someone to validate something.example.com if they have control over http://example.com. In particular, it allows validation of shop.example.com if an attacker has access to a non-ssl website at www.example.com which is also example.com. This is a common layout and this ability might be surprising to some website operators. I can see reasons for needing this, and it doesn’t prevent me voting yes on this proposal (because the current text is worse!), but I would like to highlight it as something to work on for the future. For example, perhaps in future we can require HTTPS for 3.2.2.4.6 unless the authorization domain name is the same as the requested domain name.
Overall, I support this proposal as written, and I thank the WG for their effort!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4954 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20160722/1b5d0d0f/attachment-0001.bin
More information about the Public
mailing list