[cabfpub] Ballot 169 - Revised Validation Requirements

Kirk Hall Kirk.Hall at entrust.com
Wed Jul 27 06:38:19 MST 2016


Geoff, it will probably take the Forum a long time to amend any of this new domain validation language - do you have an amendment to suggest now for 3.2.2.4.6?

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Geoff Keating
Sent: Friday, July 22, 2016 11:31 AM
To: Ben Wilson <ben.wilson at digicert.com>
Cc: CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] Ballot 169 - Revised Validation Requirements


> On 22 Jul. 2016, at 11:06 am, Ben Wilson <ben.wilson at digicert.com> wrote:
> 
> The Random Value SHALL remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values, in which case the CA. 

I think this sentence was intended to have a few more words at the end?

> 3.2.2.4.6 Agreed-Upon Change to Website
> 3.2.2.4.9 Test Certificate
etc.

These allow someone to validate something.example.com if they have control over http://example.com. In particular, it allows validation of shop.example.com if an attacker has access to a non-SSL website at www.example.com which is also example.com. This is a common layout and this ability might be surprising to some website operators. I can see reasons for needing this, and it doesn’t prevent me from voting yes on this proposal (because the current text is worse!), but I would like to highlight it as something to work on for the future. For example, perhaps in future we can require HTTPS for 3.2.2.4.6 unless the authorization domain name is the same as the requested domain name.

Overall, I support this proposal as written, and I thank the WG for their effort!
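The parent-domain authorization that Geoff describes, and the HTTPS-unless-same-name tightening he proposes, modelled as an added example (not code from the thread or from any CA/Browser Forum document). It assumes a two-label base domain such as example.com instead of a Public Suffix List lookup, and the challenge URLs in the comments are constructed placeholders.

```python
"""Added example: which authorization domain names can validate a requested
FQDN under 3.2.2.4.6, under the current text and under Geoff's suggestion."""
from urllib.parse import urlparse


def authorization_domain_names(fqdn: str, base_labels: int = 2) -> list[str]:
    """Return the FQDN itself plus each parent down to the base domain.

    shop.example.com -> ['shop.example.com', 'example.com']
    Assumption: the base domain is the last `base_labels` labels
    (no Public Suffix List lookup in this example).
    """
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < base_labels:
        raise ValueError("not a FQDN under a base domain: %r" % fqdn)
    return [".".join(labels[i:]) for i in range(len(labels) - base_labels + 1)]


def current_rule_allows(requested: str, change_url: str) -> bool:
    """Current text as Geoff reads it: any authorization domain name,
    over plain HTTP or HTTPS, may carry the agreed-upon change."""
    host = (urlparse(change_url).hostname or "").lower()
    return host in authorization_domain_names(requested)


def proposed_rule_allows(requested: str, change_url: str) -> bool:
    """Geoff's suggestion: require HTTPS unless the authorization domain
    name is exactly the requested domain name."""
    parsed = urlparse(change_url)
    host = (parsed.hostname or "").lower()
    if host not in authorization_domain_names(requested):
        return False  # not the FQDN or one of its parents
    if host == requested.lower().rstrip("."):
        return True  # same name: plain HTTP still acceptable
    return parsed.scheme == "https"  # parent domain: HTTPS only


if __name__ == "__main__":
    # Constructed challenge URL; the path is a placeholder, not the BR path.
    parent_http = "http://example.com/challenge.txt"
    print(current_rule_allows("shop.example.com", parent_http))   # True
    print(proposed_rule_allows("shop.example.com", parent_http))  # False
```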

