[cabfpub] Pre-Ballot 169: Revised Validation Requirements

J.C. Jones jjones at mozilla.com
Mon May 2 11:28:00 MST 2016 

All,

One concern with mandating a prefix is that it would break the HTTP
validation for the ACME protocol. After some discussions, I'd like to
propose adding a new term "Required Website Content" and use that term
in the method. Credit to Andrew Ayer for the proposed text (thanks!).

The diff against Ballot-169 is available at GitHub [1], and can be
made into a pull request (into Ballot-169 branch) if desired.

New Term:

  **Required Website Content**: Either a Random Value or a Request
Token, optionally concatenated with additional information as
specified by the CA.

Method Change (additions in +{ }+ brackets):

  ##### 3.2.2.4.6 Agreed-Upon Change to Website
  Confirming the Applicant's control over the requested FQDN by
confirming the presence of +{Required Website Content}+ (contained in
the content of a file or on a web page in the form of a meta tag)
under the "/.well-known/pki-validation" directory, or another path
registered with IANA for the purpose of Domain Validation, on the
Authorization Domain Name that can be validated over an Authorized
Port. +{The entire Required Website Content MUST NOT appear in the
path used to retrieve the file or web page.}+

1) https://github.com/cabforum/documents/compare/Ballot-169...jcjones:Ballot-169?expand=1

Cheers,
J.C.

On Mon, May 2, 2016 at 9:33 AM, Gervase Markham <gerv at mozilla.org> wrote:
> On 30/04/16 00:14, Peter Bowen wrote:
>> I’ve found a possible vulnerability with 3.2.2.4.6. Agreed-Upon
>> Change to Website.  If the Random Value or Request Token is contained
>> in the URI path, then certain websites will return it in the meta tag
>> of the resulting page.
>
> Could we require that it appear in the returned data with a particular
> prefix, such as "Response: "?
>
>> Returns 200 with a page containing:
>> <meta property="og:title"
>> content=".well-known/pki-validation/06ca919e1b1cf100e97fc2215c036a8c817f4443aa0afe5ca1a63db973a09e4b:
>> Search Results from Example"> <meta property="og:url"
>> content="http://www.example.com/search?q=.well-known%2Fpki-validation%2F06ca919e1b1cf100e97fc2215c036a8c817f4443aa0afe5ca1a63db973a09e4b”>
>
> Did you try exploiting this as a Cross-Site Scripting vulnerability? :-)
>
> Gerv
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

More information about the Public mailing list