[cabfpub] Pre-Ballot 169: Revised Validation Requirements

Tim Hollebeek THollebeek at trustwave.com
Tue May 3 14:47:59 UTC 2016

I'm slightly concerned that this exact text allows the "Random Value" or "Request Token" to be in the path, as long as the entire RWC is not in the path.

Should it perhaps instead say that the Random Value or Request Token part of the RWC must not appear in the path?


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of J.C. Jones
Sent: Monday, May 02, 2016 2:28 PM
To: Gervase Markham
Cc: public at cabforum.org
Subject: Re: [cabfpub] Pre-Ballot 169: Revised Validation Requirements


One concern with mandating a prefix is that it would break the HTTP validation for the ACME protocol. After some discussions, I'd like to propose adding a new term "Required Website Content" and use that term in the method. Credit to Andrew Ayer for the proposed text (thanks!).

The diff against Ballot-169 is available at GitHub [1], and can be made into a pull request (into Ballot-169 branch) if desired.

New Term:

  **Required Website Content**: Either a Random Value or a Request Token, optionally concatenated with additional information as specified by the CA.

Method Change (additions in +{ }+ brackets):

  ##### Agreed-Upon Change to Website
  Confirming the Applicant's control over the requested FQDN by confirming the presence of +{Required Website Content}+ (contained in the content of a file or on a web page in the form of a meta tag) under the "/.well-known/pki-validation" directory, or another path registered with IANA for the purpose of Domain Validation, on the Authorization Domain Name that can be validated over an Authorized Port. +{The entire Required Website Content MUST NOT appear in the path used to retrieve the file or web page.}+

[1] https://github.com/cabforum/documents/compare/Ballot-169...jcjones:Ballot-169?expand=1


On Mon, May 2, 2016 at 9:33 AM, Gervase Markham <gerv at mozilla.org> wrote:
> On 30/04/16 00:14, Peter Bowen wrote:
>> I’ve found a possible vulnerability with Agreed-Upon
>> Change to Website.  If the Random Value or Request Token is contained
>> in the URI path, then certain websites will return it in the meta tag
>> of the resulting page.
> Could we require that it appear in the returned data with a particular
> prefix, such as "Response: "?
>> Returns 200 with a page containing:
>> <meta property="og:title"
>> content=".well-known/pki-validation/06ca919e1b1cf100e97fc2215c036a8c817f4443aa0afe5ca1a63db973a09e4b:
>> Search Results from Example"> <meta property="og:url"
>> content="http://www.example.com/search?q=.well-known%2Fpki-validation%2F06ca919e1b1cf100e97fc2215c036a8c817f4443aa0afe5ca1a63db973a09e4b">
> Did you try exploiting this as a Cross-Site Scripting vulnerability?
> :-)
> Gerv
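The difference between the two wordings discussed in this thread ("the entire Required Website Content MUST NOT appear in the path" versus "the Random Value or Request Token part must not appear in the path"), as an added example that is not part of any message in the thread or of the ballot text. The function names, the sample values, the percent-decoding rounds and the choice to inspect the query string as well as the path are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample values (not taken from the thread).
RANDOM_VALUE = "a1b2c3d4e5f60718293a4b5c6d7e8f90"
EXTRA = ".ca-specified-info"  # optional additional information chosen by the CA

def _decoded_forms(text, rounds=3):
    """Return text plus its repeatedly percent-decoded forms (covers %252F-style double encoding)."""
    forms = {text}
    for _ in range(rounds):
        text = unquote(text)
        forms.add(text)
    return forms

def secret_in_url(url, secret):
    """True if secret appears in the path or query of url, in raw or decoded form."""
    parts = urlsplit(url)
    target = parts.path + "?" + parts.query
    return any(secret in form for form in _decoded_forms(target))

def check_retrieval_url(url, random_value, extra=""):
    """Evaluate both candidate rules against the URL used to retrieve the file or page."""
    rwc = random_value + extra  # Required Website Content per the proposed definition
    return {
        "entire_rwc_rule_ok": not secret_in_url(url, rwc),
        "random_value_rule_ok": not secret_in_url(url, random_value),
    }

def validate(url, body, random_value, extra=""):
    """Accept only if the RWC is in the response body and the Random Value is absent from the URL."""
    return (random_value + extra) in body and not secret_in_url(url, random_value)

if __name__ == "__main__":
    base = "http://www.example.com/.well-known/pki-validation/"
    # Random Value alone in the path: passes the "entire RWC" wording, fails the stricter one.
    print(check_retrieval_url(base + RANDOM_VALUE, RANDOM_VALUE, EXTRA))
    # Hypothetical fixed file name: passes both rules.
    print(check_retrieval_url(base + "fileauth.txt", RANDOM_VALUE, EXTRA))
```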