[cabfpub] Pre-Ballot 169: Revised Validation Requirements

J.C. Jones jjones at mozilla.com
Tue May 3 15:52:26 UTC 2016


This is deliberate. For example: ACME's HTTP validation mechanism [1]
includes the Random Value in the path, and the ACME server expects to
find in the body the concatenated string  `$random_value ||
$account_key_thumbprint`. The "Account Key" used in this validation is
not included in the request by the CA, and would only be known to the
CA and the Subscriber.

When the Required Website Content includes information not included in
the HTTP validation request, the highlighted risk of false-positives
from certain webserver configurations is mitigated. Supporting this,
some months back an older draft ACME was formally analyzed [2] and
there were no false-positive issues identified, though I haven't yet
seen the final report.

1) https://tools.ietf.org/html/draft-ietf-acme-acme-02#section-7.2
2) https://www.ietf.org/mail-archive/web/acme/current/msg00996.html


On Tue, May 3, 2016 at 7:47 AM, Tim Hollebeek <THollebeek at trustwave.com> wrote:
> I'm slightly concerned that this exact text allows the "Random Value" or "Request Token" to be in the path, as long as the entire RWC is not in the path.
> Should it perhaps instead say that the Random Value or Request Token part of the RWC must not appear in the path?
> -Tim
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of J.C. Jones
> Sent: Monday, May 02, 2016 2:28 PM
> To: Gervase Markham
> Cc: public at cabforum.org
> Subject: Re: [cabfpub] Pre-Ballot 169: Revised Validation Requirements
> All,
> One concern with mandating a prefix is that it would break the HTTP validation for the ACME protocol. After some discussions, I'd like to propose adding a new term "Required Website Content" and use that term in the method. Credit to Andrew Ayer for the proposed text (thanks!).
> The diff against Ballot-169 is available at GitHub [1], and can be made into a pull request (into Ballot-169 branch) if desired.
> New Term:
>   **Required Website Content**: Either a Random Value or a Request Token, optionally concatenated with additional information as specified by the CA.
> Method Change (additions in +{ }+ brackets):
>   ##### Agreed-Upon Change to Website
>   Confirming the Applicant's control over the requested FQDN by confirming the presence of +{Required Website Content}+ (contained in the content of a file or on a web page in the form of a meta tag) under the "/.well-known/pki-validation" directory, or another path registered with IANA for the purpose of Domain Validation, on the Authorization Domain Name that can be validated over an Authorized Port. +{The entire Required Website Content MUST NOT appear in the path used to retrieve the file or web page.}+
> 1) http://scanmail.trustwave.com/?c=4062&d=15yn16AuR_LXsSVpRkrsubRsDevOE_8__pvrBZZ2xg&s=5&u=https%3a%2f%2fgithub%2ecom%2fcabforum%2fdocuments%2fcompare%2fBallot-169%2e%2e%2ejcjones%3aBallot-169%3fexpand%3d1
> Cheers,
> J.C.

More information about the Public mailing list