[cabfpub] CNAME-based validation

Geoff Keating geoffk at apple.com
Fri Sep 2 16:19:33 MST 2016


> On 2 Sep. 2016, at 2:26 pm, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> 
> I realized after reviewing my proposal that it will require a new method under the domain validation section. Therefore, I’m proposing we add the following as a new permitted method for domain validation:
>  
> Add the following as Section 3.2.2.4.11:
>  
> Confirming the Applicant’s control over the requested FQDN by appending a Random Value or Request Token as a sub domain to an Authorization Domain Name and pointing the CNAME record of the created sub domain to a FQDN verified by the CA using one of methods permitted under Section 3.2.2.4
>  
> Looking for two endorsers.

I would be concerned about this for the case of domains that allow user-created subdomains. For example, if the CA says I need to create 1023456789ABCDEF.github.com, I can probably just go do that. We dealt with this for web sites by requiring they’d be under /.well-known.
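As an added illustration (not CA/B Forum text or any CA's code), the following simulates the proposed check from Section 3.2.2.4.11 against constructed zone data and adds the refusal a validator would need for the user-created-subdomain case raised above; the zone contents, the CA-verified FQDN and the list of shared parent domains are all assumptions made up for the example.

```python
# Added example: simulated CNAME-based domain validation, offline.
# DNS is replaced by a constructed dict; nothing here is real zone data.
import secrets

# Constructed zone: owner name -> CNAME target (lower-case, no trailing dot).
ZONE = {
    "1023456789abcdef.example.com": "validated.ca.example",
    # Label created by an ordinary user under a shared parent domain.
    "1023456789abcdef.github.com": "validated.ca.example",
}

# Constructed stand-in for a list of domains whose subdomains are handed out
# to arbitrary users. Assumption: a real validator would consult a maintained
# list such as the Public Suffix List rather than this hard-coded set.
SHARED_PARENTS = {"github.com"}


def new_random_value(nbytes: int = 16) -> str:
    """Random Value the CA issues to the Applicant (lower-case hex)."""
    return secrets.token_hex(nbytes)


def lookup_cname(name: str, zone=ZONE):
    """Return the CNAME target for name, or None if no record exists."""
    return zone.get(name.lower().rstrip("."))


def validate_cname(authorization_domain: str, random_value: str,
                   ca_verified_fqdn: str, zone=ZONE, shared=SHARED_PARENTS):
    """Return (ok, reason). ok is True only when
    <random_value>.<authorization_domain> has a CNAME to ca_verified_fqdn."""
    adn = authorization_domain.lower().rstrip(".")
    # Caveat from the thread: a label under a domain that lets any user create
    # subdomains proves nothing about control of the parent, so refuse it.
    if adn in shared:
        return False, "authorization domain allows user-created subdomains"
    name = f"{random_value.lower()}.{adn}"
    target = lookup_cname(name, zone)
    if target is None:
        return False, "no CNAME record"
    if target != ca_verified_fqdn.lower().rstrip("."):
        return False, "CNAME points elsewhere"
    return True, "ok"
```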
