[cabfpub] CNAME-based validation

Ryan Sleevi rsleevi at chromium.org
Thu Sep 8 15:05:46 MST 2016


On Thu, Sep 8, 2016 at 2:59 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:

> I suppose that would work for us but wouldn't there be the same concern
> with _pki and wildcard domains.


> Why not permit both validation methods?
>

Because a wildcard DNS record is statistically unlikely to be CNAME'd to <random
token>.anything, while wildcard DNS implies a significantly greater
probability that <random>.anything will CNAME to <fixed string>.

The former - using _pki.[something] to CNAME to <random>.[something] - is
robust in the presence of Wildcard DNS, and still ensures the critical
property desired by <random> - that it's unlikely to happen except through
a demonstration of control.
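The two CNAME layouts compared above, modelled against a toy zone so the wildcard failure mode can be seen directly. This is an added example and is not code from the thread, from CAB Forum or from chromium.org; the `_pki` label is taken from the message, while the CA host name `validate.ca.example`, the zone contents and the simplified wildcard matching are assumptions for illustration only.

```python
"""Compare the two CNAME-based validation layouts from the thread against a
constructed zone that contains a wildcard record.

Layout A: fixed label  ->  random target   (_pki.example CNAME <token>.ca)
Layout B: random label ->  fixed target    (<token>.example CNAME ca-host)

Added example; names and zone data are assumptions, not CAB Forum text.
"""

import secrets

CA_VALIDATION_DOMAIN = "validate.ca.example"  # assumed CA-controlled fixed host
FIXED_LABEL = "_pki"                           # label used in the thread


def lookup_cname(zone, label):
    """Return the CNAME target for `label` in `zone`, or None.

    `zone` maps labels (relative to the apex) to CNAME targets. Simplified
    RFC 1034 wildcard semantics: an explicit record wins; otherwise a "*"
    record answers for any label that does not exist explicitly.
    """
    if label in zone:
        return zone[label]
    return zone.get("*")


def new_token():
    """Per-request random token generated by the CA (128 bits, hex)."""
    return secrets.token_hex(16)


def validate_fixed_label_random_target(zone, token):
    """Layout A: the applicant CNAMEs the fixed label to
    <token>.<CA_VALIDATION_DOMAIN>. Passing requires the token to have been
    written into the zone, which a wildcard set up in advance cannot do."""
    return lookup_cname(zone, FIXED_LABEL) == f"{token}.{CA_VALIDATION_DOMAIN}"


def validate_random_label_fixed_target(zone, token):
    """Layout B: the applicant creates <token> as a label and CNAMEs it to the
    fixed CA host. Any record that answers for <token>, including a wildcard,
    satisfies the check."""
    return lookup_cname(zone, token) == CA_VALIDATION_DOMAIN


def build_honest_zone(token):
    """Zone a legitimate applicant publishes for one request (constructed
    data): both layouts present, no wildcard."""
    return {
        FIXED_LABEL: f"{token}.{CA_VALIDATION_DOMAIN}",
        token: CA_VALIDATION_DOMAIN,
    }


# Constructed: a wildcard CNAME, such as a hosting platform might install for
# every customer zone, that happens to point at the CA's fixed host. No
# per-request token was ever placed here.
WILDCARD_ZONE = {
    "www": "edge.hosting.example",
    "*": CA_VALIDATION_DOMAIN,
}


def run_scenarios():
    """Evaluate both layouts on the honest zone and on the wildcard zone.

    Returns a dict keyed by (scenario, layout) -> bool. For the wildcard zone a
    freshly generated token is used, i.e. one nobody demonstrated control for.
    """
    token = new_token()
    honest = build_honest_zone(token)
    unseen_token = new_token()
    return {
        ("honest", "A"): validate_fixed_label_random_target(honest, token),
        ("honest", "B"): validate_random_label_fixed_target(honest, token),
        ("wildcard", "A"): validate_fixed_label_random_target(WILDCARD_ZONE, unseen_token),
        ("wildcard", "B"): validate_random_label_fixed_target(WILDCARD_ZONE, unseen_token),
    }


if __name__ == "__main__":
    for (scenario, layout), ok in sorted(run_scenarios().items()):
        print(f"{scenario:9s} layout {layout}: {'PASS' if ok else 'FAIL'}")
```

Running it shows layout B accepting the wildcard zone for a token the zone operator never saw, while layout A rejects it: the wildcard can only ever answer with a value fixed before the request, so it can produce the fixed CA host but not the per-request token.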