[cabfpub] CNAME-based validation

Ryan Sleevi rsleevi at chromium.org
Thu Sep 8 15:47:44 MST 2016 

On Thu, Sep 8, 2016 at 3:25 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:

> The one short-coming of this approach over using multiple random values to
> detect wildcard domains is that the process makes obtaining multiple
> certificates from different CAs difficult. If a customer wants to use both
> DigiCert and another CA, the customer would have to order each one in
> separate intervals as _pki.domain.com can only have a single CNAME
> record. Using two random values, the customer can have multiple CAs
> simultaneously issue certificates.
>
>
>
> CA1:
>
> <rnd_CA1>.domain.com CNAME <rnd2_CA1>.validation.com
>
> CA2:
>
> <rnd_CA2>.domain.com CNAME <rnd2_CA2>.validation.com
>
>
>
I think this proposal is different than what I understood your previous
proposal to be, and I think it probably resolves the heart of my objection
- that the randomness shouldn't be "trusted" if it's in the "name to be
resolved", but can be if it's in the "contents of the record" (in this
case, the CNAME-pointed to domain).

My understanding is your proposal was
<rnd_CA1>.example.net CNAME shop.example.com  (Notice how I keep using RFC
6761 special-use domains? :P)

Would be seen as authorization to issue for "example.net" if the CA
previously issued for "shop.example.com". I don't think that's good,
because the <rnd_CA1> can't be taken as positive
consent/configuration/control in the presence of Wildcard DNS.

If the proposal is that
<rnd_CA1>.example.net CNAME <rnd2_CA1>.shop.example.com

Be taken as authorization to issue for example.net if the CA has validated
shop.example.com, then I think that'd be OK, and would be curious if anyone
spots any risk I'm missing. That's because the <rnd_CA1> is not a "Random
Token/Value", but just a "Don't disrupt the service" variation, and the
real random value/token is in the contents of the CNAME - specifically,
<rnd2_CA1>.

In the case of non-Wildcard DNS, this demonstrates practical control over
example.net (by creating rnd_CA1)
In the case of Wildcard DNS, this demonstrates practical control at least
to the level of the Wildcard DNS rule, because it's statistically unlikely
that they would have just 'happened' to chose <rnd2_CA1> as a subdomain,
provided that it has sufficient randomness.


To double check my math, a given DNS label (that is, the value of <rnd_CA1
/ rnd2_CA2>) is limited to 64 characters, which should be plenty sufficient
for a modified Base32-encoding of a minimum 112-bit random value, which
would be 24 characters (using perhaps 0/1 as the padding character, since =
can't appear due to the LDH rule)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20160908/f08bc14d/attachment.html

More information about the Public mailing list