[cabfpub] CNAME-based validation

Jeremy Rowley jeremy.rowley at digicert.com
Fri Sep 2 21:52:49 UTC 2016


Wildcard domains are already allowed. We can verify Wildcard DNS because a CNAME for *.domain.com is pointing to a record previously verified. This verification method is permitted under the definition of Authorization Domain Name (where the FQDN returned by a CNAME lookup can be used to verify the requested FQDN). Although <rnd>.domain.com isn’t necessarily distinguishable from *.domain.com, the validation ends up being the same because either it’s considered an Authorized Domain Name (under the definition) or it was validated as a random value in this new method.

For example:

*.domain.com -> dcv.example.com (validated under the Authorized Domain Name section)

<rnd>.domain.com -> validation.example.com (validated under this new section)

Because each is validated properly, tracking which exact section was used in the validation isn’t necessary.

 

Jeremy

 

From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Friday, September 2, 2016 3:28 PM
To: Jeremy Rowley <jeremy.rowley at digicert.com>
Cc: public at cabforum.org
Subject: Re: [cabfpub] CNAME-based validation

 

Jeremy,

 

Does this introduce risk for sites that use Wildcard DNS records? How would you propose mitigating that risk?

 

On Fri, Sep 2, 2016 at 2:26 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:

I realized after reviewing my proposal that it will require a new method under the domain validation section. Therefore, I’m proposing we add the following as a new permitted method for domain validation:

 

Add the following as Section 3.2.2.4.11:

 

Confirming the Applicant’s control over the requested FQDN by appending a Random Value or Request Token as a subdomain to an Authorization Domain Name and pointing the CNAME record of the created subdomain to a FQDN verified by the CA using one of the methods permitted under Section 3.2.2.4.

 

Looking for two endorsers.

 

Jeremy


_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
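The two cases Jeremy lays out above (a wildcard CNAME answering for *.domain.com versus an explicit CNAME for a random label), together with the proposed Section 3.2.2.4.11 text, can be modelled in a few lines. The following is an added example written for this page, not code from the CA/B Forum, DigiCert or any CA; it runs against a constructed in-memory zone instead of live DNS, and the domain names, CNAME targets, the set of CA-verified FQDNs and the helper names are all assumptions. It also adds a wildcard probe, which is one way a CA can tell whether the answer for <rnd>.domain.com came from a wildcard record or from a record the applicant created for this request.

```python
# Added example, not from the CA/B Forum thread: a toy model of the proposed
# CNAME-based validation method (Section 3.2.2.4.11 in the proposal).
# Everything here is constructed so it runs offline.
import secrets

# Constructed zone: owner name -> CNAME target. A "*.domain.com" key models a
# wildcard record that answers for any single label directly under domain.com.
ZONE = {
    "*.domain.com": "dcv.example.com",
    "login.domain.com": "app.hosting.example",
    # other.com has no wildcard; only the label the applicant added resolves.
    "a1b2c3d4e5f6.other.com": "validation.example.com",
}

# FQDNs the CA has already verified under one of the Section 3.2.2.4 methods
# (constructed set; a real CA would take this from its validation records).
CA_VERIFIED_FQDNS = {"dcv.example.com", "validation.example.com"}


def lookup_cname(zone, name):
    """Return (target, via_wildcard) for name, or (None, False) if nothing answers.

    An explicit record wins over a wildcard, as in real DNS; the toy wildcard
    only matches a single label at the same depth as the '*' (hypothetical
    simplification of RFC 4592 wildcard rules).
    """
    if name in zone:
        return zone[name], False
    labels = name.split(".")
    wildcard = "*." + ".".join(labels[1:])
    if wildcard in zone:
        return zone[wildcard], True
    return None, False


def validate_by_cname(zone, authorization_domain, random_value, verified):
    """Apply the proposed method: <rnd>.<ADN> must CNAME to a CA-verified FQDN.

    Returns (ok, detail). detail records whether a wildcard record answered,
    i.e. whether the Authorized Domain Name path or the random-value path
    was the one that actually applied.
    """
    candidate = f"{random_value}.{authorization_domain}"
    target, via_wildcard = lookup_cname(zone, candidate)
    if target is None:
        return False, f"no CNAME for {candidate}"
    if target.rstrip(".").lower() not in verified:
        return False, f"{candidate} -> {target} is not a CA-verified FQDN"
    how = "wildcard" if via_wildcard else "explicit"
    return True, f"{candidate} -> {target} ({how} record)"


def probe_wildcard(zone, domain, probe_label=None):
    """Check whether a wildcard answers for <domain> by resolving a fresh label
    nobody created on purpose. A hit means the CNAME for <rnd>.<domain> may come
    from '*.<domain>' rather than from a record added for this request."""
    label = probe_label or secrets.token_hex(8)
    target, _ = lookup_cname(zone, f"{label}.{domain}")
    return target is not None


def new_random_value():
    """Fresh unpredictable label for the applicant to create under the ADN."""
    return secrets.token_hex(8)


if __name__ == "__main__":
    print(validate_by_cname(ZONE, "domain.com", new_random_value(), CA_VERIFIED_FQDNS))
    print(validate_by_cname(ZONE, "other.com", "a1b2c3d4e5f6", CA_VERIFIED_FQDNS))
    print(validate_by_cname(ZONE, "other.com", new_random_value(), CA_VERIFIED_FQDNS))
    print(probe_wildcard(ZONE, "domain.com"), probe_wildcard(ZONE, "other.com"))
```

The explicit-record case shows why the target check matters on its own: login.domain.com has a CNAME, but it points at a hosting provider the CA never verified, so a request using "login" as the value fails even though the wildcard for the rest of the zone is accepted.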

 
