[cabfpub] CNAME-based validation

Jeremy Rowley jeremy.rowley at digicert.com
Fri Sep 2 21:53:36 UTC 2016


That works except I'd rather put _<rnd>.example.com and have it point to validation.public.com and verify validation.public.com as legit.

-----Original Message-----
From: Peter Bowen [mailto:pzb at amzn.com] 
Sent: Friday, September 2, 2016 3:33 PM
To: Jeremy Rowley <jeremy.rowley at digicert.com>
Cc: public at cabforum.org
Subject: Re: [cabfpub] CNAME-based validation

How about making it simpler:

Confirming the Applicant's control over the requested FQDN by confirming the presence of a Random Value or Request Token in a DNS TXT, CNAME, or CAA record for an Authorization Domain Name or an Authorization Domain Name that is prefixed with a label that begins with an underscore character.

(insert “, CNAME,” in the existing method)

This would allow something like:

_certvalidation.example.com. IN CNAME <random>.validation.publicca.com.

This assumes the reason to ask for CNAME is to handle DNS configurations that don’t support setting TXT records.

Thanks,
Peter

> On Sep 2, 2016, at 2:26 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> 
> I realized after reviewing my proposal that it will require a new method under the domain validation section. Therefore, I’m proposing we add the following as a new permitted method for domain validation:
>  
> Add the following as Section 3.2.2.4.11:
>  
> Confirming the Applicant’s control over the requested FQDN by appending a Random Value or Request Token as a sub domain to an Authorization Domain Name and pointing the CNAME record of the created sub domain to a FQDN verified by the CA using one of methods permitted under Section 3.2.2.4
>  
> Looking for two endorsers.
>  
> Jeremy
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
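
The two record shapes discussed in this thread (random value in the CNAME target, as in Peter's example, and random value in the underscore-prefixed owner label pointing at a CA-verified target, as in Jeremy's reply), checked in a short Python sketch. This is an added example, not part of any message and not CA/Browser Forum or CA code. It assumes the records are passed in as constructed tuples instead of live DNS lookups, that the caller supplies the Base Domain Name, and that the function names, form labels and sample values are hypothetical.

```python
def _norm(name):
    return name.rstrip(".").lower()  # DNS names compare case-insensitively

def authorization_domain_names(fqdn, base_domain):
    """The FQDN plus every name reached by pruning labels from the left,
    stopping at the Base Domain Name (assumed reading of the BR definition)."""
    fqdn, base = _norm(fqdn), _norm(base_domain)
    if fqdn != base and not fqdn.endswith("." + base):
        raise ValueError(f"{fqdn} is not within {base}")
    labels = fqdn.split(".")
    keep = len(base.split("."))
    return [".".join(labels[i:]) for i in range(len(labels) - keep + 1)]

def check_cname_validation(fqdn, base_domain, random_value, records,
                           verified_targets=()):
    """Return (form, owner, target) for the first CNAME that satisfies either
    wording from the thread, or None. records: (owner, rtype, rdata) tuples."""
    rv = random_value.lower()
    adns = set(authorization_domain_names(fqdn, base_domain))
    verified = {_norm(t) for t in verified_targets}
    for owner, rtype, rdata in records:
        if rtype.upper() != "CNAME":
            continue
        owner, target = _norm(owner), _norm(rdata)
        prefix, _, parent = owner.partition(".")
        underscore_of_adn = prefix.startswith("_") and parent in adns
        # Random value present in the CNAME record, owner is an ADN or an
        # underscore-prefixed label under an ADN. Match a whole label, not a
        # substring, so a longer label containing the value does not pass.
        if (owner in adns or underscore_of_adn) and rv in target.split("."):
            return ("value-in-target", owner, target)
        # _<rnd>.<ADN> pointing at a name the CA has already verified.
        if underscore_of_adn and prefix == "_" + rv and target in verified:
            return ("value-in-owner", owner, target)
    return None

# Constructed sample data, not taken from any real zone.
RANDOM = "8f3c1e5a7b9d4c60a1b2c3d4e5f60718"
ZONE_TARGET_FORM = [
    ("_certvalidation.example.com.", "CNAME", RANDOM + ".validation.publicca.com."),
]
ZONE_OWNER_FORM = [("_" + RANDOM + ".example.com.", "CNAME", "validation.public.com.")]
ZONE_REJECTED = [
    # No underscore prefix and not itself an Authorization Domain Name.
    ("certvalidation.example.com.", "CNAME", RANDOM + ".validation.publicca.com."),
    # Right owner, but the value is only a substring of a target label.
    ("_certvalidation.example.com.", "CNAME", "x" + RANDOM + ".validation.publicca.com."),
]
```

The owner-label form only passes when the target is in `verified_targets`, which stands in for whatever process the CA used to verify that name.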
