[cabfpub] CNAME-based validation

Geoff Keating geoffk at apple.com
Sat Sep 3 01:15:08 UTC 2016


Yes, in this case the random value is represented as ‘1023456789ABCDEF’.

> On 2 Sep. 2016, at 5:38 pm, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> 
> In this case it must be a random value provided by the ca that is then used to create the sub domain. It must follow all other rules related to random values (valid only for 30 days, unique per message,etc)
> 
> On Sep 2, 2016, at 5:19 PM, Geoff Keating <geoffk at apple.com> wrote:
> 
>> 
>>> On 2 Sep. 2016, at 2:26 pm, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
>>> 
>>> I realized after reviewing my proposal that it will require a new method under the domain validation section. Therefore, I’m proposing we add the following as a new permitted method for domain validation:
>>>  
>>> Add the following as Section 3.2.2.4.11:
>>>  
>>> Confirming the Applicant’s control over the requested FQDN by appending a Random Value or Request Token as a sub domain to an Authorization Domain Name and pointing the CNAME record of the created sub domain to a FQDN verified by the CA using one of methods permitted under Section 3.2.2.4
>>>  
>>> Looking for two endorsers.
>> 
>> I would be concerned about this for the case of domains that allow user-created subdomains.  For example, if the CA says I need to create 1023456789ABCDEF.github.com, I can probably just go do that.  We dealt with this for web sites by requiring they’d be under /.well-known.
>> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3321 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160902/0727124e/attachment-0001.p7s>


More information about the Public mailing list