[cabfpub] CNAME-based validation

Ryan Sleevi sleevi at google.com
Sat Sep 3 01:39:46 UTC 2016 

Hi Jeremy,

I'm afraid you may have misread my example.

shop.example.com is a CNAME to paymentprovider.example.org (curse our lack
of distinct TLDs). It does not resolve to example.net

On Fri, Sep 2, 2016 at 6:29 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:

> Here’s the steps:
>
> 1)      CA verifies example.net using any one of the methods permitted
>
> 2)      CA receives request for shop.example.com
>
> 3)     CA retrieves CNAME for shop.example.com (permitted under
> Authorization Domain Name definition: “The CA may use the FQDN returned
> from a DNS CNAME lookup as the FQDN for the purposes of domain validation”)
>
> 4)     CNAME causes resolution to example.net.
>
> 5)     Example.net is verified under step 1, permitting issuance of the
> certificate
>
>
>
>
>
>
>
> *From:* Ryan Sleevi [mailto:sleevi at google.com]
> *Sent:* Friday, September 2, 2016 5:12 PM
> *To:* Jeremy Rowley <jeremy.rowley at digicert.com>
> *Cc:* Peter Bowen <pzb at amzn.com>; public at cabforum.org
>
> *Subject:* Re: [cabfpub] CNAME-based validation
>
>
>
> Right, and I'm not sure that (2) sufficiently establishes that example.com
> is authorizing the request, given wildcards.
>
>
>
> I think this would be a similar concern with, say, following HTTP open
> redirects and saying a "200 OK" code authorizes the request - wellllll, not
> really.
>
>
>
> I'm curious if you could expand more why you believe other methods would
> permit a cert to be issued in the presence of this Wildcard DNS.
>
>
>
> As a concrete example:
>
> example.com A [my host]
>
> *.example.com CNAME example.net
>
> shop.example.com CNAME paymentprovider.example.org
>
>
>
> Under this scenario, could you explain what ways that the [<rnd>.
> example.com] would be able to issue a cert for either example.com or
> shop.example.com ? Perhaps I'm just missing the implications of the
> existing validation methods.
>
>
>
>
>
>
>
>
>
> On Fri, Sep 2, 2016 at 3:33 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
> wrote:
>
> Yes. Those are the two steps I am proposing.
>
> -----Original Message-----
> From: Peter Bowen [mailto:pzb at amzn.com]
> Sent: Friday, September 2, 2016 4:31 PM
> To: Jeremy Rowley <jeremy.rowley at digicert.com>
>
> Cc: Ryan Sleevi <sleevi at google.com>; public at cabforum.org
> Subject: Re: [cabfpub] CNAME-based validation
>
> I think you are talking about two different things.
>
> Ryan is concerned that a customer has an existing record that is “*.
> example.com CNAME vanityblogs.example.net”.  If you say “if you can make
> a record show up at _309654fddb59444d8efd6d2cc98881d5.example.com you are
> validated” that is bad.  Instead, you are proposing a two prong validation
> test:
>
> 1) Confirm control of vanityblogs.example.net.
> 2) Make _309654fddb59444d8efd6d2cc98881d5.example.com point to
> vanityblogs.example.net.
>
> You are proposing that passing these both would confirm control of
> example.com, right?  And this would allow getting a certificate for
> shop.example.com, correct?
>
> Thanks,
> Peter
>
> > On Sep 2, 2016, at 3:25 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
> wrote:
> >
> > We are talking about the same thing (wildcard DNS records).
> >
> > Examples:
> >
> > sleevi.example.com CNAME vdomain.com
> > *.example.com CNAME vdomain.com
> > <rnd>.example.com CNAME vdomain.com
> >
> > The BRs permit verification of each of these by establishing control
> over vdomain.com (under the definition of authorization domain name).
> >
> > If *.example.com can be verified this way, what is different between
> verifying *.example.com and <rnd>.example.com to verify all sub domains
> of example.com? All the RND does is make it so the website doesn’t have
> to point to vdomain.com.
> >
> > Jeremy
> >
> > From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> > On Behalf Of Ryan Sleevi
> > Sent: Friday, September 2, 2016 4:05 PM
> > To: Jeremy Rowley <jeremy.rowley at digicert.com>
> > Cc: public at cabforum.org
> > Subject: Re: [cabfpub] CNAME-based validation
> >
> > Jeremy,
> >
> > Perhaps it wasn't clear, I wasn't speaking of wildcard certificates, but
> wildcard DNS rules, in which all requests for a given subdomain return a
> preconfigured record type. While for TXT and CAA records this is quite
> uncommon, it's exceedingly common to have CNAME records.
> >
> > That is, both <rnd>.example.com and sleevi.example.com may both CNAME
> to example.com, by virtue of of the host putting a rule of "*.example.com
> 3600 CNAME example.com"
> >
> > I am attempting to assert that placing the <rnd> in the subdomain is
> insufficient proof of authorization, and is meaningfully and tangibly
> different than the proof of control demonstrated in 3.2.2.4.7.
> >
> > As I read your wording, it suggests the following:
> > CA looks up <rnd>.example.com
> > <rnd>.example.com points to example.com CA sees it previously issued a
> > certificate for example.com using one of the other methods CA issues
> > certificate for <rnd>.example.com
> >
> > That concerns me.
> >
> > Peter's rewording suggests the inverse:
> > CA looks up _certvalidation.example.com _certvalidation.example.com
> > points (CNAMEs) to <rnd>.validation.[nameofca].com CA issues
> > certificate for example.com
> >
> > This is much less concerning.
> >
> > Could you help clarify which you intend, and for what names/purposes?
> >
> >
> > On Fri, Sep 2, 2016 at 2:52 PM, Jeremy Rowley <
> jeremy.rowley at digicert.com> wrote:
> > Wildcard domains are already allowed. We can verify Wildcard DNS because
> a CNAME for *.domain.com is pointing to a record previously verified.
> This verification method is permitted under the definition of Authorization
> Domain Name (where the FQDN returned by a CNAME lookup can be used to
> verify the requested FQDN). Although <rnd>.domain.com isn’t necessarily
> distinguishable from *.domain.com, the validation ends up being the same
> because either its considered an Authorized Domain Name (under the
> definition) or it was validated as a random value in this new method.
> >
> > For example:
> >
> > *.domain.com -> dcv.example.com (validated under the Authorized Domain
> > Name section) <rnd>.domain.com ->validation.example.com (validated
> > under this new section)
> >
> > Because each is validated properly, tracking which exact section was
> used in the validation isn’t necessary.
> >
> > Jeremy
> >
> > From: Ryan Sleevi [mailto:sleevi at google.com]
> > Sent: Friday, September 2, 2016 3:28 PM
> > To: Jeremy Rowley <jeremy.rowley at digicert.com>
> > Cc: public at cabforum.org
> > Subject: Re: [cabfpub] CNAME-based validation
> >
> >
> > _______________________________________________
> > Public mailing list
> > Public at cabforum.org
> > https://cabforum.org/mailman/listinfo/public
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160902/af1c59f0/attachment-0003.html>

More information about the Public mailing list