[cabfpub] CNAME-based validation

Geoff Keating geoffk at apple.com
Sat Sep 3 01:55:55 UTC 2016


> On 2 Sep 2016, at 6:21 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> 
> Then I suppose I don't understand the objection. The subdomain will always be a random value provided by the CA. This is distinguishable from the case of .well-known. Are you suggesting there should be a DNS record similar to well-known? That would be a happy resolution for me. <rnd>.pki_validation.domain.com?

My point is that you can’t just say “this person could create a randomly named subdomain, therefore he must control the domain”, because there are known examples of domains where anyone can create a named subdomain if it’s not already taken.

I’m not making a suggestion for a solution because I don’t have a good one.  As far as I know there is not a DNS equivalent of /.well-known.  A solution would have to either be something that by chance already works, or would have to wait to be adopted by all affected domains.

> -----Original Message-----
> From: geoffk at apple.com [mailto:geoffk at apple.com] 
> Sent: Friday, September 2, 2016 7:15 PM
> To: Jeremy Rowley <jeremy.rowley at digicert.com>
> Cc: public at cabforum.org
> Subject: Re: [cabfpub] CNAME-based validation
> 
> Yes, in this case the random value is represented as ‘1023456789ABCDEF’.
> 
>> On 2 Sep. 2016, at 5:38 pm, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
>> 
>> In this case it must be a random value provided by the ca that is then used to create the sub domain. It must follow all other rules related to random values (valid only for 30 days, unique per message,etc)
>> 
>> On Sep 2, 2016, at 5:19 PM, Geoff Keating <geoffk at apple.com> wrote:
>> 
>>> 
>>>> On 2 Sep. 2016, at 2:26 pm, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
>>>> 
>>>> I realized after reviewing my proposal that it will require a new method under the domain validation section. Therefore, I’m proposing we add the following as a new permitted method for domain validation:
>>>> 
>>>> Add the following as Section 3.2.2.4.11:
>>>> 
>>>> Confirming the Applicant’s control over the requested FQDN by appending a Random Value or Request Token as a sub domain to an Authorization Domain Name and pointing the CNAME record of the created sub domain to a FQDN verified by the CA using one of methods permitted under Section 3.2.2.4
>>>> 
>>>> Looking for two endorsers.
>>> 
>>> I would be concerned about this for the case of domains that allow user-created subdomains.  For example, if the CA says I need to create 1023456789ABCDEF.github.com, I can probably just go do that.  We dealt with this for web sites by requiring they’d be under /.well-known.
>>> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3321 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160902/ead37682/attachment-0001.p7s>


More information about the Public mailing list