[cabfpub] Ballot 204: Forbid DTPs from doing Domain/IP Ownership Validation

Thu Jul 6 08:53:44 MST 2017

On Thu, Jul 6, 2017 at 11:43 AM, Doug Beattie via Public <
public at cabforum.org> wrote:

> Gerv,
>
>
>
> I realize I just missed the review period, but I wanted to ask a question
> anyway.
>
>
>
> Regarding this statement:
>
> "The CA SHALL confirm that, as of the date the Certificate issues, the CA has validated each Fully‐Qualified Domain Name (FQDN) listed in the Certificate using at least one of the methods listed below, or is within the Domain Namespace of a Fully-Qualified Domain Name (FQDN) that has been validated using at least one of the methods listed below (not including the method defined in section 3.2.2.4.8)."
>
>
>
> Is this a valid example:
>
> -        The Applicant requests the FQDN of shop.example.com
>
> -        The CA validates example.com (a valid Authorization Domain Name)
> and approves the FQDN of www.example.com
>
> -        The Applicant requests the FQDN of www.example.com
>
> -        Since the CA validated example.com, then www.example.com can be
> issued
>
>
>
> The reason I ask is that the FQDN of example.com was never requested, so
> technically it may not be a value that can be re-used (perhaps only the
> FQDNs that were previously requested can be reused and since this was never
> specifically requested maybe it can’t be reused).  I hope it can be reused
> as in the example above, and as long as we all agree on the interpretation,
> I’m comfortable voting for the ballot.
>
>
>
> Doug
>

Thanks for raising this question, Doug.

For context, the current BRs for that section read:

"The CA SHALL confirm that, as of the date the Certificate issues, either
the CA or a Delegated Third Party has validated each Fully‐Qualified Domain
Name (FQDN) listed in the Certificate using at least one of the methods
listed below. "

Gerv's additional clause (of the "or"), does not normatively add or remove
capabilities, since the language of the text (with respect to
"Authorization Domain Name") means that all methods supporting an ADN (or
Base Domain Name) meet the first criteria, which is all of them.

On this basis, when the Applicant requests the FQDN of shop.example.com,
and the CA validates using an ADN, they are entitled to approve
www.example.com. Further, the data or documents used to validate the ADN
can be reused for subsequent validations, pursuant with the "Completed
confirmations of Applicant authority", as "example.com" has a completed
confirmation of Applicant authority for that ADN.

Subsequently, for as long as that method remains within the BRs, it's
possible to reuse that "Authorization Domain Name authority" to issue
additional certificates for subdomains, such as "www". In each case, the
FQDN is being authorized using the "Completed confirmation" of the
Authorization Domain Name, and the ADN was validated according to the
(current, not previous) BRs.

If the BRs change how the ADN is validated, it would not necessarily
constitute a "completed confirmation" - this is the ambiguity as to whether
"initiated within the time period specified in the relevant requirement"
retroactively grandfathers in previous validation methods (which CAs would
prefer it does, and I would prefer it doesn't, for security reasons).

Hopefully this clarifies how the use of a completed confirmation of an ADN
to subsequently validate an FQDN constitutes the CA having the validated
the FQDN, even though the ADN authorization was reused.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170706/834d9c22/attachment.html>