[cabfpub] Ballot 204: Forbid DTPs from doing Domain/IP Ownership Validation

Doug Beattie doug.beattie at globalsign.com
Thu Jul 6 09:06:33 MST 2017


Thanks Ryan, I just wanted to be sure there was no ambiguity being introduced.  I agree with your assessment.

Doug

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Thursday, July 6, 2017 11:54 AM
To: Doug Beattie <doug.beattie at globalsign.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Gervase Markham <gerv at mozilla.org>
Subject: Re: [cabfpub] Ballot 204: Forbid DTPs from doing Domain/IP Ownership Validation



On Thu, Jul 6, 2017 at 11:43 AM, Doug Beattie via Public <public at cabforum.org> wrote:
Gerv,

I realize I just missed the review period, but I wanted to ask a question anyway.

Regarding this statement:

"The CA SHALL confirm that, as of the date the Certificate issues, the CA has validated each Fully‐Qualified Domain Name (FQDN) listed in the Certificate using at least one of the methods listed below, or is within the Domain Namespace of a Fully-Qualified Domain Name (FQDN) that has been validated using at least one of the methods listed below (not including the method defined in section 3.2.2.4.8)."

Is this a valid example:

- The Applicant requests the FQDN of shop.example.com

- The CA validates example.com (a valid Authorization Domain Name) and approves the FQDN of www.example.com

- The Applicant requests the FQDN of www.example.com

- Since the CA validated example.com, then www.example.com can be issued

The reason I ask is that the FQDN of example.com was never requested, so technically it may not be a value that can be re-used (perhaps only the FQDNs that were previously requested can be reused, and since this was never specifically requested maybe it can't be reused).  I hope it can be reused as in the example above, and as long as we all agree on the interpretation, I'm comfortable voting for the ballot.

Doug

Thanks for raising this question, Doug.

For context, the current BRs for that section read:

"The CA SHALL confirm that, as of the date the Certificate issues, either the CA or a Delegated Third Party has validated each Fully‐Qualified Domain Name (FQDN) listed in the Certificate using at least one of the methods listed below. "

Gerv's additional clause (of the "or") does not normatively add or remove capabilities, since the language of the text (with respect to "Authorization Domain Name") means that all methods supporting an ADN (or Base Domain Name) meet the first criteria, which is all of them.

On this basis, when the Applicant requests the FQDN of shop.example.com, and the CA validates using an ADN, they are entitled to approve www.example.com. Further, the data or documents used to validate the ADN can be reused for subsequent validations, pursuant with the "Completed confirmations of Applicant authority", as "example.com" has a completed confirmation of Applicant authority for that ADN.

Subsequently, for as long as that method remains within the BRs, it's possible to reuse that "Authorization Domain Name authority" to issue additional certificates for subdomains, such as "www". In each case, the FQDN is being authorized using the "Completed confirmation" of the Authorization Domain Name, and the ADN was validated according to the (current, not previous) BRs.

If the BRs change how the ADN is validated, it would not necessarily constitute a "completed confirmation" - this is the ambiguity as to whether "initiated within the time period specified in the relevant requirement" retroactively grandfathers in previous validation methods (which CAs would prefer it does, and I would prefer it doesn't, for security reasons).

Hopefully this clarifies how the use of a completed confirmation of an ADN to subsequently validate an FQDN constitutes the CA having validated the FQDN, even though the ADN authorization was reused.
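The following is an added example (not code from the thread, the CA/Browser Forum, or any CA) that models the reuse logic the two messages discuss: a completed confirmation for an Authorization Domain Name authorizes issuance for any FQDN within that ADN's Domain Namespace, provided the confirmation is still within its reuse window and its method is still in the current BRs. The method identifiers, dates, and the 825-day reuse window are constructed assumptions for illustration; the only value taken from the ballot text is that method 3.2.2.4.8 does not extend to the Domain Namespace. The strict reading Ryan prefers (a retired method does not grandfather old confirmations) is modelled by passing the current set of permitted methods; a CA preferring the other reading would pass the set in force when the confirmation was completed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, Iterable, Optional

# Per the quoted ballot text, the method in section 3.2.2.4.8 does not extend to the
# Domain Namespace; a confirmation made with it covers only the exact name validated.
METHODS_WITHOUT_NAMESPACE_EXTENSION = frozenset({"3.2.2.4.8"})

# Assumed reuse window for illustration only; the real value comes from the BRs in force.
REUSE_WINDOW = timedelta(days=825)


@dataclass(frozen=True)
class CompletedConfirmation:
    """A 'completed confirmation of Applicant authority' for one Authorization Domain Name."""
    adn: str            # the ADN that was validated, e.g. "example.com"
    method: str         # BR section of the method used, e.g. "3.2.2.4.2" (assumed id)
    completed_on: date  # date the confirmation was completed


def labels(name: str) -> list:
    """Normalise a DNS name to a lowercase label list, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def in_domain_namespace(fqdn: str, adn: str) -> bool:
    """True if fqdn is the ADN itself or a subdomain of it.

    The comparison is label-wise on purpose: a plain string suffix match would wrongly
    accept 'notexample.com' as being within the namespace of 'example.com'."""
    f, a = labels(fqdn), labels(adn)
    return len(f) >= len(a) and f[-len(a):] == a


def authorizing_confirmation(fqdn: str,
                             confirmations: Iterable[CompletedConfirmation],
                             permitted_methods: FrozenSet[str],
                             issue_date: date,
                             reuse_window: timedelta = REUSE_WINDOW) -> Optional[CompletedConfirmation]:
    """Return the completed confirmation that authorizes issuing fqdn, or None.

    A confirmation qualifies only if its method is in permitted_methods (the methods the
    current BRs allow), the issue date falls inside the reuse window, and either the FQDN
    equals the validated ADN or it lies within the ADN's Domain Namespace and the method
    is one that extends to that namespace."""
    for c in confirmations:
        if c.method not in permitted_methods:
            continue  # method no longer (or never) permitted: not a valid confirmation
        if not (c.completed_on <= issue_date <= c.completed_on + reuse_window):
            continue  # outside the reuse window
        if labels(fqdn) == labels(c.adn):
            return c  # exact match is fine for every method
        if c.method in METHODS_WITHOUT_NAMESPACE_EXTENSION:
            continue  # this method authorizes only the exact name validated
        if in_domain_namespace(fqdn, c.adn):
            return c
    return None


# Constructed sample data: one ADN confirmed with a namespace-extending method and one
# confirmed with method 3.2.2.4.8, both completed before the ballot discussion.
SAMPLE_CONFIRMATIONS = (
    CompletedConfirmation("example.com", "3.2.2.4.2", date(2017, 7, 1)),
    CompletedConfirmation("example.net", "3.2.2.4.8", date(2017, 7, 1)),
)
PERMITTED_2017 = frozenset({"3.2.2.4.2", "3.2.2.4.8"})   # assumed current method set
PERMITTED_WITHOUT_METHOD_2 = frozenset({"3.2.2.4.8"})    # as if method 2 were retired
ISSUE_DATE_2017 = date(2017, 7, 6)
ISSUE_DATE_LATE = date(2020, 1, 1)   # well past the assumed reuse window
REQUESTED = ("www.example.com", "shop.example.com", "notexample.com",
             "example.net", "www.example.net")


def demo(issue_date: date = ISSUE_DATE_2017,
         permitted: FrozenSet[str] = PERMITTED_2017) -> Dict[str, Optional[str]]:
    """Map each requested FQDN to the ADN whose confirmation authorizes it (or None)."""
    out = {}
    for fqdn in REQUESTED:
        c = authorizing_confirmation(fqdn, SAMPLE_CONFIRMATIONS, permitted, issue_date)
        out[fqdn] = c.adn if c else None
    return out


if __name__ == "__main__":
    for fqdn, adn in demo().items():
        print(f"{fqdn:20s} -> {adn or 'NOT AUTHORIZED'}")
```

Running it shows www.example.com and shop.example.com both authorized by the example.com confirmation even though neither was ever requested on its own, notexample.com rejected by the label-wise check, and www.example.net rejected because its ADN was confirmed with the method that does not extend to the namespace.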