[Servercert-wg] Ballot SC4 - email and CAA CONTACT
Wayne Thayer
wthayer at mozilla.com
Fri Aug 3 10:48:04 MST 2018
I understood that my comment on the phrase "domain being validated" in the
appendix would be addressed in this ballot?
On Fri, Aug 3, 2018 at 9:19 AM Tim Hollebeek via Servercert-wg <
servercert-wg at cabforum.org> wrote:
> I expect the email address would be the entirety of the RDATA for the RR,
> with no additional formatting. I can make that explicit if you think it
> would be helpful.
>
>
>
> -Tim
>
>
>
> *From:* Corey Bonnell <CBonnell at trustwave.com>
> *Sent:* Friday, August 3, 2018 12:04 PM
> *To:* Tim Hollebeek <tim.hollebeek at digicert.com>; CA/B Forum Server
> Certificate WG Public Discussion List <servercert-wg at cabforum.org>;
> CA/Browser Forum Public Discussion List <public at cabforum.org>
> *Subject:* Re: [Servercert-wg] Ballot SC4 - email and CAA CONTACT
>
>
>
> Hi Tim,
>
> Can you provide an example of how a TXT record would be formatted to
> convey the email address (as was done for the CAA records)? It’s not clear
> to me based on the description given.
>
>
>
> Thanks,
>
>
>
> *Corey Bonnell*
>
> Senior Software Engineer
>
>
>
> *Trustwave* | SMART SECURITY ON DEMAND
> https://www.trustwave.com <http://www.trustwave.com/>
>
>
>
> *From: *Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf of
> Tim Hollebeek via Servercert-wg <servercert-wg at cabforum.org>
> *Reply-To: *Tim Hollebeek <tim.hollebeek at digicert.com>, CA/B Forum Server
> Certificate WG Public Discussion List <servercert-wg at cabforum.org>
> *Date: *Friday, August 3, 2018 at 11:50 AM
> *To: *CA/Browser Forum Public Discussion List <public at cabforum.org>, "
> servercert-wg at cabforum.org" <servercert-wg at cabforum.org>
> *Subject: *[Servercert-wg] Ballot SC4 - email and CAA CONTACT
>
>
>
>
>
> Ballot SC4: CAA Contact Property and Associated E-mail Validation Methods
>
> Purpose of Ballot: Increasingly, contact information is not available in
> WHOIS due to concerns about potential GDPR violations. This ballot
> specifies a method by which domain holders can publish their contact
> information via DNS, and how CAs can use that information for validating
> domain control.
>
> The following motion has been proposed by Tim Hollebeek of DigiCert and
> endorsed by Bruce Morton of Entrust and Doug Beattie of GlobalSign.
>
> --- MOTION BEGINS ---
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” as follows, based on Version
> 1.6.0:
>
> Add Section 3.2.2.4.13: Domain Owner Email in CAA
>
> Confirm the Applicant's control over the FQDN by (i) sending an email to a
> DNS domain name holder, (ii) including a Random Value in the email, and
> (iii) receiving a confirming response utilizing the Random Value. The CA
> MUST send the email to an email address found in the CAA Contact property
> record of the Authorization Domain Name as defined in Appendix B.
>
>
>
> Each email MAY confirm control of multiple FQDNs, provided the email
> address used is a DNS contact email address for each ADN being validated.
>
>
>
> The Random Value SHALL be unique in each email. The email MAY be re-sent
> in its entirety, including the re-use of the Random Value, provided that
> its entire contents and recipient SHALL remain unchanged. The Random Value
> SHALL remain valid for use in a confirming response for no more than 30
> days from its creation. The CPS MAY specify a shorter validity period for
> Random Values.
>
>
>
> Note: Once the FQDN has been validated using this method, the CA MAY also
> issue Certificates for other FQDNs that end with all the labels of the
> validated FQDN. This method is suitable for validating Wildcard Domain
> Names.
>
> Add Section 3.2.2.4.14: Domain Owner Email published in TXT record
>
>
>
> Confirm the Applicant's control over the FQDN by (i) sending an email to a
> DNS domain name holder, (ii) including a Random Value in the email, and
> (iii) receiving a confirming response utilizing the Random Value. The CA
> MUST send the email to an email address found in the DNS TXT record of the
> Authorization Domain Name in the format defined in Appendix B.
>
>
>
> Each email MAY confirm control of multiple FQDNs, provided the email
> address used is a DNS contact email address for each ADN being validated.
>
> The Random Value SHALL be unique in each email. The email MAY be re-sent
> in its entirety, including the re-use of the Random Value, provided that
> its entire contents and recipient SHALL remain unchanged. The Random Value
> SHALL remain valid for use in a confirming response for no more than 30
> days from its creation. The CPS MAY specify a shorter validity period for
> Random Values.
>
>
>
> Note: Once the FQDN has been validated using this method, the CA MAY also
> issue Certificates for other FQDNs that end with all the labels of the
> validated FQDN. This method is suitable for validating Wildcard Domain
> Names.
>
>
>
> Add Appendix B: CAA Contact Tag
>
> The syntax for the contact property is similar to the iodef property. It
> allows domain owners to publish contact information in DNS in addition to
> WHOIS for the purpose of validating domain control.
>
> CAA contact Property
>
>
>
> contact <URL> : The contact property entry specifies the authorized means
> of contacting the holder of the domain or another party who is authorized
> to approve issuance of certificates for the domain.
>
>
>
> The contact property specifies a means of contacting the domain holder, or
> another party that is authorized to approve issuance of certificates for
> the domain in question.
>
> The contact property takes a URL as its parameter. The following URL
> scheme type SHOULD be implemented:
>
> mailto: An SMTP email address where the domain holder or other authorized
> party can be contacted.
>
>
>
> Schemes other than "mailto:" MUST NOT be used.
>
>
>
> The following is an example where the holder of the domain specified the
> contact property using an email address.
>
>
>
> $ORIGIN example.com
> <http://scanmail.trustwave.com/?c=4062&d=rfnk28lbSPhWC4h7ghzRbUm0O2r_iB1ji9mEi2rn9g&s=5&u=http%3a%2f%2fexample%2ecom>
>
> . CAA 0 issue “ca.example.net”
>
> . CAA 0 contact “mailto:domainowner at example.com
> <domainowner at example.com>”
>
>
>
> Support for Legacy Systems
>
>
>
> Some systems still do not have sufficient support for CAA records. To
> allow users of those systems to specify contact information, a legacy
> format using text records is allowed.
>
>
>
> The DNS TXT record MUST be placed on the "_caa_contact" subdomain of the
> domain being validated. The DNS record MUST be named
> "domain-authorization-email". The value of "domain-authorization-email"
> MUST contain a valid email address, or it cannot be used.
>
>
>
> --- MOTION ENDS ---
>
> *** WARNING ***: USE AT YOUR OWN RISK. THE REDLINE BELOW IS NOT THE
> OFFICIAL VERSION OF THE CHANGES (CABF Bylaws, Section 2.4(a)):
>
>
>
> A comparison of the changes can be found at:
> https://github.com/cabforum/documents/compare/Ballot-SC4---CAA-CONTACT-email?diff=unified&expand=1
> <https://scanmail.trustwave.com/?c=4062&d=rfnk28lbSPhWC4h7ghzRbUm0O2r_iB1ji4qIgT_i8A&s=5&u=https%3a%2f%2fgithub%2ecom%2fcabforum%2fdocuments%2fcompare%2fBallot-SC4---CAA-CONTACT-email%3fdiff%3dunified%26amp%3bexpand%3d1>
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
> Start Time: 2018-08-03 11:50 Eastern
>
> End Time: Not before 2018-08-10 11:50 Eastern
>
> Vote for approval (7 days)
>
> Start Time: TBD
>
> End Time: TBD
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> http://cabforum.org/mailman/listinfo/servercert-wg
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20180803/14b165ea/attachment.html>
More information about the Servercert-wg
mailing list