[Servercert-wg] Ballot SC 13 version 3

Ryan Sleevi sleevi at google.com
Tue Dec 4 12:39:34 MST 2018

On Tue, Dec 4, 2018 at 2:27 PM Doug Beattie <doug.beattie at globalsign.com>

> I was out last week, so sorry for not commenting.
>    1. There is only one ADN per validation, but there may be multiple
>    ADNs candidates for any specified FQDN.  There are 2 in Ryan’s example and
>    a CA might let the user select which one they want to use per FQDN.
> Correct

>    1.
>    2. The validation done on the ADN is reusable (per the note) for other
>    domain validations for that Applicant.
> Correct, provided both domains "choose" (CA or Applicant) the same ADN,
then one can reuse the validation of the ADN from the first FQDN as
validation of the ADN for the second FQDN.

>    1.
>    2. There is no relationship or processing of issue or issuewild CAA
>    records when performing domain validation defined in method 13 or 14.
> No, not correct. The algorithm is defined in terms of RFC 6844 (as amended
...), Section 4. This is intentionally to avoid this misinterpretation. If
there is a CAA record present, and has any property tag - which would
include issue, issuewild, *as well as* iodef and any subsequently
introduced properties - then that constitutes the CAA record set

If we assume the following:
$ORIGIN example.com
. CAA 0 contactemail "domainowner at example.com"
subdomain CAA 0 issue "ca.example.net"

* Verifying FQDN "subdomain.example.com" with an ADN of "

* Verifying FQDN "subdomain.example.com" with an ADN of "example.com"
* Verifying FQDN "example.com" with an ADN of "example.com"

The reason why the ADN of "subdomain.example.com" is NOT PERMITTED is
because CAA("subdomain.example.com"), as defined in Section 4, returns only
"issue" property, and thus lacks contact email.
However, as shown by PERMITTED, you "work around" this by using the ADN of

This may seem a little counter-intuitive, but it ensures there is one
uniform approach for looking up CAA records, as defined in the RFC. For
this specific case (contactemail), because it's being used in verification,
the CA can "work around" the limitation by choosing the ADN. This is,
however, no different from any of our other approaches to validating domain
control - if a method fails for a given ADN (for example, no WHOIS service
for 'subdomain.example.com'), then you can continue walking up to try other

Does that make sense?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20181204/f778d2f4/attachment.html>

More information about the Servercert-wg mailing list