[Servercert-wg] [cabfpub] Voting Begins: SC13 version 5: CAA Contact Property and Associated E-mail Validation Methods

Ramiro Muñoz ramirom at camerfirma.com
Tue Dec 18 11:03:10 MST 2018


Camerfirma votes YES on Ballot SC13 version 5.

 

BR

Ramiro

 

 

	




Ramiro Muñoz Muñoz
CTO & Regulatory Standards. CISA. 


   +34 619746291


ramirom at camerfirma.com

		
	

 



This message, and if applicable, any file attached to it, may contain
CONFIDENTIAL information for the exclusive use of the recipient; its
disclosure, copying or distribution to third parties is prohibited. If you have
received this message in error, please notify the sender and delete it. In
accordance with the provisions of EU Regulation 2016/679 of April 27, 2016
(General Data Protection Regulation), you are informed that the company AC
CAMERFIRMA, S.A. will process the information you provide us with the sole
purpose of complying with the obligations derived from the commercial or
contractual relationship acquired with you, and that your data will not be
subject to any other processing or transfer to third parties except in cases
where there is a legal obligation. You have the right to obtain confirmation
about the processing of your personal data, and to exercise your rights of
access, rectification, deletion, limitation and portability, by contacting AC
CAMERFIRMA, S.A. by written communication sent to the address C/ Ribera del
Loira 12 (28042) Madrid, or to the legal address juridico at camerfirma.com, or
through the website http://webcrm.camerfirma.com/incidencias/incidencias.php

 

 

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Silva, Marcelo
via Public
Sent: Tuesday, 18 December 2018 17:50
To: CA/Browser Forum Public Discussion List <public at cabforum.org>;
servercert-wg at cabforum.org
Subject: Re: [cabfpub] Voting Begins: SC13 version 5: CAA Contact Property
and Associated E-mail Validation Methods

 

Visa votes Yes on Ballot SC13 version 5.

Thanks,

Marcelo

 

From: Public <public-bounces at cabforum.org> On Behalf Of Tim Hollebeek via Public
Sent: Monday, December 17, 2018 6:56 PM
To: servercert-wg at cabforum.org; CA/Browser Forum Public Discussion List
<public at cabforum.org>
Subject: [cabfpub] Voting Begins: SC13 version 5: CAA Contact Property and
Associated E-mail Validation Methods

 

 

Ballot SC13: CAA Contact Property and Associated E-mail Validation Methods

 

Purpose of Ballot: Increasingly, contact information is not available in
WHOIS due to concerns about potential GDPR violations.  This ballot
specifies a method by which domain holders can publish their contact
information via DNS, and how CAs can use that information for validating
domain control.

 

The following motion has been proposed by Tim Hollebeek of DigiCert and
endorsed by Bruce Morton of Entrust and Doug Beattie of GlobalSign.

 

--- MOTION BEGINS ---

This ballot modifies the “Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates” as follows, based on Version
1.6.0:

 

Add the following definitions to section 1.6.1:

 

DNS CAA Email Contact: The email address defined in section B.1.2.

 

DNS TXT Record Email Contact: The email address defined in section B.2.2.

 

Add Section 3.2.2.4.13: Email to DNS CAA Contact

 

Confirming the Applicant's control over the FQDN by sending a Random Value
via email and then receiving a confirming response utilizing the Random
Value. The Random Value MUST be sent to a DNS CAA Email Contact.  The
relevant CAA Resource Record Set MUST be found using the search algorithm
defined in RFC 6844 Section 4, as amended by Errata 5065 (Appendix A).

 

Each email MAY confirm control of multiple FQDNs, provided that each email
address is a DNS CAA Email Contact for each Authorization Domain Name being
validated.  The same email MAY be sent to multiple recipients as long as all
recipients are DNS CAA Email Contacts for each Authorization Domain Name
being validated.

 

The Random Value SHALL be unique in each email. The email MAY be re-sent in
its entirety, including the re-use of the Random Value, provided that its
entire contents and recipient(s) SHALL remain unchanged. The Random Value
SHALL remain valid for use in a confirming response for no more than 30 days
from its creation. The CPS MAY specify a shorter validity period for Random
Values.

 

Note: Once the FQDN has been validated using this method, the CA MAY also
issue Certificates for other FQDNs that end with all the labels of the
validated FQDN. This method is suitable for validating Wildcard Domain
Names.

 

Add Section 3.2.2.4.14: Email to DNS TXT Contact

 

Confirming the Applicant's control over the FQDN by sending a Random Value
via email and then receiving a confirming response utilizing the Random
Value. The Random Value MUST be sent to a DNS TXT Record Email Contact for
the Authorization Domain Name selected to validate the FQDN.

 

Each email MAY confirm control of multiple FQDNs, provided that each email
address is a DNS TXT Record Email Contact for each Authorization Domain Name
being validated.  The same email MAY be sent to multiple recipients as long
as all recipients are DNS TXT Record Email Contacts for each Authorization
Domain Name being validated.

 

The Random Value SHALL be unique in each email. The email MAY be re-sent in
its entirety, including the re-use of the Random Value, provided that its
entire contents and recipient(s) SHALL remain unchanged. The Random Value
SHALL remain valid for use in a confirming response for no more than 30 days
from its creation. The CPS MAY specify a shorter validity period for Random
Values.

 

Note: Once the FQDN has been validated using this method, the CA MAY also
issue Certificates for other FQDNs that end with all the labels of the
validated FQDN. This method is suitable for validating Wildcard Domain
Names.

 

Add Appendix B: DNS Contact Properties

 

These methods allow domain owners to publish contact information in DNS for
the purpose of validating domain control.

 

B.1. CAA Methods

 

B.1.1. CAA contactemail Property

 

SYNTAX: contactemail <rfc6532emailaddress> 

 

The CAA contactemail property takes an email address as its parameter.  The
entire parameter value MUST be a valid email address as defined in RFC 6532
section 3.2, with no additional padding or structure, or it cannot be used.

 

The following is an example where the holder of the domain specified the
contact property using an email address.

 

$ORIGIN example.com.
               CAA 0 contactemail "domainowner@example.com"

 

The contactemail property MAY be critical, if the domain owner does not want
CAs who do not understand it to issue certificates for the domain.

 

B.2. DNS TXT Methods

 

B.2.1. DNS TXT Record Email Contact

 

The DNS TXT record MUST be placed on the "_validation-contactemail"
subdomain of the domain being validated.  The entire RDATA value of this TXT
record MUST be a valid email address as defined in RFC 6532 section 3.2,
with no additional padding or structure, or it cannot be used.

 

--- MOTION ENDS ---

 

*** WARNING ***: USE AT YOUR OWN RISK.  THE REDLINE BELOW IS NOT THE
OFFICIAL VERSION OF THE CHANGES (CABF Bylaws, Section 2.4(a)):

 

A comparison of the changes can be found at:
https://github.com/cabforum/documents/compare/Ballot-SC4---CAA-CONTACT-email?diff=unified&expand=1

 

The changes between version 5 and version 4 are here:
https://github.com/cabforum/documents/commit/92dd4a3a9afa38e9abf6765eb19e27508663ae61

 

The procedure for approval of this ballot is as follows:

 

Discussion (7+ days)

 

Start Time: 2018-12-10 17:30 Eastern

 

End Time: Not before 2018-12-17 17:30 Eastern

 

Vote for approval (7 days)

 

Start Time: 2018-12-17 19:00 Eastern

 

End Time: 2018-12-24 19:00 Eastern
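The following is an added example, not part of the ballot, the thread, or any CA's validation code. It shows how a CA might locate the contacts the two proposed methods rely on: the relevant CAA RRset found by climbing parents per RFC 6844 section 4 as amended by erratum 5065 (with CNAMEs followed as in ordinary resolution), the contactemail property, the `_validation-contactemail` TXT record, the "entire value must be an email address, no padding or structure" rule from Appendix B, the multi-recipient rule from sections 3.2.2.4.13/14, and the RFC 6844 caveat that an unrecognised critical property blocks issuance. DNS is simulated by the in-memory `ZONE` table (constructed sample data, not a real snapshot); `KNOWN_TAGS`, the function names, and the deliberately stricter-than-RFC email check are this example's assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample zone data for this example (not a real DNS snapshot).
# owner name -> list of (rtype, rdata); CAA rdata is (flags, tag, value).
ZONE: Dict[str, List[Tuple[str, object]]] = {
    "example.com.": [
        ("CAA", (0, "issue", "ca.example.net")),
        ("CAA", (0, "contactemail", "domainowner@example.com")),
    ],
    "www.example.com.": [("CNAME", "example.com.")],        # alias, followed during lookup
    "deep.sub.example.com.": [("A", "192.0.2.10")],         # no CAA of its own: climb to parent
    "_validation-contactemail.example.com.": [("TXT", "hostmaster@example.com")],
    "_validation-contactemail.bad.example.com.": [("TXT", "mailto: hostmaster@example.com")],
    "other.example.": [("CAA", (128, "contactemail", "x@other.example"))],  # critical flag set
    "strict.example.": [("CAA", (128, "futureproperty", "?"))],            # critical, unknown tag
}

MAX_CNAME_HOPS = 8
KNOWN_TAGS = {"issue", "issuewild", "iodef", "contactemail"}  # tags this (hypothetical) CA understands
_ATEXT = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&'*+/=?^_`{|}~")


def lookup(name: str, rtype: str) -> list:
    """RDATA of `rtype` at `name`, following CNAMEs the way a resolver does."""
    owner = name.lower().rstrip(".") + "."
    for _ in range(MAX_CNAME_HOPS):
        rrs = ZONE.get(owner, [])
        data = [rd for rt, rd in rrs if rt == rtype]
        if data:
            return data
        cname = [rd for rt, rd in rrs if rt == "CNAME"]
        if not cname:
            return []
        owner = cname[0]
    return []  # CNAME loop or over-long chain: treat as no answer


def relevant_caa_set(fqdn: str) -> list:
    """RFC 6844 s.4 as amended by erratum 5065: the first non-empty CAA RRset at the
    name or at any ancestor, checked in order up to (but not including) the root."""
    labels = fqdn.lower().rstrip(".").split(".")
    while labels:
        caa = lookup(".".join(labels), "CAA")
        if caa:
            return caa
        labels = labels[1:]
    return []


def is_valid_contact_email(value: str) -> bool:
    """B.1.1 / B.2.1: the entire value must be an RFC 6532 addr-spec, no padding or extra
    structure. Stricter than the RFC grammar by assumption: quoted local parts and
    domain literals are rejected, and the domain must look like a host name."""
    if value != value.strip() or "@" not in value:
        return False
    local, _, domain = value.rpartition("@")
    if not local or not domain or "@" in local:
        return False
    local_ok = all(part and all(c in _ATEXT or ord(c) > 0x7F for c in part)
                   for part in local.split("."))  # dot-atom; UTF-8 allowed per RFC 6532
    labels = domain.split(".")
    domain_ok = len(labels) >= 2 and all(
        0 < len(lab) <= 63 and not lab.startswith("-") and not lab.endswith("-")
        and all(c.isalnum() or c == "-" for c in lab) for lab in labels)
    return local_ok and domain_ok


def caa_email_contacts(adn: str) -> List[str]:
    """DNS CAA Email Contacts for an Authorization Domain Name (3.2.2.4.13)."""
    return [v for flags, tag, v in relevant_caa_set(adn)
            if tag.lower() == "contactemail" and is_valid_contact_email(v)]


def blocking_critical_tags(adn: str) -> List[str]:
    """RFC 6844: a critical (flag 128) property the CA does not understand forbids issuance."""
    return [tag for flags, tag, _ in relevant_caa_set(adn)
            if flags & 128 and tag.lower() not in KNOWN_TAGS]


def txt_email_contacts(adn: str) -> List[str]:
    """DNS TXT Record Email Contacts at _validation-contactemail.<ADN> (3.2.2.4.14, B.2.1).
    Unlike CAA, nothing is inherited from parent names."""
    return [v for v in lookup("_validation-contactemail." + adn.rstrip("."), "TXT")
            if is_valid_contact_email(v)]


def recipients_authorized(recipients: List[str], adns: List[str], method: str = "caa") -> bool:
    """One e-mail may cover several FQDNs only if every recipient is a contact, by the
    same method, for every Authorization Domain Name being validated."""
    finder = caa_email_contacts if method == "caa" else txt_email_contacts
    return bool(recipients) and bool(adns) and all(
        r in finder(adn) for adn in adns for r in recipients)


if __name__ == "__main__":
    for name in ("www.example.com", "deep.sub.example.com", "bad.example.com", "strict.example"):
        print(name, caa_email_contacts(name), txt_email_contacts(name), blocking_critical_tags(name))
```

Two points the table is built to show: `www.example.com` is a CNAME, so its CAA set is the target's, while `deep.sub.example.com` has no CAA at all and inherits `example.com`'s; the TXT method has no such inheritance, so a contact published for `example.com` does not cover `deep.sub.example.com` unless that name is itself the Authorization Domain Name selected. The `bad.example.com` TXT value fails because of the `mailto:` prefix and space, which is exactly the "no additional padding or structure" clause.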

 

 
