[Servercert-wg] Voting Begins: SC13 version 5: CAA Contact Property and Associated E-mail Validation Methods

Adriano Santoni adriano.santoni at staff.aruba.it
Tue Dec 18 23:26:04 MST 2018


Actalis votes 'yes'.

On 18/12/2018 00:55, Tim Hollebeek via Servercert-wg wrote:
>
> Ballot SC13: CAA Contact Property and Associated E-mail Validation Methods
>
> Purpose of Ballot: Increasingly, contact information is not available 
> in WHOIS due to concerns about potential GDPR violations. This ballot 
> specifies a method by which domain holders can publish their contact 
> information via DNS, and how CAs can use that information for 
> validating domain control.
>
> The following motion has been proposed by Tim Hollebeek of DigiCert 
> and endorsed by Bruce Morton of Entrust and Doug Beattie of GlobalSign.
>
> --- MOTION BEGINS ---
>
> This ballot modifies the “Baseline Requirements for the Issuance and 
> Management of Publicly-Trusted Certificates” as follows, based on 
> Version 1.6.0:
>
> Add the following definitions to section 1.6.1:
>
> DNS CAA Email Contact: The email address defined in section B.1.2.
>
> DNS TXT Record Email Contact: The email address defined in section B.2.2.
>
> Add Section 3.2.2.4.13: Email to DNS CAA Contact
>
> Confirming the Applicant's control over the FQDN by sending a Random 
> Value via email and then receiving a confirming response utilizing the 
> Random Value. The Random Value MUST be sent to a DNS CAA Email 
> Contact.  The relevant CAA Resource Record Set MUST be found using the 
> search algorithm defined in RFC 6844 Section 4, as amended by Errata 
> 5065 (Appendix A).
>
> Each email MAY confirm control of multiple FQDNs, provided that each 
> email address is a DNS CAA Email Contact for each Authorization Domain 
> Name being validated.  The same email MAY be sent to multiple 
> recipients as long as all recipients are DNS CAA Email Contacts for 
> each Authorization Domain Name being validated.
>
> The Random Value SHALL be unique in each email. The email MAY be 
> re-sent in its entirety, including the re-use of the Random Value, 
> provided that its entire contents and recipient(s) SHALL remain 
> unchanged. The Random Value SHALL remain valid for use in a confirming 
> response for no more than 30 days from its creation. The CPS MAY 
> specify a shorter validity period for Random Values.
>
> Note: Once the FQDN has been validated using this method, the CA MAY 
> also issue Certificates for other FQDNs that end with all the labels 
> of the validated FQDN. This method is suitable for validating Wildcard 
> Domain Names.
>
> Add Section 3.2.2.4.14: Email to DNS TXT Contact
>
> Confirming the Applicant's control over the FQDN by sending a Random 
> Value via email and then receiving a confirming response utilizing the 
> Random Value. The Random Value MUST be sent to a DNS TXT Record Email 
> Contact for the Authorization Domain Name selected to validate the FQDN.
>
> Each email MAY confirm control of multiple FQDNs, provided that each 
> email address is a DNS TXT Record Email Contact for each Authorization 
> Domain Name being validated.  The same email MAY be sent to multiple 
> recipients as long as all recipients are DNS TXT Record Email Contacts 
> for each Authorization Domain Name being validated.
>
> The Random Value SHALL be unique in each email. The email MAY be 
> re-sent in its entirety, including the re-use of the Random Value, 
> provided that its entire contents and recipient(s) SHALL remain 
> unchanged. The Random Value SHALL remain valid for use in a confirming 
> response for no more than 30 days from its creation. The CPS MAY 
> specify a shorter validity period for Random Values.
>
> Note: Once the FQDN has been validated using this method, the CA MAY 
> also issue Certificates for other FQDNs that end with all the labels 
> of the validated FQDN. This method is suitable for validating Wildcard 
> Domain Names.
>
> Add Appendix B: DNS Contact Properties
>
> These methods allow domain owners to publish contact information in 
> DNS for the purpose of validating domain control.
>
> B.1. CAA Methods
>
> B.1.1. CAA contactemail Property
>
> SYNTAX: contactemail <rfc6532emailaddress>
>
> The CAA contactemail property takes an email address as its 
> parameter.  The entire parameter value MUST be a valid email address 
> as defined in RFC 6532 section 3.2, with no additional padding or 
> structure, or it cannot be used.
>
> The following is an example where the holder of the domain specified 
> the contact property using an email address.
>
> $ORIGIN example.com.
>
> CAA 0 contactemail "domainowner@example.com"
>
> The contactemail property MAY be critical, if the domain owner does 
> not want CAs who do not understand it to issue certificates for the 
> domain.
>
> B.2. DNS TXT Methods
>
> B.2.1. DNS TXT Record Email Contact
>
> The DNS TXT record MUST be placed on the "_validation-contactemail" 
> subdomain of the domain being validated.  The entire RDATA value of 
> this TXT record MUST be a valid email address as defined in RFC 6532 
> section 3.2, with no additional padding or structure, or it cannot be 
> used.
>
> --- MOTION ENDS ---
>
> *** WARNING ***: USE AT YOUR OWN RISK.  THE REDLINE BELOW IS NOT THE 
> OFFICIAL VERSION OF THE CHANGES (CABF Bylaws, Section 2.4(a)):
>
> A comparison of the changes can be found at: 
> https://github.com/cabforum/documents/compare/Ballot-SC4---CAA-CONTACT-email?diff=unified&expand=1
>
> The changes between version 5 and version 4 are here:
>
> https://github.com/cabforum/documents/commit/92dd4a3a9afa38e9abf6765eb19e27508663ae61
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
> Start Time: 2018-12-10 17:30 Eastern
>
> End Time: Not before 2018-12-17 17:30 Eastern
>
> Vote for approval (7 days)
>
> Start Time: 2018-12-17 19:00 Eastern
>
> End Time: 2018-12-24 19:00 Eastern
>
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> http://cabforum.org/mailman/listinfo/servercert-wg
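As an added example (not part of the ballot or of this thread), the CA-side checks the quoted motion specifies, in Python: the RFC 6844 Section 4 record search as amended by Errata 5065 (use CAA(X) if non-empty, else the parent's relevant set, stopping at the top-level label), the "entire value is an email address, no padding" rule for both the contactemail property and the _validation-contactemail TXT record, the rule that every recipient must be a contact for every Authorization Domain Name, and the 30-day Random Value limit. The in-memory ZONE, lookup() and is_email() are constructed assumptions; is_email() is a simplified stand-in for the RFC 6532 section 3.2 grammar, not a full parser.

```python
"""CA-side checks for Ballot SC13's DNS-published contacts (added example,
not CA/Browser Forum or DigiCert code). DNS answers come from a constructed
in-memory table; caa_rrset() implements the Errata 5065 parent-walk."""
import datetime as dt

# Constructed zone data: owner name -> list of (rtype, rdata) tuples.
# CAA rdata is modelled as (flags, tag, value).
ZONE = {
    "example.com.": [("CAA", (0, "contactemail", "domainowner@example.com")),
                     ("CAA", (0, "issue", "ca.example.net"))],
    "_validation-contactemail.example.com.": [("TXT", "hostmaster@example.com")],
    "padded.example.": [("CAA", (0, "contactemail", " admin@padded.example "))],
    "_validation-contactemail.padded.example.": [("TXT", "not an address")],
}

def lookup(name, rtype):
    return [v for t, v in ZONE.get(name, []) if t == rtype]

def is_email(s):
    # Simplified stand-in for RFC 6532 s.3.2: exactly one '@', non-empty
    # halves, no surrounding padding, whitespace, brackets or control chars.
    if s != s.strip() or any(c.isspace() or c in "<>" or ord(c) < 32 for c in s):
        return False
    local, sep, domain = s.partition("@")
    return bool(sep and local and domain and "@" not in domain)

def caa_rrset(fqdn):
    # RFC 6844 s.4 as amended by Errata 5065: R(X) = CAA(X) if non-empty,
    # otherwise R(P(X)); the walk ends after querying the top-level label.
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrs = lookup(".".join(labels[i:]) + ".", "CAA")
        if rrs:
            return rrs
    return []

def dns_caa_email_contacts(adn):
    # B.1.1: the whole property value must be an address; padded values are unusable.
    return [v for _flags, tag, v in caa_rrset(adn) if tag == "contactemail" and is_email(v)]

def dns_txt_email_contact(adn):
    # B.2.1: the entire RDATA of the _validation-contactemail TXT must be an address.
    vals = lookup("_validation-contactemail." + adn.rstrip(".") + ".", "TXT")
    return [v for v in vals if is_email(v)]

def recipients_permitted(recipients, adns, contacts_for):
    # 3.2.2.4.13 / 3.2.2.4.14: every recipient must be a contact for every ADN.
    return all(r in contacts_for(a) for r in recipients for a in adns)

def random_value_usable(created, now, cps_max_days=30):
    # A Random Value is valid for at most 30 days; the CPS may only shorten that.
    return now - created <= dt.timedelta(days=min(cps_max_days, 30))
```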