[Servercert-wg] Voting Begins: SC13 version 5: CAA Contact Property and Associated E-mail Validation Methods
Wayne Thayer
wthayer at mozilla.com
Thu Dec 20 16:37:52 MST 2018
Mozilla votes Yes on ballot SC13.
- Wayne
On Mon, Dec 17, 2018 at 4:55 PM Tim Hollebeek via Servercert-wg <
servercert-wg at cabforum.org> wrote:
>
> Ballot SC13: CAA Contact Property and Associated E-mail Validation Methods
>
> Purpose of Ballot: Increasingly, contact information is not available in
> WHOIS due to concerns about potential GDPR violations. This ballot
> specifies a method by which domain holders can publish their contact
> information via DNS, and how CAs can use that information for validating
> domain control.
>
> The following motion has been proposed by Tim Hollebeek of DigiCert and
> endorsed by Bruce Morton of Entrust and Doug Beattie of GlobalSign.
>
> --- MOTION BEGINS ---
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” as follows, based on Version
> 1.6.0:
>
> Add the following definitions to section 1.6.1:
>
> DNS CAA Email Contact: The email address defined in section B.1.2.
>
> DNS TXT Record Email Contact: The email address defined in section B.2.2.
>
> Add Section 3.2.2.4.13: Email to DNS CAA Contact
>
> Confirming the Applicant's control over the FQDN by sending a Random Value
> via email and then receiving a confirming response utilizing the Random
> Value. The Random Value MUST be sent to a DNS CAA Email Contact. The
> relevant CAA Resource Record Set MUST be found using the search algorithm
> defined in RFC 6844 Section 4, as amended by Errata 5065 (Appendix A).
>
> Each email MAY confirm control of multiple FQDNs, provided that each email
> address is a DNS CAA Email Contact for each Authorization Domain Name being
> validated. The same email MAY be sent to multiple recipients as long as
> all recipients are DNS CAA Email Contacts for each Authorization Domain
> Name being validated.
>
> The Random Value SHALL be unique in each email. The email MAY be re-sent
> in its entirety, including the re-use of the Random Value, provided that
> its entire contents and recipient(s) SHALL remain unchanged. The Random
> Value SHALL remain valid for use in a confirming response for no more than
> 30 days from its creation. The CPS MAY specify a shorter validity period
> for Random Values.
>
> Note: Once the FQDN has been validated using this method, the CA MAY also
> issue Certificates for other FQDNs that end with all the labels of the
> validated FQDN. This method is suitable for validating Wildcard Domain
> Names.
>
> Add Section 3.2.2.4.14: Email to DNS TXT Contact
>
> Confirming the Applicant's control over the FQDN by sending a Random Value
> via email and then receiving a confirming response utilizing the Random
> Value. The Random Value MUST be sent to a DNS TXT Record Email Contact for
> the Authorization Domain Name selected to validate the FQDN.
>
> Each email MAY confirm control of multiple FQDNs, provided that each email
> address is a DNS TXT Record Email Contact for each Authorization Domain Name
> being validated. The same email MAY be sent to multiple recipients as long
> as all recipients are DNS TXT Record Email Contacts for each Authorization
> Domain Name being validated.
>
> The Random Value SHALL be unique in each email. The email MAY be re-sent
> in its entirety, including the re-use of the Random Value, provided that
> its entire contents and recipient(s) SHALL remain unchanged. The Random
> Value SHALL remain valid for use in a confirming response for no more than
> 30 days from its creation. The CPS MAY specify a shorter validity period
> for Random Values.
>
> Note: Once the FQDN has been validated using this method, the CA MAY also
> issue Certificates for other FQDNs that end with all the labels of the
> validated FQDN. This method is suitable for validating Wildcard Domain
> Names.
>
> Add Appendix B: DNS Contact Properties
>
> These methods allow domain owners to publish contact information in DNS
> for the purpose of validating domain control.
>
> B.1. CAA Methods
>
> B.1.1. CAA contactemail Property
>
> SYNTAX: contactemail <rfc6532emailaddress>
>
> The CAA contactemail property takes an email address as its parameter.
> The entire parameter value MUST be a valid email address as defined in RFC
> 6532 section 3.2, with no additional padding or structure, or it cannot be
> used.
>
> The following is an example where the holder of the domain specified the
> contact property using an email address.
>
> $ORIGIN example.com.
> CAA 0 contactemail "domainowner@example.com"
>
> The contactemail property MAY be critical, if the domain owner does not
> want CAs who do not understand it to issue certificates for the domain.
>
> B.2. DNS TXT Methods
>
> B.2.1. DNS TXT Record Email Contact
>
> The DNS TXT record MUST be placed on the "_validation-contactemail"
> subdomain of the domain being validated. The entire RDATA value of this
> TXT record MUST be a valid email address as defined in RFC 6532 section
> 3.2, with no additional padding or structure, or it cannot be used.
>
> --- MOTION ENDS ---
>
> *** WARNING ***: USE AT YOUR OWN RISK. THE REDLINE BELOW IS NOT THE
> OFFICIAL VERSION OF THE CHANGES (CABF Bylaws, Section 2.4(a)):
>
> A comparison of the changes can be found at:
> https://github.com/cabforum/documents/compare/Ballot-SC4---CAA-CONTACT-email?diff=unified&expand=1
>
> The changes between version 5 and version 4 are here:
>
> https://github.com/cabforum/documents/commit/92dd4a3a9afa38e9abf6765eb19e27508663ae61
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
> Start Time: 2018-12-10 17:30 Eastern
>
> End Time: Not before 2018-12-17 17:30 Eastern
>
> Vote for approval (7 days)
>
> Start Time: 2018-12-17 19:00 Eastern
>
> End Time: 2018-12-24 19:00 Eastern
>