[Servercert-wg] Ballot SC 13 version 3

Ryan Sleevi sleevi at google.com
Wed Nov 28 13:25:21 MST 2018


On Wed, Nov 28, 2018 at 1:41 PM Tim Hollebeek <tim.hollebeek at digicert.com>
wrote:

> That matches my reading.  The question is how to say it.  That’s why I
> suggested “one of”, which I think captures the fact that the individual
> validation uses exactly one ADN from the potential ADNs.
>
>
>
> I’m open to other suggested text that says the same thing if you don’t
> think that’s clear.
>
>
>
> To be explicit, my problem with “the” is that it would need a qualifier to
> unambiguously identify that only one of a number of potential ADNs is
> being referred to.  E.g. “the chosen ADN” or “the ADN selected to validate
> the FQDN”.  Otherwise it is prone to misinterpretation.
>

Thanks! I think either of those would potentially minimize the confusion,
and helps clarify that the act of "performing" a validation is based on
selecting an ADN (out of the set of valid ADNs) for the FQDN, running the
steps, and seeing if you get a yes/no result.

The consequence of this means the following, which I think we're in
agreement, but explicitly stating (for the archives):
Given:
* An FQDN of "a.b.example.com"
* Where a.b.example.com has a TXT/CAA email association of "john at example.com"
* And b.example.com has a TXT/CAA email association of "jane at example.com"
* And example.com has no TXT/CAA email association

Then:
* The valid ADNs are "a.b.example.com", "b.example.com", and "example.com"
* The act of performing validation is done by selecting one of those ADNs
and performing a validation method for a given FQDN & ADN

You MAY:
* Send an email to john at example.com with Random Value 1 (and an ADN of "a.b.example.com")
* Send an email to jane at example.com with Random Value 2 (and an ADN of "b.example.com")

You MUST NOT:
* Send an email to john at example.com AND jane at example.com with Random Value 3
  * This is because the email address associated with each ADN is different.

That is, the Random Value sent to John MUST be different than the Random
Value sent to Jane and you MUST NOT send the same email/Random Value to
both addresses.
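
The scenario above as a runnable sketch, added here as an example; it is not part of the original message and not any CA's code. The function names, the `CONTACTS` table and the explicit `base_domain` parameter are assumptions made for illustration, and the `audit` function flags the two MUST NOT cases (mixed recipients, reused Random Value).

```python
import secrets

# Constructed data for the scenario above ("at" written as "@").
# example.com deliberately has no TXT/CAA email contact.
CONTACTS = {
    "a.b.example.com": ["john@example.com"],
    "b.example.com": ["jane@example.com"],
}

def candidate_adns(fqdn, base_domain):
    """ADNs reachable by pruning labels left to right, down to base_domain."""
    if fqdn != base_domain and not fqdn.endswith("." + base_domain):
        raise ValueError(f"{fqdn} is not under {base_domain}")
    adns = [fqdn]
    while adns[-1] != base_domain:
        adns.append(adns[-1].split(".", 1)[1])
    return adns

def build_validation_email(fqdn, adn, base_domain, contacts=CONTACTS):
    """One validation = one selected ADN, its contacts only, a fresh Random Value."""
    if adn not in candidate_adns(fqdn, base_domain):
        raise ValueError(f"{adn} is not a valid ADN for {fqdn}")
    recipients = contacts.get(adn, [])
    if not recipients:
        raise LookupError(f"no email contact published for {adn}")
    return {"fqdn": fqdn, "adn": adn, "to": list(recipients),
            "random_value": secrets.token_hex(16)}  # 128 random bits

def audit(messages, contacts=CONTACTS):
    """Return findings for outgoing mails that break the MUST NOT above."""
    findings, seen = [], {}
    for m in messages:
        # Every recipient must be a contact of the single ADN selected.
        extra = sorted(set(m["to"]) - set(contacts.get(m["adn"], [])))
        if extra:
            findings.append(f"{m['random_value']}: {extra} not a contact of {m['adn']}")
        # A Random Value must never be shared between two ADNs.
        first_adn = seen.setdefault(m["random_value"], m["adn"])
        if first_adn != m["adn"]:
            findings.append(f"{m['random_value']}: reused for {first_adn} and {m['adn']}")
    return findings

if __name__ == "__main__":
    fqdn, base = "a.b.example.com", "example.com"
    ok = [build_validation_email(fqdn, a, base) for a in ("a.b.example.com", "b.example.com")]
    bad = {"fqdn": fqdn, "adn": "a.b.example.com", "random_value": "rv3",
           "to": ["john@example.com", "jane@example.com"]}
    print(audit(ok), audit([bad]))
```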