[Servercert-wg] Ballot SC18 version 2: Phone Contact with DNS CAA Phone Contact

Wayne Thayer wthayer at mozilla.com
Mon Apr 15 13:54:27 MST 2019


Sorry, looks like my comment wasn't clear. My concern is with the statement
"...parameter value of the MUST...". Should it be "...parameter value of
the _____ MUST..."?

On Mon, Apr 15, 2019 at 1:46 PM Doug Beattie <doug.beattie at globalsign.com>
wrote:

> Wayne,
>
> The ballot appendix says: “The entire parameter value of the MUST be a
> valid Global Number as defined in RFC 3966 section 5.1.4, or it cannot be
> used. “
>
> RFC 3966 defines “Global number” as a “thing” in section 5.1.4 , but I
> might have messed up the reference:
>
> 5.1.4.  Global Numbers
>
>    Globally unique numbers are identified by the leading "+" character.
>    Global numbers MUST be composed with the country (CC) and national
>    (NSN) numbers as specified in E.123 [E.123] and E.164 [E.164].
>    Globally unique numbers are unambiguous everywhere in the world and
>    SHOULD be used.
>
> Is the reference too weak or broken?  I suppose I can include a definition
> in the BRs for “Global Number” so there is no confusion.
>
> Doug
>
> *From:* Wayne Thayer <wthayer at mozilla.com>
> *Sent:* Monday, April 15, 2019 4:18 PM
> *To:* Doug Beattie <doug.beattie at globalsign.com>; CA/B Forum Server
> Certificate WG Public Discussion List <servercert-wg at cabforum.org>
> *Subject:* Re: [Servercert-wg] Ballot SC18 version 2: Phone Contact with
> DNS CAA Phone Contact
>
> Doug - I noticed what looks like a minor typo in the appendix: "The entire
> parameter value of the MUST be a valid Global Number..." Of the what?
>
> Thanks,
>
> Wayne
>
> On Fri, Apr 12, 2019 at 12:07 PM Doug Beattie via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
> Updates from last version: Added ADN to the acronym list in section 1.6.2
>
> =============================
>
> Ballot SC18: Phone Contact with DNS CAA Phone Contact
>
> Purpose of Ballot: This ballot will permit domain owners to publish phone
> numbers in a DNS CAA record for the purposes of performing domain
> validation.
>
> The following motion has been proposed by Doug Beattie of GlobalSign and
> endorsed Tim Hollebeek of DigiCert and Bruce Morton from Entrust.
>
> --- MOTION BEGINS ---
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates” as follows, based on Version
> 1.6.4.
>
> Add the following definition to section 1.6.1:
>
> DNS CAA Phone Contact: The phone number defined in section B.1.2.
>
> Add the following Acronym to section 1.6.2:
>
> ADN      Authorization Domain Name
>
> Add Section 3.2.2.4.17 as follows:
>
> 3.2.2.4.17 Phone Contact with DNS CAA Phone Contact
>
> Confirm the Applicant's control over the FQDN by calling the DNS CAA Phone
> Contact’s phone number and obtain a confirming response to validate the
> ADN. Each phone call MAY confirm control of multiple ADNs provided that the
> same DNS CAA Phone Contact phone number is listed for each ADN being
> verified and they provide a confirming response for each ADN. The
> relevant CAA Resource Record Set MUST be found using the search algorithm
> defined in RFC 6844 Section 4, as amended by Errata 5065 (Appendix A).
>
> The CA MAY NOT be transferred or request to be transferred as this phone
> number has been specifically listed for the purposes of Domain Validation.
>
>
> In the event of reaching voicemail, the CA may leave the Random Value and
> the ADN(s) being validated.  The Random Value MUST be returned to the CA to
> approve the request.
>
> The Random Value SHALL remain valid for use in a confirming response for
> no more than 30 days from its creation. The CPS MAY specify a shorter
> validity period for Random Values.
>
> Note: Once the FQDN has been validated using this method, the CA MAY also
> issue Certificates for other FQDNs that end with all the labels of the
> validated FQDN.  This method is suitable for validating Wildcard Domain
> Names.
>
> Add appendix section B.1.2 as follows:
>
> B.1.2. CAA contactphone Property
>
> SYNTAX: contactemail <rfc3966 Global Number>
>
> The CAA contactphone property takes a phone number as its parameter.  The
> entire parameter value of the MUST be a valid Global Number as defined in
> RFC 3966 section 5.1.4, or it cannot be used.  Global Numbers MUST have a
> preceding + and a country code and MAY contain visual separators.
>
> The following is an example where the holder of the domain specified the
> contact property using a phone number.
>
> $ORIGIN example.com.
>
>     CAA 0 contactphone "+1 (555) 123-4567"
>
> The contactphone property MAY be critical if the domain owner does not
> want CAs who do not understand it to issue certificates for the domain.
>
> --- MOTION ENDS ---
>
> *** WARNING ***: USE AT YOUR OWN RISK.  THE REDLINE BELOW IS NOT THE
> OFFICIAL VERSION OF THE CHANGES (CABF Bylaws, Section 2.4(a)):
>
> A comparison of the changes can be found at:
> https://github.com/dougbeattie/documents/compare/master...dougbeattie:SC18-v1-CAA-Phone-Validation
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
> Start Time: 2019-04-12   15:30 Eastern
> End Time: Not before 2018-04-19   15:30 Eastern
>
> Vote for approval (7 days)
> Start Time: TBD
> End Time: TBD
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> http://cabforum.org/mailman/listinfo/servercert-wg
>
>
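The two mechanical pieces of the quoted ballot are the "entire parameter value MUST be a valid Global Number" rule for the contactphone property (appendix B.1.2) and the requirement that the relevant CAA Resource Record Set be found with the RFC 6844 Section 4 search as amended by Errata 5065. The following is an added example, not code from the ballot, the mailing list, or any CA: it validates a contactphone value against the RFC 3966 global-number ABNF, strips visual separators, parses CAA presentation-format RDATA, and walks from the FQDN up to its parents over a constructed in-memory zone (no DNS is queried). The zone contents, the `UNDERSTOOD_TAGS` set, the `futureprop` tag and the function names are all constructed for the example. One caveat the example surfaces: the RFC 3966 ABNF lists only `-`, `.`, `(` and `)` as visual separators, while the ballot's sample record `"+1 (555) 123-4567"` also contains spaces, so the validator takes the separator set as a parameter and the demo shows the strict and the space-tolerant result side by side; which reading the ballot intends is a question for the ballot text, not something the code decides. The climb-to-parent search without alias following is my reading of Errata 5065.

```python
"""CAA contactphone validation and relevant-RRset search (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 3966 ABNF: global-number-digits = "+" *phonedigit DIGIT *phonedigit,
# phonedigit = DIGIT / visual-separator, visual-separator = "-" / "." / "(" / ")".
RFC3966_SEPARATORS = "-.()"
E164_MAX_DIGITS = 15          # E.164 caps an international number at 15 digits
CAA_CRITICAL_FLAG = 0x80      # RFC 6844: issuer-critical bit of the flags byte
# Property tags this hypothetical CA understands (constructed for the example);
# any other tag that is flagged critical blocks issuance.
UNDERSTOOD_TAGS = frozenset({"issue", "issuewild", "iodef", "contactphone"})


def is_global_number(value: str, separators: str = RFC3966_SEPARATORS) -> bool:
    """True if the ENTIRE value is an RFC 3966 Global Number: a leading '+',
    then digits (country code first) with only the given visual separators."""
    if not value.startswith("+"):
        return False
    body = value[1:]
    allowed = set("0123456789") | set(separators)
    if not body or any(ch not in allowed for ch in body):
        return False
    digit_count = sum(ch.isdigit() for ch in body)
    return 1 <= digit_count <= E164_MAX_DIGITS


def normalize_global_number(value: str) -> str:
    """Drop visual separators: '+1 (555) 123-4567' -> '+15551234567'."""
    return "+" + "".join(ch for ch in value if ch.isdigit())


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & CAA_CRITICAL_FLAG)


def parse_caa_rdata(rdata: str) -> CAARecord:
    """Parse presentation-format CAA RDATA: <flags> <tag> "<value>"."""
    m = re.fullmatch(r'\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*', rdata)
    if not m or int(m.group(1)) > 255:
        raise ValueError(f"not a CAA RDATA string: {rdata!r}")
    return CAARecord(int(m.group(1)), m.group(2).lower(), m.group(3))


Zone = Dict[str, List[CAARecord]]


def relevant_caa_set(zone: Zone, fqdn: str) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 6844 section 4 search as amended by errata 5065 (my reading): the
    CAA RRset of the FQDN itself or, if that is empty, of the nearest ancestor
    up to and including the top-level label, with no CNAME/DNAME following."""
    labels = fqdn.rstrip(".").lower().split(".")
    while labels:
        name = ".".join(labels)
        rrset = zone.get(name, [])
        if rrset:
            return name, list(rrset)
        labels.pop(0)            # climb to the parent domain
    return None, []


def dns_caa_phone_contacts(zone: Zone, adn: str,
                           separators: str = RFC3966_SEPARATORS) -> List[str]:
    """Normalized contactphone numbers usable as the DNS CAA Phone Contact for
    an ADN; raises if a critical property the CA does not understand is present."""
    name, rrset = relevant_caa_set(zone, adn)
    for rec in rrset:
        if rec.critical and rec.tag not in UNDERSTOOD_TAGS:
            raise ValueError(f"critical CAA property {rec.tag!r} at {name} not understood")
    return [normalize_global_number(rec.value)
            for rec in rrset
            if rec.tag == "contactphone" and is_global_number(rec.value, separators)]


# Constructed zone data for the example; only example.com carries the ballot's sample value.
ZONE: Zone = {
    "example.com": [parse_caa_rdata('0 contactphone "+1 (555) 123-4567"'),
                    parse_caa_rdata('0 issue "ca.example.net"')],
    "bad.example.com": [parse_caa_rdata('0 contactphone "555-1234"')],   # no '+': not a Global Number
    "locked.example.com": [parse_caa_rdata('128 futureprop "x"')],      # unknown critical tag (constructed)
}

if __name__ == "__main__":
    print(relevant_caa_set(ZONE, "www.example.com")[0])                   # example.com (climbed one label)
    print(dns_caa_phone_contacts(ZONE, "www.example.com"))                # [] under strict RFC 3966 separators
    print(dns_caa_phone_contacts(ZONE, "www.example.com", RFC3966_SEPARATORS + " "))  # ['+15551234567']
```

Note that `bad.example.com` returns no contact even though its parent publishes a valid one: the search stops at the first non-empty CAA RRset, so a malformed contactphone at the child does not fall through to the parent's number, and the critical-flag check runs before any number is accepted.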