[cabf_validation] *Please review ASAP* Updated domain validation draft

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Fri Aug 28 10:05:45 MST 2015


I like it and will add now.  Thanks.

From: Rick Andrews [mailto:Rick_Andrews at symantec.com]
Sent: Friday, August 28, 2015 9:42 AM
To: Kirk Hall (RD-US); validation at cabforum.org
Subject: RE: [cabf_validation] *Please review ASAP* Updated domain validation draft

Kirk, I saw that mention of CNAME, but I didn’t think it covered my concern. The new method 8 (K) says “Having the Applicant demonstrate control over the requested FQDN by the CA confirming that the Applicant controls an IP address returned from a DNS lookup for A or AAAA records for the requested FQDN in accordance with section 3.2.2.5;  or”. So the new method isn’t tied to the definition of Authorization Domain Name.

How about if method 8 said “Having the Applicant demonstrate control over the requested FQDN by the CA confirming that the Applicant controls an IP address returned from a DNS lookup for A or AAAA records for the Authorization Domain Name in accordance with section 3.2.2.5;  or”

That would make it similar to the other uses of Authorization Domain Name in the doc.

-Rick

From: kirk_hall at trendmicro.com<mailto:kirk_hall at trendmicro.com> [mailto:kirk_hall at trendmicro.com]
Sent: Thursday, August 27, 2015 5:30 PM
To: Rick Andrews; validation at cabforum.org<mailto:validation at cabforum.org>
Subject: RE: [cabf_validation] *Please review ASAP* Updated domain validation draft

Rick, I think I saw only two comments or changes.

I will change “Domain Validation” to “Validation of Domain Ownership or Control” for the new title of 3.2.2.4 as you suggest.

The other comment I saw was about CNAME for Method 8.  On the call today, CNAME was raised, and someone said the issue is “covered” by the new definition of Authorization Domain Name (see below).  Do you agree?

Were there any other issues you raised?

Authorization Domain Name: The Domain Name used to obtain authorization for certificate issuance for a given FQDN.  The CA may use the FQDN returned from a DNS CNAME lookup as the FQDN for the purposes of domain validation.  If the FQDN starts with a wildcard character, then the CA MUST remove all wildcard labels from the left most portion of requested FQDN.  The CA may prune zero or more labels from left to right until encountering a Base Domain Name and may use any one of the intermediate values for the purpose of domain validation.

From: Rick Andrews [mailto:Rick_Andrews at symantec.com]
Sent: Thursday, August 27, 2015 2:54 PM
To: Kirk Hall (RD-US); validation at cabforum.org<mailto:validation at cabforum.org>
Subject: RE: [cabf_validation] *Please review ASAP* Updated domain validation draft

Thanks for pulling this together, Kirk (and whoever helped you, if you had help). I added a couple of comments/questions.

-Rick

From: validation-bounces at cabforum.org<mailto:validation-bounces at cabforum.org> [mailto:validation-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com<mailto:kirk_hall at trendmicro.com>
Sent: Thursday, August 27, 2015 11:49 AM
To: validation at cabforum.org<mailto:validation at cabforum.org>
Subject: [cabf_validation] *Please review ASAP* Updated domain validation draft
Importance: High

I attach an updated Domain Validation draft revision, dated today (Aug. 27) in track changes mode from the Aug. 26 draft we discussed this morning.

I added a new Method 10 (line M) to cover the cases where the CA is also the Registrar.  Wayne, can you edit?

Jeremy, you said you had additional Authorized Ports to propose – please send to this list today if possible.

The definition for Random Value (line Z) has changed as we discussed, so we can use the term everywhere.  Per our discussion, we only specify minimum entropy for two cases – automated processes, and practical demonstration in the DNS record.  Otherwise, the Random Value can be a value specified by the CA that is unknown to the Applicant.  Isn’t that what we decided?

For everyone else – please review and see if this is ready to forward to the Forum members TOMORROW for first discussion next Thursday.  Meaning, please provide your comments today or tomorrow morning at the latest.



TREND MICRO EMAIL NOTICE

The information contained in this email and any attachments is confidential

and may be subject to copyright or other intellectual property protection.

If you are not the intended recipient, you are not authorized to use or

disclose this information, and we request that you notify us by reply mail or

telephone and delete the original message from your mail system.
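The Authorization Domain Name definition quoted in this thread (wildcard removal, optional CNAME substitution, label pruning down to the Base Domain Name) can be made concrete as follows. This is an added example, not part of the original message or of the draft. The function names are hypothetical, and the Base Domain Name and CNAME target are passed in by the caller as constructed inputs rather than resolved. Pruning the CNAME target in the same way as the requested FQDN is this example's reading of the draft text.

```python
def strip_wildcards(fqdn):
    """Remove all wildcard labels from the leftmost portion of the FQDN."""
    labels = fqdn.rstrip(".").lower().split(".")
    while labels and labels[0] == "*":
        labels.pop(0)
    # Reject empty names, empty labels, and wildcards that are not leftmost.
    if not labels or "" in labels or "*" in labels:
        raise ValueError(f"not a usable FQDN: {fqdn!r}")
    return ".".join(labels)


def prune_to_base(fqdn, base_domain):
    """Every name reachable by pruning zero or more labels, left to right,
    stopping at the Base Domain Name (supplied by the caller: an assumption)."""
    name = strip_wildcards(fqdn)
    base = base_domain.rstrip(".").lower()
    if name != base and not name.endswith("." + base):
        raise ValueError(f"{name!r} is not under base domain {base!r}")
    labels = name.split(".")
    keep = len(base.split("."))
    return [".".join(labels[i:]) for i in range(len(labels) - keep + 1)]


def authorization_domain_names(requested_fqdn, base_domain, cname=None):
    """Candidate Authorization Domain Names for a requested FQDN.

    cname is an optional (target_fqdn, target_base_domain) pair standing in
    for the result of a DNS CNAME lookup on the requested FQDN.
    """
    names = prune_to_base(requested_fqdn, base_domain)
    if cname is not None:
        target, target_base = cname
        for candidate in prune_to_base(target, target_base):
            if candidate not in names:
                names.append(candidate)
    return names


if __name__ == "__main__":
    # Constructed sample inputs; no DNS queries are made.
    print(authorization_domain_names("*.www.example.com", "example.com"))
    print(authorization_domain_names(
        "shop.example.com", "example.com",
        cname=("tenant1.host.example.net", "example.net")))
```

With the wording proposed for method 8 in the reply above, the A or AAAA lookup could be made for any name in the returned list rather than only for the requested FQDN, so the size of that list is what a reviewer of the draft would want to look at.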





