[cabf_validation] Proposed edit for domain validation method #5

kirk_hall at trendmicro.com
Mon Jun 8 16:28:38 MST 2015


I wasn’t trying to be more restrictive, but just give a CA more options for this method.  Do you think there is more risk in posting to the root level than to the .well-known extension level?  If so, why?

If the root level is compromised, the game is over.

From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
Sent: Monday, June 08, 2015 4:27 PM
To: Kirk Hall (RD-US); validation at cabforum.org
Subject: RE: Proposed edit for domain validation method #5

I don’t agree with this one. I think we’re restricting practical control enough with the .well-known extension as-is. I don’t think this is any riskier than the other domain validation methods where you can validate at any level of the string.

From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
Sent: Thursday, June 4, 2015 4:20 PM
To: validation at cabforum.org
Subject: [cabf_validation] Proposed edit for domain validation method #5

Chris Bailey and I would like to suggest an edit to domain validation method #5 in the most recent draft.

We think that a CA should also be allowed to ask the Applicant to post the Random Value or Request Token at the home page or “root level” for the FQDN, as a second option to posting at the “well known certificate directory” location included in the current draft.

Here would be the edit (added language):

5.  Having the Applicant demonstrate control over the requested FQDN by adding a file whose name or contents include a Random Value or a Request Token to the root level or the “/.well-known/certificate” directory at an Authorization Domain in accordance with RFC 5785

There may be a better phrase to use than “root level” and we are open to suggestions.

Our thinking is that posting the marker to the root level is at least as secure as posting to the well known certificate directory location.  If the Applicant can’t control the root level, then the Applicant isn’t in control of much and shouldn’t get the cert; on the other hand, if the Applicant does control the root level and can post the marker there, it shows domain control.

Is there support for making this change?  If not, what are the arguments against it?

Kirk R. Hall
Operations Director, Trust Services
Trend Micro
+1.503.753.3088




TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.



