[cabf_validation] Domain Validation update for discussion

kirk_hall at trendmicro.com
Tue Jun 23 00:19:40 MST 2015


I think we agree that the same “value” could be used to demonstrate practical control over multiple domains at the time of a single vetting – but we also agreed that new values must be used at the time of revetting.  So we would lose that if we delete the “30 days” requirement shown in yellow on Jeremy’s June 18 draft, and a CA could continue to use an old file for years and years – that would not be proper either.

Doug, can you come up with language that satisfies your concern about validating multiple domains, but requires a CA to generate and use a different value each time a particular domain is being revetted under our timeliness/revetting rules?

From: Doug Beattie [mailto:doug.beattie at globalsign.com]
Sent: Tuesday, June 23, 2015 9:06 AM
To: Kirk Hall (RD-US); Robin Alden; 'Jeremy Rowley'; validation at cabforum.org
Subject: RE: [cabf_validation] Domain Validation update for discussion

OK, if the highlighted text is supposed to be removed, then I don’t have any issues, thanks!

From: kirk_hall at trendmicro.com [mailto:kirk_hall at trendmicro.com]
Sent: Monday, June 22, 2015 3:54 PM
To: Robin Alden; Doug Beattie; 'Jeremy Rowley'; validation at cabforum.org
Subject: RE: [cabf_validation] Domain Validation update for discussion

Jeremy or Robin – can you clarify where we are at on this ballot so we all know for sure we are working from the latest draft?

Here is what Jeremy sent out on June 18 – is this the current draft with all changes and updates for discussion?

From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of Robin Alden
Sent: Monday, June 22, 2015 12:11 PM
To: 'Doug Beattie'; 'Jeremy Rowley'; validation at cabforum.org
Subject: Re: [cabf_validation] Domain Validation update for discussion

Hi Doug,
We did have some discussion on this issue of using a new ‘value’ for each ‘domain’ and my recollection was that we decided to strike out the highlighted text in Jeremy’s most recent document.  The most recent version on the mail list was sent in advance of the validation group telecom and does not reflect the discussions on Thursday.

As you wrote, the validation of ownership or control for multi-domain certificates using methods 5 and 6 is not improved and may be rendered unnecessarily more difficult by using a different ‘value’ for each domain.
On the other hand for methods 2 and 3 it is essential that a different ‘value’ is used for each ‘domain’.

We could and should express those thoughts pithily in the proposed revision to the domain validation requirements, but we didn’t have it after the discussion on Thursday so we elected to strike those words for the time being so that the revision could go forward.

Regards
Robin

From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of Doug Beattie
Sent: 21 June 2015 09:09
To: Jeremy Rowley; validation at cabforum.org
Subject: Re: [cabf_validation] Domain Validation update for discussion

I must have missed the discussion around the topics in this new addition:

•        The CA MUST generate and use a new Random Value, Request Token, or Test Certificate for each Authorization Domain validated and MUST NOT rely on a Random Value, Request Token or Test Certificate generated more than 30 days prior completing verification under this section

What was the reasoning behind using different values for different Authorized Domain (not even sure what this means because we are validating FQDNs, not Authorized Domains..) and why the value is limited to 30 days?

If someone orders a multi-san cert the CA should be able to use the same value for all the SANs in the cert when using DNS or a file (maybe not the email validation).  Why do we need to have a lot of different values for one request for a certificate (what we normally call an “order”)?

If people add and remove SANs from that cert (the “order”), the same random value should be able to be used for the life of the order as long as the time between creating that token (when the request for the cert was first placed) and using it is less than 39 months, it should be acceptable.  Was there a security reason to limit the validity of the random value?

Doug



From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Thursday, June 18, 2015 3:26 PM
To: validation at cabforum.org
Subject: [cabf_validation] Domain Validation update for discussion





TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.



