[cabf_validation] FW: Domain Validation ballot draft

J.C. Jones jjones at mozilla.com
Mon Feb 29 10:18:07 MST 2016


The TLS-SNI validation type defined in ACME [1] maps most closely to
the Test Certificate concept in Clause 9. The TLS-SNI validation type
works by validating the presentation of a Test Certificate,
self-signed by the Applicant, which contains a Random Value provided
by the CA encoded within the Subject Alternative Name.

To permit the use of the TLS-SNI validation type, I would propose we
keep Doug's updated definition of Test Certificate, and further amend
Clause 9 to provide an either/or for the non-expired Test Certificate,
either:
  1) issued by the CA for the purpose of issuing a certificate with
the same Public Key as in the Test Certificate, or
  2) containing a Random Value

 Clause 9. Confirming the Applicant's control over the requested FQDN
by confirming the presence on the Authorization Domain Name which is
accessible by the CA via TLS over an Authorized Port of a non-expired
Test Certificate either issued by the CA for the purpose of issuing a
certificate with the same Public Key as in the Test Certificate, or
containing a Random Value.

[1] https://tools.ietf.org/html/draft-ietf-acme-acme-01#section-7.3

Cheers!

- J.C. Jones
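As an added illustration, not code from this thread or from any ACME implementation, here is a Go sketch of both sides of the TLS-SNI variant described above: the Applicant's self-signed Test Certificate carrying the Random Value in its SAN, and the CA-side check for the proposed second branch of Clause 9 (non-expired, self-signed, containing the Random Value), using the 30-day maximum from Doug's Test Certificate definition. The `.acme.invalid` SAN shape follows the tls-sni-01 challenge in the cited draft; hashing the bare Random Value rather than the ACME key authorization, and the function names, are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)
// sniName: Z = hex(SHA256(value)), presented as <Z[0:32]>.<Z[32:64]>.acme.invalid,
// the tls-sni-01 SAN shape (hashing the bare Random Value is a simplification).
func sniName(randomValue string) string {
	sum := sha256.Sum256([]byte(randomValue))
	z := hex.EncodeToString(sum[:])
	return z[:32] + "." + z[32:] + ".acme.invalid"
}

// makeTestCert builds the Applicant's self-signed Test Certificate carrying that
// SAN (constructed applicant-side material, valid for validDays days).
func makeTestCert(randomValue string, validDays int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	start := time.Now().Add(-time.Hour)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{sniName(randomValue)},
		NotBefore: start, NotAfter: start.Add(time.Duration(validDays) * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// checkTestCert is the CA-side check for the "containing a Random Value" branch: unexpired
// at now, within the 30-day Test Certificate maximum, self-signed, and carrying the SAN.
func checkTestCert(cert *x509.Certificate, randomValue string, now time.Time) error {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) || cert.NotAfter.Sub(cert.NotBefore) > 30*24*time.Hour {
		return errors.New("test certificate expired, not yet valid, or valid for more than 30 days")
	}
	if cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) != nil {
		return errors.New("test certificate is not signed by its own key")
	}
	for _, name := range cert.DNSNames {
		if name == sniName(randomValue) {
			return nil
		}
	}
	return errors.New("SAN does not carry the expected Random Value name")
}
```

In a real CA the certificate would be the one presented by the Authorization Domain Name over TLS on an Authorized Port, with the expected SAN sent as the SNI value.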



On Sun, Feb 28, 2016 at 9:32 AM, Doug Beattie
<doug.beattie at globalsign.com> wrote:
> Here are my inputs on Test Certificate:
>
> Item 9:
> 9. Confirming the Applicant's control over the requested FQDN by confirming the presence on the Authorization Domain Name of a non-expired Test Certificate issued by the CA and which is accessible by the CA via TLS over an Authorized Port for the purpose of issuing a certificate with the same Public Key as in the Test Certificate.
>
>
>
> Definition:
> Test Certificate: A Certificate with a maximum validity period of 30 days and which i) includes a critical extension with the specified Test Certificate CABF OID, or ii) which chains to a root certificate not subject to these Requirements.
>
> Commentary: During the F2F meeting it was recommended we add a specified critical Extension to test certificates, which I've added a provision for. But I'd still like the other option to be an SSL certificate issued under a non-public root (without that critical extension).
>
> Doug
>
>
>
>> -----Original Message-----
>> From: validation-bounces at cabforum.org [mailto:validation-
>> bounces at cabforum.org] On Behalf Of Robin Alden
>> Sent: Thursday, February 25, 2016 11:04 AM
>> To: kirk_hall at trendmicro.com; validation at cabforum.org
>> Subject: Re: [cabf_validation] FW: Domain Validation ballot draft
>>
>>
>>
>> > -----Original Message-----
>> > From: validation-bounces at cabforum.org [mailto:validation-
>> > bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
>> > Sent: 25 February 2016 15:58
>> > To: validation at cabforum.org
>> > Subject: [cabf_validation] FW: Domain Validation ballot draft
>> >
>> > I have not seen a newer draft, so we can work from this draft from
>> > last week
>> >
>> > -----Original Message-----
>> > From: Peter Bowen [mailto:pzb at amzn.com]
>> > Sent: Thursday, February 18, 2016 8:46 AM
>> > To: CABFPub; Kirk Hall (RD-US)
>> > Subject: Domain Validation ballot draft
>> >
>> > Here is the latest draft based on the revisions coming out of the
>> > working group discussion yesterday.  The Word document is the master;
>> > the slides are a reformatting for the discussion tomorrow.
>> >
>> > Thanks,
>> > Peter
>> >
>> >