[cabf_validation] FW: Domain Validation ballot draft

Doug Beattie doug.beattie at globalsign.com
Mon Feb 29 10:34:43 MST 2016


J.C.,

I think it would be better to create a new validation option for this so we don't confuse the different options (we've been down this path before). When using a cert from the CA we'll need to define the Test certificate and its validation steps differently from what you propose, and I worry that adding this to the current definition (which already has an option in it) will cause confusion and/or ambiguity. Can you create Domain Validation option 10?


> -----Original Message-----
> From: validation-bounces at cabforum.org [mailto:validation-
> bounces at cabforum.org] On Behalf Of J.C. Jones
> Sent: Monday, February 29, 2016 9:18 AM
> To: validation at cabforum.org
> Subject: Re: [cabf_validation] FW: Domain Validation ballot draft
> 
> The TLS-SNI validation type defined in ACME [1] maps most closely to the
> Test Certificate concept in Clause 9. The TLS-SNI validation type works by
> validating the presentation of a Test Certificate, self-signed by the Applicant,
> which contains a Random Value provided by the CA encoded within the
> Subject Alternative Name.
> 
> To permit the use of the TLS-SNI validation type, I would propose we keep
> Doug's updated definition of Test Certificate, and further amend Clause 9 to
> provide an either/or for the non-expired Test Certificate,
> either:
>   1) issued by the CA for the purpose of issuing a certificate with the same
> Public Key as in the Test Certificate, or
>   2) containing a Random Value
> 
>  Clause 9. Confirming the Applicant's control over the requested FQDN by
> confirming the presence on the Authorization Domain Name which is
> accessible by the CA via TLS over an Authorized Port of a non-expired Test
> Certificate either issued by the CA for the purpose of issuing a certificate with
> the same Public Key as in the Test Certificate, or containing a Random Value.
> 
> 1) https://tools.ietf.org/html/draft-ietf-acme-acme-01#section-7.3
> 
> Cheers!
> 
> - J.C. Jones
> 
> 
> 
> On Sun, Feb 28, 2016 at 9:32 AM, Doug Beattie
> <doug.beattie at globalsign.com> wrote:
> > Here are my inputs on Test Certificate:
> >
> > Item 9:
> > 9. Confirming the Applicant's control over the requested FQDN by
> confirming the presence on the Authorization Domain Name of a non-expired
> Test Certificate  issued by the CA and which is accessible by the CA via TLS
> over an Authorized Port for the purpose of issuing a certificate with the same
> Public Key as in the Test Certificate.
> >
> >
> >
> > Definition:
> > Test Certificate: A Certificate with a maximum validity period of 30 days and
> which i) includes a critical extension with the specified Test Certificate CABF
> OID, or ii) which chains to a root certificate not subject to these
> Requirements.
> >
> > Commentary: During the F2F meeting it was recommended we add a
> specified critical Extension to test certificates, which I've added a provision
> for.  But I'd still like the other option to be an SSL certificate issued under a
> non-public root (without that critical extension).
> >
> > Doug
> >
> >
> >
> >> -----Original Message-----
> >> From: validation-bounces at cabforum.org [mailto:validation-
> >> bounces at cabforum.org] On Behalf Of Robin Alden
> >> Sent: Thursday, February 25, 2016 11:04 AM
> >> To: kirk_hall at trendmicro.com; validation at cabforum.org
> >> Subject: Re: [cabf_validation] FW: Domain Validation ballot draft
> >>
> >>
> >>
> >> > -----Original Message-----
> >> > From: validation-bounces at cabforum.org [mailto:validation-
> >> > bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
> >> > Sent: 25 February 2016 15:58
> >> > To: validation at cabforum.org
> >> > Subject: [cabf_validation] FW: Domain Validation ballot draft
> >> >
> >> > I have not seen a newer draft, so we can work from this draft from
> >> > last
> >> week
> >> >
> >> > -----Original Message-----
> >> > From: Peter Bowen [mailto:pzb at amzn.com]
> >> > Sent: Thursday, February 18, 2016 8:46 AM
> >> > To: CABFPub; Kirk Hall (RD-US)
> >> > Subject: Domain Validation ballot draft
> >> >
> >> > Here is the latest draft based on the revisions coming out of the
> >> > working group discussion yesterday.  The Word document is the
> >> > master; the slides are a reformatting for the discussion tomorrow.
> >> >
> >> > Thanks,
> >> > Peter
> >> >
> >> >
> > _______________________________________________
> > Validation mailing list
> > Validation at cabforum.org
> > https://cabforum.org/mailman/listinfo/validation
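The TLS-SNI exchange J.C. describes, as an added example that is not part of this thread or of the ACME draft: the Applicant publishes a self-signed Test Certificate carrying the CA's Random Value in its Subject Alternative Name, and the CA connects with SNI and judges the presented leaf against the conditions in the draft text (non-expired, at most 30 days of validity, Random Value present). The ".acme.invalid" label suffix, the in-memory pipe standing in for the Authorized Port, and the Go function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"time"
)

const suffix = ".acme.invalid" // assumed SNI label suffix; the thread fixes none

// makeTestCert (Applicant side): self-signed cert whose dNSName SAN carries the CA's Random Value.
func makeTestCert(randomValue string, validFor time.Duration) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Certificate"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(validFor), DNSNames: []string{randomValue + suffix}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// checkTestCert (CA side): run the TLS-SNI handshake over an in-memory pipe (assumed stand-in for the
// Authorized Port) and judge the presented leaf: unexpired, at most 30 days long, Random Value in SAN.
// Chain verification is off on purpose: the leaf is self-signed, so the Random Value is the proof.
func checkTestCert(cert tls.Certificate, randomValue string, now time.Time) error {
	c, s := net.Pipe()
	go func() { // Applicant's server answers one handshake; tickets off so nothing follows Finished
		tls.Server(s, &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true}).Handshake()
		s.Close()
	}()
	defer c.Close()
	cli := tls.Client(c, &tls.Config{ServerName: randomValue + suffix, InsecureSkipVerify: true})
	if err := cli.Handshake(); err != nil {
		return err
	}
	leaf := cli.ConnectionState().PeerCertificates[0]
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) || leaf.NotAfter.Sub(leaf.NotBefore) > 30*24*time.Hour {
		return errors.New("test certificate expired, not yet valid, or valid for more than 30 days")
	}
	for _, n := range leaf.DNSNames {
		if n == randomValue+suffix {
			return nil
		}
	}
	return errors.New("random value not present in SAN")
}
```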

