[cabf_validation] Ballot 169 changes

Kirk Hall Kirk.Hall at entrust.com
Thu Jun 30 14:30:52 MST 2016


Sorry, meant to post this earlier.



I will review the github draft, but here's my suggestion on how we put the ballot out.



1.  First, just post to the public list the sections that have been edited since the last time we put out a preballot to the public list and discussed on the bi-weekly call.  Ask for any comments on the most recent changes, and give only a few days to respond.



2.  Meanwhile, for this big a change, I think the format we used before (showing existing BR 3.2.2.4 in the left column, and the new language in the right column -- no "track changes" in this version) works best, and once I know I have the complete updated text I can create a new pdf using this format to send out (or for Ben or Peter to send out as a ballot).  The pdf can either contain all the ballot language itself, or just be an attachment to an email with the ballot language.



I attach the most recent version of the comparison I have.  I would probably eliminate the right column "Comments".



3.  Should we also include confirming changes to EVGL 11.7.1 (shown below)?  I think we should.  I think we only need to strike the words “except that a CA MAY NOT verify a domain using the procedure described subsection 3.2.2.4(7).”



11.7.1. Verification Requirements



(1) For each Fully-Qualified Domain Name listed in a Certificate, other than a Domain Name with .onion in the rightmost label of the Domain Name, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant (or the Applicant’s Parent Company, Subsidiary Company, or Affiliate, collectively referred to as “Applicant” for the purposes of this section) either is the Domain Name Registrant or has control over the FQDN using a procedure specified in Section 3.2.2.4 of the Baseline Requirements, except that a CA MAY NOT verify a domain using the procedure described subsection 3.2.2.4(7). For a Certificate issued to a Domain Name with .onion in the right-most label of the Domain Name, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant’s control over the .onion Domain Name in accordance with Appendix F.



(2) Mixed Character Set Domain Names: EV Certificates MAY include Domain Names containing mixed character sets only in compliance with the rules set forth by the domain registrar. The CA MUST visually compare any Domain Names with mixed character sets with known high risk domains. If a similarity is found, then the EV Certificate Request MUST be flagged as High Risk. The CA must perform reasonably appropriate additional authentication and verification to be certain beyond reasonable doubt that the Applicant and the target in question are the same organization.



-----Original Message-----
From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of Doug Beattie
Sent: Thursday, June 30, 2016 1:03 PM
To: Tim Hollebeek <THollebeek at trustwave.com>; Ben Wilson <ben.wilson at digicert.com>; Peter Bowen <pzb at amzn.com>; Jeremy Rowley <jeremy.rowley at digicert.com>
Cc: validation (validation at cabforum.org) <validation at cabforum.org>
Subject: Re: [cabf_validation] Ballot 169 changes



Nothing major, but 2 small points:



Maybe this (3.2.2.4, second para):

    The CA SHALL confirm that, as of the date the Certificate issues

should be changed to this:

    The CA SHALL confirm that, as of the date the Certificate is issued,



And there seem to be a lot of commas in this (3.2.2.4.1):

  3. The CA is also the Domain Name Registrar, or an Affiliate of the Registrar, of the Base Domain Name.



Otherwise, looks good!



Doug



-----Original Message-----

From: Tim Hollebeek [mailto:THollebeek at trustwave.com]

Sent: Thursday, June 30, 2016 3:29 PM

To: Ben Wilson; Peter Bowen; Doug Beattie; Jeremy Rowley

Cc: validation (validation at cabforum.org)

Subject: RE: [cabf_validation] Ballot 169 changes



Looks good to me.



-----Original Message-----

From: Ben Wilson [mailto:ben.wilson at digicert.com]

Sent: Thursday, June 30, 2016 1:57 PM

To: Peter Bowen; Doug Beattie; Jeremy Rowley; Tim Hollebeek

Cc: validation (validation at cabforum.org)

Subject: RE: [cabf_validation] Ballot 169 changes



Here is the ballot for your review: https://cabforum.org/wiki/169%20-%20Revised%20Validation%20Requirements



Is this ready to be posted to the Public list?  (Note the two-week review period mentioned below.)



Ballot 169 - Revised Validation Requirements



The following motion has been proposed by Jeremy Rowley of DigiCert and endorsed by Tim Hollebeek of Trustwave and Doug Beattie of GlobalSign:



Background:



The primary purpose of this change is to replace Domain Validation item 7 "Using any other method of confirmation which has at least the same level of assurance as those methods previously described" with a specific list of the approved domain validation methods (including new methods proposed by Members). This ballot also tightens up and clarifies the existing Domain Validation methods 1 through 6. This revised BR 3.2.2.4 describes the methods that CAs may use to confirm domain ownership or control. Other validation methods can be added in the future.



The Validation Working Group believes the domain validation rules should follow the current BR 3.2.2.4 structure as much as possible so the changes are easy to understand, be worded as simply and clearly as possible so as to be easily implemented by CAs worldwide, and should avoid unnecessary complications or additional requirements that don’t address a realistic security threat. If a Forum Member wants to add any new requirements to these validation methods, the Validation Working Group would prefer that the new requirements be proposed and discussed by separate ballot.



--Motion Begins--



Effective Date: 1 March 2017



A. In Section 1.6.1 of the Baseline Requirements INSERT the following definitions alphabetically:



Authorization Domain Name: The Domain Name used to obtain authorization for certificate issuance for a given FQDN. The CA may use the FQDN returned from a DNS CNAME lookup as the FQDN for the purposes of domain validation. If the FQDN contains a wildcard character, then the CA MUST remove all wildcard labels from the left most portion of requested FQDN. The CA may prune zero or more labels from left to right until encountering a Base Domain Name and may use any one of the intermediate values for the purpose of domain validation.



Authorized Port: One of the following ports: 80 (http), 443 (http), 115 (sftp), 25 (smtp), 22 (ssh).



Base Domain Name: The portion of an applied-for FQDN that is the first domain name node left of a registry-controlled or public suffix plus the registry-controlled or public suffix (e.g. "example.co.uk" or "example.com"). For gTLDs, the domain www.[gTLD] will be considered to be a Base Domain.



Domain Contact: The Domain Name Registrant, technical contact, or administrative contact (or the equivalent under a ccTLD) as listed in the WHOIS record of the Base Domain Name or in a DNS SOA record.



Random Value: A value specified by a CA to the Applicant that exhibits at least 112 bits of entropy.



Request Token: A value derived in a method specified by the CA which binds this demonstration of control to the certificate request.



The Request Token SHALL incorporate the key used in the certificate request.



A Request Token MAY include a timestamp to indicate when it was created.



A Request Token MAY include other information to ensure its uniqueness.



A Request Token that includes a timestamp SHALL remain valid for no more than 30 days from the time of creation.



A Request Token that includes a timestamp SHALL be treated as invalid if its timestamp is in the future.



A Request Token that does not include a timestamp is valid for a single use and the CA SHALL NOT re-use it for a subsequent validation.



The binding SHALL use a digital signature algorithm or a cryptographic hash algorithm at least as strong as that to be used in signing the certificate request.



Required Website Content: Either a Random Value or a Request Token, together with additional information that uniquely identifies the Subscriber, as specified by the CA.



Test Certificate: A Certificate with a maximum validity period of 30 days and which i) includes a critical extension with the specified Test Certificate CABF OID, or ii) which chains to a root certificate not subject to these Requirements.



B. DELETE Section 3.2.2.4 of the Baseline Requirements in its entirety and INSERT the following:



3.2.2.4 Validation of Domain Authorization or Control



This section defines the permitted processes and procedures for validating the Applicant's ownership or control of the domain.



The CA SHALL confirm that, as of the date the Certificate issues, either the CA or a Delegated Third Party has validated each Fully-Qualified Domain Name (FQDN) listed in the Certificate using at least one of the methods listed below.



Completed confirmations of Applicant authority may be valid for the issuance of multiple certificates over time. In all cases, the confirmation must have been initiated within the time period specified in the relevant requirement (such as Section 3.3.1 of this document) prior to certificate issuance. For purposes of domain validation, the term Applicant includes the Applicant's Parent Company, Subsidiary Company, or Affiliate.



Note: FQDNs may be listed in Subscriber Certificates using dNSNames in the subjectAltName extension or in Subordinate CA Certificates via dNSNames in permittedSubtrees within the Name Constraints extension.



3.2.2.4.1 Validating the Applicant as a Domain Contact



Confirming the Applicant's control over the FQDN by validating the Applicant is the Domain Contact directly with the Domain Name Registrar. This method may only be used if:



   1.  The CA authenticates the Applicant's identity under BR Section 3.2.2.1 and the authority of the Applicant Representative under BR Section 3.2.5, OR

   2.  The CA authenticates the Applicant's identity under EV Guidelines Section 11.2 and the agency of the Certificate Approver under EV Guidelines Section 11.8; OR

   3.  The CA is also the Domain Name Registrar, or an Affiliate of the Registrar, of the Base Domain Name.



3.2.2.4.2 Email, Fax, SMS, or Postal Mail to Domain Contact



Confirming the Applicant's control over the FQDN by sending a Random Value via email, fax, SMS, or postal mail and then receiving a confirming response utilizing the Random Value. The Random Value MUST be sent to an email address, fax/SMS number, or postal mail address identified as a Domain Contact.



Each email, fax, SMS, or postal mail MAY confirm control of multiple Authorization Domain Names.



The CA or Delegated Third Party MAY send the email, fax, SMS, or postal mail identified under this section to more than one recipient provided that every recipient is identified by the Domain Name Registrar as representing the Domain Name Registrant for every FQDN being verified using the email, fax, SMS, or postal mail.



The Random Value SHALL be unique in each email, fax, SMS, or postal mail.



The CA or Delegated Third Party MAY resend the email, fax, SMS, or postal mail in its entirety, including re-use of the Random Value, provided that the communication's entire contents and recipient(s) remain unchanged.



The Random Value SHALL remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values, in which case the CA MUST follow its CPS.



3.2.2.4.3 Phone Contact with Domain Contact



Confirming the Applicant's control over the requested FQDN by calling the Domain Name Registrant's phone number and obtaining a response confirming the Applicant's request for validation of the FQDN. The CA or Delegated Third Party MUST place the call to a phone number identified by the Domain Name Registrar as the Domain Contact.



Each phone call SHALL be made to a single number and MAY confirm control of multiple FQDNs, provided that the phone number is identified by the Domain Registrar as a valid contact method for every Base Domain Name being verified using the phone call.



3.2.2.4.4 Constructed Email to Domain Contact



Confirm the Applicant's control over the requested FQDN by (i) sending an email to one or more addresses created by using 'admin', 'administrator', 'webmaster', 'hostmaster', or 'postmaster' as the local part, followed by the at-sign ("@"), followed by an Authorization Domain Name, (ii) including a Random Value in the email, and (iii) receiving a confirming response utilizing the Random Value.



Each email MAY confirm control of multiple FQDNs, provided the Authorization Domain Name used in the email is an Authorization Domain Name for each FQDN being confirmed.



The Random Value SHALL be unique in each email.



The email MAY be re-sent in its entirety, including the re-use of the Random Value, provided that its entire contents and recipient SHALL remain unchanged.



The Random Value SHALL remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values, in which case the CA.



3.2.2.4.5 Domain Authorization Document



Confirming the Applicant's control over the requested FQDN by relying upon the attestation to the authority of the Applicant to request a Certificate contained in a Domain Authorization Document. The Domain Authorization Document MUST substantiate that the communication came from the Domain Contact. The CA MUST verify that the Domain Authorization Document was either (i) dated on or after the date of the domain validation request or (ii) that the WHOIS data has not materially changed since a previously provided Domain Authorization Document for the Domain Name Space.



3.2.2.4.6 Agreed-Upon Change to Website



Confirming the Applicant's control over the requested FQDN by confirming one of the following under the "/.well-known/pki-validation" directory, or another path registered with IANA for the purpose of Domain Validation, on the Authorization Domain Name that is accessible by the CA via HTTP/HTTPS over an Authorized Port:



    1.  The presence of Required Website Content contained in the content of a file or on a web page in the form of a meta tag. The entire Required Website Content MUST NOT appear in the request used to retrieve the file or web page, or

    2.  The presence of the Request Token or Random Value contained in the content of a file or on a webpage in the form of a meta tag where the Request Token or Random Value MUST NOT appear in the request.



If a Random Value is used, the CA or Delegated Third Party SHALL provide a Random Value unique to the certificate request and SHALL not use the Random Value after the longer of (i) 30 days or (ii) if the Applicant submitted the certificate request, the timeframe permitted for reuse of validated information relevant to the certificate (such as in Section 3.3.1 of these Guidelines or Section 11.14.3 of the EV Guidelines).



Note: Examples of Request Tokens include, but are not limited to: (i) a hash of the public key; (ii) a hash of the Subject Public Key Info [X.509]; and (iii) a hash of a PKCS#10 CSR. A Request Token may also be concatenated with a timestamp or other data. If a CA wanted to always use a hash of a PKCS#10 CSR as a Request Token and did not want to incorporate a timestamp and did want to allow certificate key re-use then the applicant might use the challenge password in the creation of a CSR with OpenSSL to ensure uniqueness even if the subject and key are identical between subsequent requests. This simplistic shell command produces a Request Token which has a timestamp and a hash of a CSR. E.g.

    echo `date -u +%Y%m%d%H%M` `sha256sum <r2.csr` | sed "s/[ -]//g"

The script outputs:

    201602251811c9c863405fe7675a3988b97664ea6baf442019e4e52fa335f406f7c5f26cf14f

The CA should define in its CPS (or in a document referenced from the CPS) the format of Request Tokens it accepts.



3.2.2.4.7 DNS Change



Confirming the Applicant's control over the requested FQDN by confirming the presence of a Random Value or Request Token in a DNS TXT or CAA record for an Authorization Domain Name or an Authorization Domain Name that is prefixed with a label that begins with an underscore character.



If a Random Value is used, the CA or Delegated Third Party SHALL provide a Random Value unique to the certificate request and SHALL not use the Random Value after (i) 30 days or (ii) if the Applicant submitted the certificate request, the timeframe permitted for reuse of validated information relevant to the certificate (such as in Section 3.3.1 of these Guidelines or Section 11.14.3 of the EV Guidelines).



3.2.2.4.8 IP Address



Confirming the Applicant's control over the requested FQDN by confirming that the Applicant controls an IP address returned from a DNS lookup for A or AAAA records for the FQDN in accordance with section 3.2.2.5.



3.2.2.4.9 Test Certificate



Confirming the Applicant's control over the requested FQDN by confirming the presence of a non-expired Test Certificate issued by the CA on the Authorization Domain Name and which is accessible by the CA via TLS over an Authorized Port for the purpose of issuing a Certificate with the same Public Key as in the Test Certificate.



3.2.2.4.10 TLS Using a Random Number



Confirming the Applicant's control over the requested FQDN by confirming the presence of a Random Value within a Certificate on the Authorization Domain Name which is accessible by the CA via TLS over an Authorized Port.



--Motion Ends--



The review period for this ballot shall be a two-week period commencing immediately and closing at 2200 UTC on 15 July 2016. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2200 UTC on 22 July 2016. Votes must be cast by posting an on-list reply to this thread.



A vote in favor of the motion must indicate a clear 'yes' in the response. A vote against must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here: https://cabforum.org/members/



In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor. Quorum is currently ten (10) members; at least ten members must participate in the ballot, either by voting in favor, voting against, or abstaining.
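Added example, placed here after the ballot text: this is my own code, not language from Ballot 169, the Baseline Requirements, or any CA's validation system. It works through the Authorization Domain Name definition (wildcard stripping, optional CNAME target, pruning labels from the left down to the Base Domain Name) and then shows which names methods 3.2.2.4.4 and 3.2.2.4.7 may use for an applied-for FQDN. PUBLIC_SUFFIXES is a constructed stand-in for the public suffix list, the "_pki-validation" label is an assumption (the ballot only requires that the prefix label begin with an underscore), and the DNS answers are constructed, so it runs offline.

```python
"""
Added example (not ballot text and not any CA's validation code): compute the
Authorization Domain Names for an applied-for FQDN as the ballot defines them,
then list the names methods 3.2.2.4.4 and 3.2.2.4.7 may use. PUBLIC_SUFFIXES is
a constructed stand-in for the public suffix list, and "_pki-validation" is an
assumed label: the ballot only requires that the prefix label begin with "_".
"""
from typing import Dict, List, Optional

# Constructed, deliberately tiny stand-in for the public suffix list. A real CA
# must use the full list (and the ballot's www.[gTLD] special case is omitted).
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}

# Local parts permitted by 3.2.2.4.4.
LOCAL_PARTS = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")


def _labels(name: str) -> List[str]:
    return name.lower().rstrip(".").split(".")


def base_domain_name(fqdn: str) -> str:
    """Base Domain Name: the first node left of the public suffix plus the suffix.
    Scanning from the left finds the longest matching suffix first (co.uk before uk)."""
    labels = _labels(fqdn)
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{fqdn!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no public suffix found for {fqdn!r}")


def authorization_domain_names(fqdn: str, cname_target: Optional[str] = None) -> List[str]:
    """Every value the CA may validate for `fqdn`: the name returned by a CNAME
    lookup (if the CA chooses to follow it), with wildcard labels removed from the
    left, then each intermediate value obtained by pruning one label at a time
    from the left, down to and including the Base Domain Name."""
    labels = _labels(cname_target or fqdn)
    while labels and labels[0] == "*":
        labels.pop(0)
    base_len = len(_labels(base_domain_name(".".join(labels))))
    candidates = []
    while len(labels) >= base_len:
        candidates.append(".".join(labels))
        labels.pop(0)
    return candidates


def constructed_emails(adn: str) -> List[str]:
    """3.2.2.4.4: the five permitted local parts at an Authorization Domain Name."""
    return [f"{local}@{adn}" for local in LOCAL_PARTS]


def dns_record_names(adn: str, prefix_label: str = "_pki-validation") -> List[str]:
    """3.2.2.4.7: the ADN itself, or the ADN prefixed with a label beginning with '_'.
    The default label is an assumption, not a name the ballot specifies."""
    if not prefix_label.startswith("_"):
        raise ValueError("prefix label must begin with an underscore")
    return [adn, f"{prefix_label}.{adn}"]


def dns_change_satisfied(fqdn: str, expected: str, records: Dict[str, List[str]]) -> bool:
    """True if `expected` (a Random Value or Request Token) is present in a TXT or
    CAA record at a permitted owner name for some Authorization Domain Name of
    `fqdn`. `records` maps owner name to the record strings the CA resolved."""
    for adn in authorization_domain_names(fqdn):
        for owner in dns_record_names(adn):
            if expected in records.get(owner, []):
                return True
    return False


if __name__ == "__main__":
    # Constructed DNS answers: the token was published one label above the FQDN.
    answers = {"_pki-validation.example.co.uk": ["8f1c2d3e4a5b6c7d8e9f0a1b2c3d"]}
    for adn in authorization_domain_names("www.example.co.uk"):
        print(adn, constructed_emails(adn), dns_record_names(adn))
    print(dns_change_satisfied("www.example.co.uk", "8f1c2d3e4a5b6c7d8e9f0a1b2c3d", answers))
```

The pruning loop is what makes a record at `_pki-validation.example.co.uk` (or a mail to `hostmaster@example.co.uk`) sufficient for `www.example.co.uk`, while a record under a different Base Domain Name never matches. When the CA follows a CNAME, the candidates are derived from the target's labels, not the original name's, so the CA should record which name it actually validated.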




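A second added example, again my own code rather than anything from the ballot or from a CA: it builds a Request Token in the format the note to 3.2.2.4.6 sketches (UTC timestamp YYYYMMDDHHMM followed by the SHA-256 of the PKCS#10 CSR) and then applies the rules from the Request Token definition: the token must be bound to the CSR, a timestamp in the future is invalid, a timestamped token expires after 30 days, and an untimestamped token is single use. It also generates a Random Value with 112 bits of entropy and builds the request for the agreed-upon website change, enforcing the Authorized Port list and the rule that the Required Website Content must not appear in the request itself. The CSR bytes are a constructed placeholder, not a real PKCS#10 request, and the file name under /.well-known/pki-validation is an assumption.

```python
"""
Added example, not part of Ballot 169 or any CA's implementation: a Request
Token in the format sketched in the note to 3.2.2.4.6 (UTC timestamp
YYYYMMDDHHMM followed by the SHA-256 of the PKCS#10 CSR), validated against
the rules in the definition, plus a Random Value generator and the request
check for the agreed-upon website change. CSR is a constructed placeholder,
not a real PKCS#10 request; the file name is an assumption.
"""
import hashlib
import re
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

TS_FMT = "%Y%m%d%H%M"
MAX_AGE = timedelta(days=30)
# Optional 12-digit timestamp, then 64 hex characters of SHA-256.
TOKEN_RE = re.compile(r"^(?P<ts>\d{12})?(?P<digest>[0-9a-f]{64})$")
AUTHORIZED_PORTS = {80, 443, 115, 25, 22}

# Constructed placeholder standing in for the applicant's PKCS#10 CSR bytes.
CSR = (b"-----BEGIN CERTIFICATE REQUEST-----\n"
       b"constructed placeholder, not a real request\n"
       b"-----END CERTIFICATE REQUEST-----\n")


def new_random_value() -> str:
    """Random Value: at least 112 bits of entropy (14 bytes from the OS CSPRNG)."""
    return secrets.token_hex(14)


def make_request_token(csr: bytes, created: Optional[datetime] = None) -> str:
    """Bind the demonstration of control to the CSR via SHA-256. With a
    timezone-aware `created`, the token carries a timestamp; without one it
    is a single-use token."""
    digest = hashlib.sha256(csr).hexdigest()
    if created is None:
        return digest
    return created.astimezone(timezone.utc).strftime(TS_FMT) + digest


class RequestTokenValidator:
    """Applies the Request Token rules from the ballot's definition."""

    def __init__(self) -> None:
        self._consumed = set()  # untimestamped tokens already used once

    def validate(self, token: str, csr: bytes, now: datetime) -> Tuple[bool, str]:
        m = TOKEN_RE.fullmatch(token)
        if not m:
            return False, "malformed token"
        if m.group("digest") != hashlib.sha256(csr).hexdigest():
            return False, "token is not bound to this CSR"
        ts = m.group("ts")
        if ts is None:
            if token in self._consumed:
                return False, "untimestamped token already used"
            self._consumed.add(token)
            return True, "ok (single use, now consumed)"
        created = datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc)
        if created > now:
            return False, "timestamp is in the future"
        if now - created > MAX_AGE:
            return False, "token is older than 30 days"
        return True, "ok"


def is_authorized_port(port: int) -> bool:
    return port in AUTHORIZED_PORTS


def validation_url(adn: str, port: int, content: str, filename: str = "validation.txt") -> str:
    """3.2.2.4.6: fetch under /.well-known/pki-validation on an Authorized Port;
    the Required Website Content must not appear in the request itself."""
    if not is_authorized_port(port):
        raise ValueError(f"port {port} is not an Authorized Port")
    scheme = "https" if port == 443 else "http"
    url = f"{scheme}://{adn}:{port}/.well-known/pki-validation/{filename}"
    if content in url:
        raise ValueError("Required Website Content must not appear in the request")
    return url


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    token = make_request_token(CSR, now - timedelta(days=3))
    validator = RequestTokenValidator()
    print(token, validator.validate(token, CSR, now))
    print(validation_url("example.com", 80, new_random_value()))
```

The timestamp is treated as UTC, matching the `date -u` in the ballot's sample command. A future timestamp is rejected before any age check, and an untimestamped token is burned on first successful use, so the same CSR hash cannot satisfy a second validation without a fresh CSR (which is why the note suggests a challenge password to make otherwise identical CSRs unique).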

-----Original Message-----

From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of Peter Bowen

Sent: Thursday, June 30, 2016 10:03 AM

To: Doug Beattie <doug.beattie at globalsign.com>

Cc: validation (validation at cabforum.org) <validation at cabforum.org>

Subject: Re: [cabf_validation] Ballot 169 changes



I fixed one sentence that had a cut and paste error and merged in ballots passed between  The resulting changes are online at:



https://github.com/cabforum/documents/pull/25/files?short_path=7f6d14a#diff-7f6d14a20e7f3beb696b45e1bf8196f2



I’m going to generate a PDF with the changes and send it around.



For those viewing online using the above link, here are a few tips:



-          A vertical red line on the left means the paragraph has been removed in the revision



-          A vertical green line on the left means the paragraph has been added in the revision



-          When there are changes within a paragraph, removed text is in red and has a strikethrough and new text has green background



-          You can click the gray accordion icon in the middle of the page to show more of the document.  This allows seeing the unchanged text surrounding the changes.



Thanks,

Peter





> On Jun 30, 2016, at 8:15 AM, Doug Beattie <doug.beattie at globalsign.com> wrote:

>

> https://github.com/cabforum/documents/compare/Ballot-169?name=Ballot-169&short_path=7f6d14a#diff-7f6d14a20e7f3beb696b45e1bf8196f2

>

>

> _______________________________________________

> Validation mailing list

> Validation at cabforum.org

> https://cabforum.org/mailman/listinfo/validation



-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/validation/attachments/20160630/2003afef/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Domain Validation Draft 11-21-2015 with PZB 12-16-2015.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 33714 bytes
Desc: Domain Validation Draft 11-21-2015 with PZB
 12-16-2015.docx
Url : https://cabforum.org/pipermail/validation/attachments/20160630/2003afef/attachment-0001.bin 

