[cabf_validation] Domain Validation Update

Jeremy Rowley jeremy.rowley at digicert.com
Mon Mar 28 15:54:11 MST 2016


What if we dropped “Verification by” since every single heading has it?

 

From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of Doug Beattie
Sent: Thursday, March 24, 2016 11:05 AM
To: validation at cabforum.org
Subject: Re: [cabf_validation] Domain Validation Update

 

Based on today’s call, I updated the proposed section headings for your consideration.  

 

Jeremy – do you want to add these to the next version of the ballot?

 

3.2.2.4.1   Verification by validating Applicant is a Domain Contact <not awesome, open to ideas>

3.2.2.4.2   Verification by Domain Contact using a random number 

3.2.2.4.3   Verification by Domain Contact using phone

3.2.2.4.4   Verification by Domain Name based constructed emails

3.2.2.4.5   Verification by DAD

3.2.2.4.6   Verification by agree upon web site change

3.2.2.4.7   Verification by agreed upon DNS change

3.2.2.4.8   Verification by IP address

3.2.2.4.9   Verification by Test Certificate

3.2.2.4.10   Verification by Random Number in a certificate <not Certificate, not Test Certificate, but just a self-signed(?) certificate?  I defer to the ACME experts.

 

Doug

 

 

 

From:  <mailto:validation-bounces at cabforum.org> validation-bounces at cabforum.org [ <mailto:validation-bounces at cabforum.org> mailto:validation-bounces at cabforum.org] On Behalf Of Doug Beattie
Sent: Friday, March 11, 2016 3:40 PM
To: Peter Bowen < <mailto:pzb at amzn.com> pzb at amzn.com>
Cc:  <mailto:validation at cabforum.org> validation at cabforum.org
Subject: Re: [cabf_validation] Domain Validation Update

 

Sure, try this:

 

1.       Verify the Applicant is <the new term for Registrant, technical or admin contact>

2.       Send Random value via email, fax, SMS or postal mail to  <that same new term>

3.       Call the <same new term>

4.       Send Random Number to one of the 5 approved constructed email address

5.       Use a Domain Authorization Document

6.       Make agreed upon change to web site

7.       Make agreed upon change to DNS TXT or CAA record

8.       Verify IP address control

9.       Use a Test Certificate

10.   Use a Random Number in a Certificate

 

Doug

 

From: Peter Bowen [ <mailto:pzb at amzn.com> mailto:pzb at amzn.com] 
Sent: Friday, March 11, 2016 2:48 PM
To: Doug Beattie < <mailto:doug.beattie at globalsign.com> doug.beattie at globalsign.com>
Cc: Jeremy Rowley < <mailto:jeremy.rowley at digicert.com> jeremy.rowley at digicert.com>;  <mailto:validation at cabforum.org> validation at cabforum.org
Subject: Re: [cabf_validation] Domain Validation Update

 

I think putting heading on the methods is not a bad idea.  Anyone want to take a shot proposing a title for each?

 

On Mar 11, 2016, at 6:19 AM, Doug Beattie <doug.beattie at globalsign.com <mailto:doug.beattie at globalsign.com> > wrote:

 

Sure, that works.  Looks like our ballot need to include a change to EVGL, so we should add that to the end of the current document/proposed ballot.

 

I mentioned this before, but with the long list of complicated domain validation options, I think each one should be in a numbered subsection under 3.2.2.4, what do others think?

 

Also, we might want to number the paragraphs in some of the longer options, like methods 2 and 4, so everyone can more easily reference the specific items.

 

From: Peter Bowen [ <mailto:pzb at amzn.com> mailto:pzb at amzn.com] 
Sent: Friday, March 11, 2016 9:14 AM
To: Doug Beattie < <mailto:doug.beattie at globalsign.com> doug.beattie at globalsign.com>
Cc: Jeremy Rowley < <mailto:jeremy.rowley at digicert.com> jeremy.rowley at digicert.com>;  <mailto:validation at cabforum.org> validation at cabforum.org
Subject: Re: [cabf_validation] Domain Validation Update

 

EV currently says: "using a procedure specified in Section 3.2.2.4 of the Baseline Requirements, except that a CA MAY NOT verify a domain using the procedure described subsection 3.2.2.4(7)”.

 

With the removal of (7) and insertion of other methods, the EV guidelines are going to need updating anyway.  EV can be updated to say “using at least one of the methods specified in BR 3.2.2.4” and then make it own reuse statement.  For example:

 

11.7.1 Verification Requirements

 


(1) The CA SHALL confirm that, as of the date the Certificate issues, either the CA or a Delegated Third Party has confirmed, for each Fully-Qualified Domain Name (FQDN) in the Certificate, the authority of the Applicant to receive a Certificate containing the FQDN using at least one of the methods specified in the Baseline Requirements section 3.2.2.4 or via the method described in Appendix F.  The method in Appendix F shall only be used when the right most label in the FQDN is “onion”.

Completed confirmations of Applicant authority may be valid for the issuance of multiple certificates over time.  In all cases, the confirmation must have been initiated no more than 13 months prior to certificate issuance.

For purposes of domain validation, the term Applicant includes the Applicant’s Parent Company, Subsidiary Company, or Affiliate.

 

 

On Mar 11, 2016, at 6:06 AM, Doug Beattie < <mailto:doug.beattie at globalsign.com> doug.beattie at globalsign.com> wrote:

 

EV references this same section and they are limited to reusing the data to 13 months and up to 27 months for reissue, so this gets a bit complicated if we need to call out durations in this section.

 

 

From:  <mailto:validation-bounces at cabforum.org> validation-bounces at cabforum.org [ <mailto:validation-bounces at cabforum.org> mailto:validation-bounces at cabforum.org] On Behalf Of Peter Bowen
Sent: Friday, March 11, 2016 9:03 AM
To: Jeremy Rowley < <mailto:jeremy.rowley at digicert.com> jeremy.rowley at digicert.com>
Cc:  <mailto:validation at cabforum.org> validation at cabforum.org
Subject: Re: [cabf_validation] Domain Validation Update

 

I suggest we change the introduction (lines A & B) to read

 


3.2.2.4. Authorization by Domain Name Registrant


The CA SHALL confirm that, as of the date the Certificate issues, either the CA or a Delegated Third Party has confirmed, for each Fully-Qualified Domain Name (FQDN) in the Certificate, the authority of the Applicant to receive a Certificate containing the FQDN using at least one of the methods listed below.

Completed confirmations of Applicant authority may be valid for the issuance of multiple certificates over time.  In all cases, the confirmation must have been initiated no more than 39 months prior to certificate issuance.

For purposes of domain validation, the term Applicant includes the Applicant’s Parent Company, Subsidiary Company, or Affiliate.





There has been lots of discussion about the model where a CA validates domain authorization prior to receiving a specific certificate request.  I think that this revised text should assist in clarifying the situation.  It also make it very clear that the 39 month re-use rule applies to domain authorizations, rather than having to infer it based on the text in "Identification and Authentication for Routine Re‐key”.

 

Thanks,

Peter

 

 

On Mar 10, 2016, at 9:34 PM, Jeremy Rowley < <mailto:jeremy.rowley at digicert.com> jeremy.rowley at digicert.com> wrote:

 

Here’s the updated domain validation draft based on today’s discussion (and a couple of attempts to clarify items of confusion).  I look forward to the comments.

<Domain Validation Draft (3-11-2016).docx>_______________________________________________
Validation mailing list
 <mailto:Validation at cabforum.org> Validation at cabforum.org
 <https://cabforum.org/mailman/listinfo/validation> https://cabforum.org/mailman/listinfo/validation

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/validation/attachments/20160328/22e1d23d/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4964 bytes
Desc: not available
Url : https://cabforum.org/pipermail/validation/attachments/20160328/22e1d23d/attachment-0001.bin 


More information about the Validation mailing list