[cabf_validation] 190 definitions

Rick Andrews Rick_Andrews at symantec.com
Thu Jul 13 10:57:06 MST 2017


Peter, thanks for working on this. I know you sent this during our call this
morning and we discussed enhancements to it. But reading it now (I was on
the road during the call) I want to point out some things:

 

-          The definition describes the ADN as a single name ("any name"),
and that's how we think about it ("what was the ADN we used to validate that
Domain Name?"). But the text in 3.2.2.4 describes ADN as a set. Maybe I'm
splitting hairs, but do we need separate terms for the set of possible names
to check, and the single one that ultimately was used for validation?

-          In 3.2.2.4 number 2, you left out "zero or more" Domain Labels
and I think you need that. It's possible that the ADN=Domain Name.

-          In 3.2.2.4 number 3, t's not clear to me if the CA must check for
CNAMEs at each possible ADN. The text below seems to say that CNAMEs should
be checked only at the Domain Name.

 

-Rick

 

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Peter
Bowen via Validation
Sent: Thursday, July 13, 2017 8:27 AM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: [cabf_validation] 190 definitions

 

Authorization Domain Name: Any name from the set of Fully-Qualified Domain
Names derived from a Requested Domain Name using the rules described in
section 3.2.2.4.

In 3.2.2.4:

Authorization Domain Names are the set of names created from a Domain Name
using the following rules:

1.      If the Domain Name is a Wildcard Domain Name, Authorization Domain
Names include the Authorizations Domain Names for the FQDN portion of the
Wildcard Domain Name.

2.      If the Domain Name is a Fully-Qualified Domain Name, Authorization
Domain Names include each Domain Name created by pruning Domain Labels from
the Domain Name from left to right until encountering a Base Domain Name. 

3.      If a DNS lookup for CNAME records for the Domain Name returns a
FQDN, Authorization Domain Names include the Authorizations Domain Names for
the returned FQDN.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20170713/c43cfc52/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5724 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/validation/attachments/20170713/c43cfc52/attachment-0001.p7s>


More information about the Validation mailing list