[cabf_validation] [EXT] Re: Ballot 190

Fri May 5 15:20:30 MST 2017

Yes, as written this is true.  However I don’t think we should allow 6, 9, or 10 to be used for subdomains, as they only demonstrate control of a single host.

> On May 5, 2017, at 12:56 PM, Steve Medin <Steve_Medin at symantec.com> wrote:
> 
> ADN isn’t necessarily a namespace, it can be assigned an IP and serve for all subdomains under it in 6, 9, and 10. Same with BDN.
>  
>  
> From: Validation [mailto:validation-bounces at cabforum.org <mailto:validation-bounces at cabforum.org>] On Behalf Of Peter Bowen via Validation
> Sent: Thursday, May 04, 2017 8:48 PM
> To: CA/Browser Forum Validation WG List <validation at cabforum.org <mailto:validation at cabforum.org>>
> Cc: Peter Bowen <pzb at amzn.com <mailto:pzb at amzn.com>>
> Subject: [EXT] Re: [cabf_validation] Ballot 190
>  
> Jeremy,
>  
> While your table is correct according to 190, I think it points out we got things wrong in a few places.
>  
> 6, 9, and 10 should probably be FQDN-only, as they only demonstrate control of a single host, not domain namespace.  8 should stay FQDN only.
>  
> I think the DAD already covers base domain/authorization domain implicitly, as the document could easily say “Applicant Y is authorized to request certificates for example.com <http://example.com/> and all FQDNs below example.com <http://example.com/>.”
>  
> The definitions have: "Domain Contact: The Domain Name Registrant, technical contact, or administrative contract (or the equivalent under a ccTLD) as listed in the WHOIS record of the Base Domain Name or in a DNS SOA record.”
>  
> This seems to say Base Domain is the only acceptable thing for 1, 2, and 3.
>  
> Does that make sense?
>  
> Thanks,
> Peter
>  
>  
>  
> On May 4, 2017, at 3:39 PM, Jeremy Rowley via Validation <validation at cabforum.org <mailto:validation at cabforum.org>> wrote:
>  
> For 1-3, the method permits you verify with a Domain Contact. The Domain Contact is defined as one at the FQDN or base level.  No authorization domain is permitted in the definition. 
>  
> DAD cannot be used for Authorization Domain or Base Domain. The method specifically says FQDN. 
>  
> I bring this up because I thought we permitted Authorization Domain in more places.  Just making sure it was intentionally to exclude it in several places.
>   <>
> From: Doug Beattie [mailto:doug.beattie at globalsign.com <mailto:doug.beattie at globalsign.com>] 
> Sent: Thursday, May 4, 2017 2:11 PM
> To: CA/Browser Forum Validation WG List <validation at cabforum.org <mailto:validation at cabforum.org>>
> Cc: Jeremy Rowley <jeremy.rowley at digicert.com <mailto:jeremy.rowley at digicert.com>>
> Subject: RE: Ballot 190
>  
> Why do you have FQDN checked for 1-3?  I think you’d only do FQDN level validation if you also allow Authorization domain.
>  
> Can a DAD be used for Authorization domain and base domain?  Not sure.
> 
> See comments below.
> 
> Doug
>  
>  
> Method
> FQDN
> Authorization Domain
> Base Domain
> 1. Domain Contact – This method relies on the definition of Domain Contact which specifies the WHOIS person either at the FQDN or base domain. 
> X
>  
> X
> 2. WHOIS Email – Only permits email to domain contact, but one of the sentences mentions Authorization Domain? 
> X
>  
> X
> 3. WHOIS Phone – Same as Email
> X
>  
> X
> 4. Constructed Email – sending the email to authorization domain
> X
> X
> X
> 5. Domain Document 
> X
> X?
> X?
> 6. Agreed-Upon Change – Authorization domain specifically mentioned
> X
> X
> X
> 7. DNS Change – Authorization domain name is mentioned but also permits underscore
> X
> X
> X
> 8. IP Address – No Authorization domain mentioned
> X
>  
>  
> 9. Test Cert – Authorization domain mentioned
> X
> X
> X
> 10. TLS Using a Random Number – Authorization Domain mentioned
> X
> X
> X
>  
> Doug
>  
> From: Validation [mailto:validation-bounces at cabforum.org <mailto:validation-bounces at cabforum.org>] On Behalf Of Jeremy Rowley via Validation
> Sent: Thursday, May 4, 2017 3:46 PM
> To: CA/Browser Forum Validation WG List <validation at cabforum.org <mailto:validation at cabforum.org>>
> Cc: Jeremy Rowley <jeremy.rowley at digicert.com <mailto:jeremy.rowley at digicert.com>>
> Subject: [cabf_validation] Ballot 190
>  
> I wanted to make sure that I’m implementing the methods correctly. For each FQDN you can verify the FQDN using the FQDN, an Authorization Domain, or Base Domain, as specified in the method. Going through the methods, it looks like the verification listed in the table below is permitted. Is this everyone else’s understanding? 
>  
> Method
> FQDN
> Authorization Domain
> Base Domain
> 1. Domain Contact – This method relies on the definition of Domain Contact which specifies the WHOIS person either at the FQDN or base domain. 
> X
>  
> X
> 2. WHOIS Email – Only permits email to domain contact, but one of the sentences mentions Authorization Domain? 
> X
>  
> X
> 3. WHOIS Phone – Same as Email
> X
>  
> X
> 4. Constructed Email – sending the email to authorization domain
> X
> X
> X
> 5. Domain Document 
> X
>  
>  
> 6. Agreed-Upon Change – Authorization domain specifically mentioned
> X
> X
> X
> 7. DNS Change – Authorization domain name is mentioned but also permits underscore
> X
> X
> X
> 8. IP Address – No Authorization domain mentioned
> X
>  
>  
> 9. Test Cert – Authorization domain mentioned
> X
> X
> X
> 10. TLS Using a Random Number – Authorization Domain mentioned
> X
> X
> X
>  
>  
> Example, 
>  
> FQDN: Secure.mail.example.com <http://secure.mail.example.com/>
> Method
> Permitted Validation Domains
> 1. Domain Contact 
> Secure.mail.example.com <http://secure.mail.example.com/>; Example.com <http://example.com/>
> 2. WHOIS Email
> Secure.mail.example.com <http://secure.mail.example.com/>; Example.com <http://example.com/>
> 3. WHOIS Phone
> Secure.mail.example.com <http://secure.mail.example.com/>; Example.com <http://example.com/>
> 4. Constructed Email
> Secure.mail.example.com <http://secure.mail.example.com/>; mail.example.com <http://mail.example.com/>; Example.com <http://example.com/>
> 5. Domain Document
> Secure.mail.example.com <http://secure.mail.example.com/>
> 6. Agreed-Upon Change
> Secure.mail.example.com <http://secure.mail.example.com/>; mail.example.com <http://mail.example.com/>; Example.com <http://example.com/>
> 7. DNS Change
> Secure.mail.example.com <http://secure.mail.example.com/>; mail.example.com <http://mail.example.com/>; Example.com <http://example.com/> _{value}.Secure.mail.example.com <http://secure.mail.example.com/>; _{value}.mail.example.com <http://mail.example.com/>; _{value}.Example.com <http://example.com/>
> 8. IP Address
> Secure.mail.example.com <http://secure.mail.example.com/>
> 9. Test Certificate
> Secure.mail.example.com <http://secure.mail.example.com/>; mail.example.com <http://mail.example.com/>; Example.com <http://example.com/>
> 10. TLS w/ Random Number
> Secure.mail.example.com <http://secure.mail.example.com/>; mail.example.com <http://mail.example.com/>; Example.com <http://example.com/>
>  
>  
>  
> _______________________________________________
> Validation mailing list
> Validation at cabforum.org <mailto:Validation at cabforum.org>
> https://cabforum.org/mailman/listinfo/validation <https://clicktime.symantec.com/a/1/UtksfQeTsEF2xACryRORa3vgeOXKpCHRuaNhBSqcSMo=?d=_7bPmtjqvkgTjDIuyu7c3tF6xrXA4UB5sg25DA3bST8oMEtO-DkvFX_m2jhVZK8q_AZjogI96LZOzfFw6clmZi5vyvtrThcaOAbaRRcBeGYHawGSXRDIuSDcyxI0Yb1GiNe3qpOtEYXTu5AEsOmufX0NM7hF3mpz2Vo8lbVKiSRBjl0G-Sv3PUlYW7Lvye7FVgzkWff5ui08PCV-1MxF_veL9G6qtyujQY28PoCEt6tVbX3O-zZ8RhMKkevh4waOXKiuMMuo7KIGvobX_JQoxFAJ-c6H--EG66Lp3q2zX8TBflQinNvWrntolhxQVCpRuhnpzrFvifU24VZ9DY33uRKfSWoRQrhTLfIP4cgxjknntdo91KymVwL7RH6AYev7&u=https%3A%2F%2Fcabforum.org%2Fmailman%2Flistinfo%2Fvalidation>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20170505/028b0500/attachment-0001.html>