[cabf_validation] Method 7, when the CA is involved

Tim Hollebeek tim.hollebeek at digicert.com
Thu Dec 2 20:41:40 UTC 2021

As discussed on the November 18th validation subcommittee call, I offered to write some text that would clarify the importance of binding the request to the customer when doing method 7, for CAs that allow DNS delegation to a domain they control.


For the purposes of starting the discussion, what about adding the following text to the end of Method 7 (, before the ubiquitous Note:



CAs MAY operate domains for the purpose of assisting customers with this validation, and MAY instruct customers to add a CNAME redirect from an Authorization Domain Name to such a domain. If the CA does so, the CA SHALL ensure that each domain name is used for a unique Applicant, and not shared across multiple




This at least fixes the urgent problem, which is that some CAs might currently be doing this in insecure ways.
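
The binding that the proposed text asks for can be sketched as a CA-side check. This is an added example, not part of the original message and not any CA's implementation. The zone `dcv.ca.example`, the `_dcv` label, the applicant identifiers and the dictionary standing in for DNS lookups are constructed assumptions.

```python
import secrets

CA_ZONE = "dcv.ca.example"  # hypothetical CA-operated validation zone


class DelegationRegistry:
    """Maps each CA-operated delegation name to exactly one Applicant."""

    def __init__(self):
        self._owner = {}         # delegation name -> applicant id
        self._by_applicant = {}  # applicant id -> delegation name

    def allocate(self, applicant_id):
        """Return the Applicant's own delegation name, creating it on first use."""
        if applicant_id not in self._by_applicant:
            name = f"{secrets.token_hex(16)}.{CA_ZONE}"
            self._owner[name] = applicant_id
            self._by_applicant[applicant_id] = name
        return self._by_applicant[applicant_id]

    def bound_to(self, applicant_id, cname_target):
        """True only if the CNAME target belongs to the requesting Applicant."""
        return self._owner.get(cname_target.rstrip(".").lower()) == applicant_id


def check_request(registry, applicant_id, adn, cname_records):
    """Decide whether a Method 7 request may rely on CNAME delegation.

    cname_records is a constructed stand-in for a DNS lookup: it maps an
    owner name to its CNAME target.
    """
    target = cname_records.get(adn.rstrip(".").lower())
    if target is None:
        return False, "no CNAME at Authorization Domain Name"
    if not registry.bound_to(applicant_id, target):
        return False, "CNAME target is not bound to this Applicant"
    return True, "ok"


def demo():
    reg = DelegationRegistry()
    name_a = reg.allocate("applicant-A")
    name_b = reg.allocate("applicant-B")
    # Constructed record: the domain owner delegated to applicant A's name.
    dns = {"_dcv.shop.example": name_a}
    return (check_request(reg, "applicant-A", "_dcv.shop.example", dns),
            check_request(reg, "applicant-B", "_dcv.shop.example", dns),
            name_a != name_b)
```

With one delegation name shared by every customer, the second check could not tell the two Applicants apart, which is the case the SHALL clause rules out.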


