[cabf_validation] Validation methods used for Wildcards/ADNs

Ryan Sleevi sleevi at google.com
Wed Feb 3 20:35:15 UTC 2021


On Wed, Feb 3, 2021 at 3:00 PM Doug Beattie <doug.beattie at globalsign.com>
wrote:

> Ryan,
>
> There’s a discussion about DNS delegation and the dangers CAs could get
> into if they behave inappropriately here:
>
> https://groups.google.com/g/mozilla.dev.security.policy/c/lT0Dd9XkPwI/m/TRFhrX52AAAJ
>
> If we can come up with some guidance or new method that enables CA/hosting
> providers/other 3rd parties to publish the random values in the CNAMEd
> destination without introducing massive security problems, then we have a
> method that we can provide customers to ease the deprecation of the HTTP
> method. Basically, for a specific customer account within a specific CA,
> they can create a subdomain CNAME to a DNS zone controlled by the CA and
> the domain will never expire for them (for their account), until such time
> that they migrate from that CA or change accounts. The CA needs to check
> that the request coming in is from that account (Applicant) for this to
> work. That’s really automated and customer friendly. This type of method
> gets us closer to your stated ultimate goal of doing domain validation
> every week/day/issuance.
>
> Is that all we need to say on this topic? Unlikely…
>

Doug,

Thanks, this is helpful for providing context. If I'm understanding
correctly, you're concerned about removing HTTP-01, without offering a
similar method that doesn't require touching DNS? Is that right?

I think the mention of the goal of domain lifetime reduction, most recently
last raised by Mozilla rather than Google, is still a very important goal,
and good progress to be made. However, it's not clear to me that we need
to, or should, block the removal of known-problematic HTTP-style validation
of subdomains/wildcards, especially when we know that there are
particularly thorny and problematic issues with the delegation that will
take time to resolve.

I realize that this may seem like "Yes, it's better to make some folks
unhappy now, by requiring them to change, and then later make them happy".
And, yes, it's very much that we want to close the security hole here, and
then carefully work and collaborate to figure out if there's a less-risky
alternative.

Again, this is where the long-standing request for data comes in: the data
which CAs have, since Ballot 169, been expected to keep readily at hand
would help us gauge whether we're not adequately considering things. I think it's
reasonable for CAs to want to keep their customers happy, and it's very
much a goal to promote more automation. But if the opposition is because it
will make too many customers unhappy, or require too much effort to change,
then I think we'd need to see data backing up that statement, so we can
consider it. But, at present, it does not seem that we need to, nor do we
plan to, wait to "solve" the thorny CNAME issue before we address the real
issue of sub-domain authorization without adequate proof of control or
authorization.
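An added illustration, not from this thread nor any CA's actual code, of the account-binding check Doug's message says the CA must perform: a CNAME delegation into the CA's own zone is only relied upon when the chain terminates at the name reserved for the requesting account. The zone name, label, account naming scheme, wildcard handling and the in-memory DNS table are all assumptions.

```python
import enum

class Outcome(enum.Enum):
    OK = "ok"                        # delegated to this account: safe to rely on
    NOT_DELEGATED = "not-delegated"  # no CA delegation: use the ordinary DNS method
    WRONG_ACCOUNT = "wrong-account"  # delegated to someone else's account: never issue
    BAD_CHAIN = "bad-chain"          # CNAME loop or over-long chain: treat as failure

CA_ZONE = "validation.ca.example"    # assumed CA-controlled zone
LABEL = "_ca-validation"             # assumed label the CA looks up under the domain

# Constructed stand-in for the DNS (name -> CNAME target); no live lookups happen.
CNAME_RECORDS = {
    "_ca-validation.example.com.": "acct-1234.validation.ca.example.",
    "_ca-validation.other.test.": "acct-9999.validation.ca.example.",
    "_ca-validation.loop.test.": "_ca-validation.loop.test.",
}

def canon(name):
    """Lower-case and append the trailing dot so name comparisons are exact."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def follow_cnames(name, max_hops=8):
    """Follow the CNAME chain; return the terminal name, or None on a loop/too long."""
    seen = []
    while name in CNAME_RECORDS:
        if name in seen or len(seen) >= max_hops:
            return None
        seen.append(name)
        name = canon(CNAME_RECORDS[name])
    return name

def account_name(account_id):
    """The single name in the CA zone that belongs to this account (assumed layout)."""
    return canon(f"acct-{account_id}.{CA_ZONE}")

def check_delegation(fqdn, account_id):
    """Decide whether fqdn's validation label is delegated to *this* account."""
    base = fqdn[2:] if fqdn.startswith("*.") else fqdn  # wildcard -> parent (assumed)
    target = follow_cnames(canon(f"{LABEL}.{base}"))
    if target is None:
        return Outcome.BAD_CHAIN
    if not target.endswith("." + canon(CA_ZONE)):
        return Outcome.NOT_DELEGATED
    if target != account_name(account_id):
        return Outcome.WRONG_ACCOUNT  # the check the thread says the CA must make
    return Outcome.OK
```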