[cabf_validation] Method 7, when the CA is involved

Ryan Sleevi sleevi at google.com
Wed Jan 5 17:57:24 UTC 2022


On Thu, Dec 2, 2021 at 3:41 PM Tim Hollebeek via Validation <validation at cabforum.org> wrote:

> As discussed on the November 18th validation subcommittee call,
> I offered to write some text that would clarify the importance
> of binding the request to the customer when doing method 7,
> for CAs that allow DNS delegation to a domain they control.
>
> For the purposes of starting the discussion, what about adding
> the following text to the end of Method 7 (3.2.2.4.7), before
> the ubiquitous Note:
>
> ---
> CAs MAY operate domains for the purpose of assisting customers
> with this validation, and MAY instruct customers to add a CNAME
> redirect from an Authorization Domain Name to such a domain.
> If the CA does so, the CA SHALL ensure that each domain name is
> used for a unique Applicant, and not shared across multiple
> Applicants.
> ---
>
> This at least fixes the urgent problem, which is that some CAs
> might currently be doing this in insecure ways.
>

Just catching up on this post-break: I thought it was understood that CAs
weren't allowed to do what's described above, as it stands in the current
BRs.

The reason is that 3.2.2.4.7 requires that the CA confirm the *Applicant's*
control (the entity that operates the device, per 1.6.1), and the CA doing so
would not be a demonstration of the Applicant's control.

Is this controversial / not well understood? Would people feel equally
comfortable if a customer PBX system simply re-routed an extension back to
a CA? Or, similarly, put the CA as the contact in 3.2.2.4.14?

The issue here is that the entity performing the demonstration of control is
also the entity that is "promoted" to the Subscriber upon issuance. A model
where the CA demonstrated control would be the same as the CA becoming the
Subscriber, right?

Is the argument that the CA is being designated an Applicant
Representative? Doesn't that require explicitly natural (not legal)
persons, and thus similarly limit such automation?

Maybe it'd be easier to help me understand how it's authorized if someone
works from an assumption that "This is forbidden", and then works through
the clauses that make it permissible.
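The CNAME-delegation scenario in the quoted proposal, as an added example that is not part of this thread: a toy model in Python contrasting a CA zone shared by all Applicants with a per-Applicant target name. The `_validation` label, the `ca.example` names, the account ids and the DNS records are all constructed for the illustration.

```python
import hashlib

# Constructed stand-in for live DNS resolution; nothing here is a real zone.
CA_ZONE = "delegated.ca.example"

def applicant_target(applicant_id: str) -> str:
    """Per-Applicant CNAME target: a label derived from the CA account id, so
    a redirect can only satisfy requests made through that one account."""
    label = hashlib.sha256(applicant_id.encode()).hexdigest()[:16]
    return f"{label}.{CA_ZONE}"

def adn(fqdn: str) -> str:
    """The Authorization Domain Name label the Applicant is told to CNAME."""
    return f"_validation.{fqdn}"

def shared_model_check(records: dict, fqdn: str, applicant_id: str) -> bool:
    """The weak model the proposal forbids: one CA zone shared by everyone.
    The CA only confirms the CNAME lands somewhere it controls; applicant_id
    plays no part, so any account can pass validation for this FQDN."""
    target = records.get((adn(fqdn), "CNAME"))
    return target is not None and (
        target == CA_ZONE or target.endswith("." + CA_ZONE))

def bound_model_check(records: dict, fqdn: str, applicant_id: str) -> bool:
    """The model matching the proposed text: the CNAME must point at the name
    issued to this Applicant alone, binding the request to the account."""
    target = records.get((adn(fqdn), "CNAME"))
    return target == applicant_target(applicant_id)

# Constructed zone data: account acct-A redirected its ADN as instructed.
SHARED_RECORDS = {(adn("example.com"), "CNAME"): CA_ZONE}
BOUND_RECORDS = {(adn("example.com"), "CNAME"): applicant_target("acct-A")}

def demo() -> dict:
    """Run both models for the legitimate account and for a second account
    that never touched example.com's DNS."""
    return {
        "shared/owner": shared_model_check(SHARED_RECORDS, "example.com", "acct-A"),
        "shared/other": shared_model_check(SHARED_RECORDS, "example.com", "acct-B"),
        "bound/owner": bound_model_check(BOUND_RECORDS, "example.com", "acct-A"),
        "bound/other": bound_model_check(BOUND_RECORDS, "example.com", "acct-B"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Only the shared model accepts the request from acct-B, which is the binding gap the proposed SHALL clause closes.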