[cabfpub] [cabfquest] Domain Validation Revision

Ben Wilson ben.wilson at digicert.com
Fri Feb 13 20:38:57 UTC 2015


Forwarding from questions list.
From: questions-bounces at cabforum.org [mailto:questions-bounces at cabforum.org] 
On Behalf Of Jacob Hoffman-Andrews
Sent: Friday, February 13, 2015 11:01 AM
To: questions at cabforum.org
Subject: Re: [cabfquest] [cabfpub] Domain Validation Revision
Following up from a thread on cabfpub:

On 02/12/2015 07:08 PM, Ryan Sleevi wrote:

> 8 concerns me for a couple reasons, even though it's moving in the
> right direction.
> - You require HTTPS, but that seems overkill, when you only need to
> perform a TLS handshake. That is, consider a mail server configured
> for SMTP-S - it seems that would be a viable configuration

Agreed. As a concrete example, the ACME spec under discussion at IETF
proposes a challenge type called "Domain Validation with Server Name
Indication," or DVSNI for short:
http://www.ietf.org/id/draft-barnes-acme-01.txt.

We believe that DVSNI allows us to offer a higher level of assurance
than item (6), "making an agreed-upon change to information found on an
online Web page," since some sites allow arbitrary file upload, either
by intent or by accident. We're planning to use it for the Let's Encrypt
CA for that reason, so we'd like to make sure that item (8) allows for
DVSNI.

For example, here is a version of item (8) that we think would work:
Having the Applicant demonstrate practical control over the FQDN by
providing a TLS service on a host found in DNS for the FQDN. The CA
SHALL initiate a TLS connection with that host and verify that the
response contains unique, unguessable information proposed by the CA, in
a well-specified format.

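The exchange that the proposed item (8) wording describes, as an added example that is not part of the original message, the draft, or the Let's Encrypt code: the CA hands the applicant an unguessable nonce, the applicant provisions a TLS service that answers only for a name derived from that nonce, and the CA then initiates a TLS handshake against the host and checks the presented certificate. The name derivation (hex(SHA-256(caNonce || applicantNonce)), split into two 32-character labels under ".acme.invalid"), the loopback listener standing in for "a host found in DNS for the FQDN", and the function names are assumptions made for this illustration; the encoding is modelled loosely on DVSNI and does not reproduce the draft's exact format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// validationName derives the SNI name the CA will ask for. Assumed construction
// (modelled on DVSNI, not copied from the draft): z = hex(SHA-256(caNonce || applicantNonce)),
// split into two 32-character labels so each stays under the 63-octet DNS label limit.
func validationName(caNonce, applicantNonce []byte) string {
	h := sha256.New()
	h.Write(caNonce)
	h.Write(applicantNonce)
	z := hex.EncodeToString(h.Sum(nil))
	return z[:32] + "." + z[32:] + ".acme.invalid"
}

// applicantCert builds the self-signed certificate the applicant serves for name.
func applicantCert(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// serveApplicant stands in for "a host found in DNS for the FQDN": a loopback TLS
// listener that only completes a handshake when the ClientHello's SNI equals name.
func serveApplicant(name string) (net.Listener, error) {
	cert, err := applicantCert(name)
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{GetCertificate: func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if hi.ServerName != name {
			return nil, errors.New("no certificate for that SNI name")
		}
		return &cert, nil
	}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln, nil
}

// caProbe plays the CA: initiate a TLS handshake to addr asking for name and require
// that the presented leaf certificate carries exactly that name. The name check is done
// here, not by the TLS stack, because the certificate is self-signed by design.
func caProbe(addr, name string) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: name, InsecureSkipVerify: true})
	if err != nil {
		return err
	}
	defer conn.Close()
	for _, dn := range conn.ConnectionState().PeerCertificates[0].DNSNames {
		if dn == name {
			return nil
		}
	}
	return fmt.Errorf("leaf certificate does not carry %s", name)
}

// Exchange runs one full validation on loopback. The applicant provisions for the name
// derived from (caNonce, applicantNonce); the CA probes with probeNonce in place of
// caNonce. A refused handshake or a wrong name both count as "not validated".
func Exchange(caNonce, applicantNonce, probeNonce []byte) (bool, error) {
	ln, err := serveApplicant(validationName(caNonce, applicantNonce))
	if err != nil {
		return false, err
	}
	defer ln.Close()
	return caProbe(ln.Addr().String(), validationName(probeNonce, applicantNonce)) == nil, nil
}

func main() {
	caNonce, applicantNonce := make([]byte, 32), make([]byte, 32) // constructed nonces
	rand.Read(caNonce)
	rand.Read(applicantNonce)
	ok, err := Exchange(caNonce, applicantNonce, caNonce)
	fmt.Println("correct nonce accepted:", ok, err)
	ok, err = Exchange(caNonce, applicantNonce, []byte("guess"))
	fmt.Println("guessed nonce accepted:", ok, err)
}
```

The point of the negative run is the property the proposed text asks for: a host that cannot produce the nonce-derived name (because it never received the CA's unguessable value) gets no certificate from the SNI callback, the handshake fails, and the CA treats that as a failed demonstration of control rather than an error to retry. Nothing here depends on HTTP, so the same check works against a mail server or any other TLS endpoint on the host.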