[cabfpub] Pre-Ballot 169: Revised Validation Requirements

Ryan Sleevi sleevi at google.com
Fri Apr 29 23:28:55 UTC 2016 

A previous suggestion from the public was to explicitly only allow
successful (200) results. Allowing 301 is arguably equally problematic.

On Fri, Apr 29, 2016 at 4:14 PM, Peter Bowen <pzb at amzn.com> wrote:

> Jeremy,
>
> I’ve found a possible vulnerability with 3.2.2.4.6. Agreed-Upon Change to
> Website.  If the Random Value or Request Token is contained in the URI
> path, then certain websites will return it in the meta tag of the resulting
> page.  The pattern I found on a real website is:
>
> Request
> http://www.example.com/.well-known/pki-validation/06ca919e1b1cf100e97fc2215c036a8c817f4443aa0afe5ca1a63db973a09e4b
> Returns 301 with Location:
> /search?q=.well-known%2Fpki-validation%2F06ca919e1b1cf100e97fc2215c036a8c817f4443aa0afe5ca1a63db973a09e4b
> Request
> http://www.example.com/search?q=.well-known%2Fpki-validation%2F06ca919e1b1cf100e97fc2215c036a8c817f4443aa0afe5ca1a63db973a09e4b
> Returns 200 with a page containing:
> <meta property="og:title"
> content=".well-known/pki-validation/06ca919e1b1cf100e97fc2215c036a8c817f4443aa0afe5ca1a63db973a09e4b:
> Search Results from Example">
> <meta property="og:url" content="
> http://www.example.com/search?q=.well-known%2Fpki-validation%2F06ca919e1b1cf100e97fc2215c036a8c817f4443aa0afe5ca1a63db973a09e4b
> ”>
>
> I think this method needs to be updated to preclude the CA from using a
> URL containing the Random Value or Request Token.
>
> Thanks,
> Peter
>
> > On Apr 26, 2016, at 2:40 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
> wrote:
> >
> > Below (and attached) are the revised validation requirements. I’m
> looking for two endorsers.
> >
> > 3.2.2.4.6. Agreed-Upon Change to Website
> > Confirming the Applicant's control over the requested FQDN by confirming
> the presence of a Random Value or Request Token (contained in the content
> of a file or on a web page in the form of a meta tag) under the
> "/.well-known/pki-validation" directory, or another path registered with
> IANA for the purpose of Domain Validation, on the Authorization Domain Name
> that can be validated over an Authorized Port.
> >
> > If a Random Value is used, the CA or Delegated Third Party SHALL provide
> a Random Value unique to the certificate request and SHALL not use the
> Random Value after the longer of (i) 30 days or (ii) if the Applicant
> submitted the certificate request, the timeframe permitted for reuse of
> validated information relevant to the certificate (such as in Section 3.3.1
> of these Guidelines or Section 11.14.3 of the EV Guidelines)
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160429/852f0204/attachment-0003.html>

More information about the Public mailing list