[cabfpub] Ballot 169 - Revised Validation Requirements

Geoff Keating geoffk at apple.com
Fri Jul 22 18:30:44 UTC 2016


> On 22 Jul. 2016, at 11:06 am, Ben Wilson <ben.wilson at digicert.com> wrote:
> 
> The Random Value SHALL remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values, in which case the CA. 

I think this sentence was intended to have a few more words at the end?

> 3.2.2.4.6 Agreed-Upon Change to Website
> 3.2.2.4.9 Test Certificate
etc.

These allow someone to validate something.example.com if they have control over http://example.com. In particular, they allow validation of shop.example.com if an attacker has access to a non-SSL website at www.example.com which is also example.com. This is a common layout and this ability might be surprising to some website operators. I can see reasons for needing this, and it doesn’t prevent me voting yes on this proposal (because the current text is worse!), but I would like to highlight it as something to work on for the future. For example, perhaps in future we can require HTTPS for 3.2.2.4.6 unless the authorization domain name is the same as the requested domain name.

Overall, I support this proposal as written, and I thank the WG for their effort!
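
The restriction suggested in the message above for 3.2.2.4.6, as an added example that is not part of the original message or of the ballot text: it compares the behaviour described (validation of a subdomain through a plain-HTTP parent) with the stricter rule. The function names, the `require_https_for_parent` flag and the sample URLs are assumptions, and the authorization domain name is modelled as the requested name with zero or more leading labels pruned.

```python
from urllib.parse import urlsplit


def _norm(host):
    # Compare hostnames case-insensitively and without a trailing root dot.
    return host.rstrip(".").lower()


def is_authorization_domain(requested_fqdn, host):
    """True if host is the requested FQDN or a parent of it, matched on
    label boundaries (never by substring)."""
    req, host = _norm(requested_fqdn), _norm(host)
    # Assumption: single-label hosts (bare TLDs) are rejected outright.
    # A real implementation would consult a public suffix list here.
    if "." not in host:
        return False
    return req == host or req.endswith("." + host)


def check_validation_url(requested_fqdn, url, require_https_for_parent=False):
    """Decide whether a website-change check fetched from `url` may be used
    to validate `requested_fqdn`. Returns (accepted, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return (False, "unsupported URL")
    if not is_authorization_domain(requested_fqdn, parts.hostname):
        return (False, "host is not an authorization domain name")
    same_name = _norm(parts.hostname) == _norm(requested_fqdn)
    # Hypothetical stricter rule: plain HTTP is acceptable only when the
    # host checked is exactly the name that will appear in the certificate.
    if require_https_for_parent and not same_name and parts.scheme != "https":
        return (False, "HTTPS required when validating via a parent domain")
    return (True, "ok")


if __name__ == "__main__":
    # Constructed sample inputs.
    for url in ("http://example.com/file.txt",
                "https://example.com/file.txt",
                "http://shop.example.com/file.txt"):
        print(url,
              check_validation_url("shop.example.com", url),
              check_validation_url("shop.example.com", url, True))
```
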