[cabfpub] [Ext] .well-known and re-directs
paul.hoffman at icann.org
Wed Jul 19 00:20:21 MST 2017
On Jul 18, 2017, at 8:35 PM, Jeremy Rowley via Public <public at cabforum.org> wrote:
> We recently encountered a reoccurring scenario while using .well-known to validate a certificate. The customer is trying to validate basedomain.com using http://basedomain.com/.well-known/pki-validation/[page]. However, the server redirects this to https://www.basedomain.com/.well-known.pki-valdiation/[page]. Because basedomain.com cannot be used to verify www.basedomain.com, the validation fails. Is this the correct result?
No, definitely not. Their server is misconfigured. RFC 5785 says nothing about redirects, and many of the registered /.well-known/ prefixes do not redirect.
> Or is a returned random value through a re-direct sufficient to verify the base domain?
If the BRs allow "we got the correct returned random from an unexpected URI", yes. Otherwise, probably not.