[cabfpub] [Ext] .well-known and re-directs

Paul Hoffman paul.hoffman at icann.org
Wed Jul 19 00:20:21 MST 2017


On Jul 18, 2017, at 8:35 PM, Jeremy Rowley via Public <public at cabforum.org> wrote:
> 
> We recently encountered a recurring scenario while using .well-known to validate a certificate. The customer is trying to validate basedomain.com using http://basedomain.com/.well-known/pki-validation/[page]. However, the server redirects this to https://www.basedomain.com/.well-known.pki-valdiation/[page]. Because basedomain.com cannot be used to verify www.basedomain.com, the validation fails. Is this the correct result?

No, definitely not. Their server is misconfigured. RFC 5785 says nothing about redirects, and many of the registered /.well-known/ prefixes do not redirect.

> Or is a returned random value through a re-direct sufficient to verify the base domain? 

If the BRs allow "we got the correct returned random from an unexpected URI", yes. Otherwise, probably not.

--Paul Hoffman
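The check a CA-side validator has to make in the scenario above, as an added example that is not from this thread and not anyone's production code: it classifies a redirect seen while fetching the pki-validation file as same-host, cross-host, or off-path (outside /.well-known/pki-validation/), and walks a constructed table of HTTP responses in place of real network requests. Whether a same-host redirect may be followed is a policy switch here, an assumption for illustration rather than a statement of what the BRs allow.

```python
"""Added example: redirect handling for a /.well-known/pki-validation/ fetch.
Offline simulation; the response tables below are constructed, not captured."""
from urllib.parse import urljoin, urlsplit

WELL_KNOWN_PREFIX = "/.well-known/pki-validation/"
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def classify_redirect(requested_url, location):
    """Resolve a Location header against the requested URL and say what
    following it would mean for the domain being validated.
    Returns (kind, absolute_target) with kind in
    'same-host' | 'cross-host' | 'off-path'."""
    target = urljoin(requested_url, location)  # handles relative Locations
    req, tgt = urlsplit(requested_url), urlsplit(target)
    if not tgt.path.startswith(WELL_KNOWN_PREFIX):
        return "off-path", target          # left the well-known namespace
    if tgt.hostname == req.hostname:        # .hostname is lowercased already
        return "same-host", target          # e.g. http -> https on same name
    return "cross-host", target             # e.g. basedomain.com -> www.basedomain.com


def validate(domain, token, responses, allow_same_host=True, max_redirects=5):
    """Fetch the token file for `domain` from the constructed `responses`
    table {url: (status, headers, body)} and return (ok, reason).
    `allow_same_host` is the assumed policy for redirects that keep the host."""
    url = f"http://{domain}{WELL_KNOWN_PREFIX}{token}.txt"
    for _ in range(max_redirects + 1):
        status, headers, body = responses.get(url, (404, {}, ""))
        if status in REDIRECT_STATUSES:
            kind, target = classify_redirect(url, headers.get("Location", ""))
            if kind == "same-host" and allow_same_host:
                url = target
                continue
            # A cross-host hop would prove control of a different name than
            # the one being validated, so the check stops here and fails.
            return False, f"redirect to {target} ({kind})"
        if status == 200 and body.strip() == token:
            return True, f"token found at {url}"
        return False, f"unexpected response {status} at {url}"
    return False, "too many redirects"


TOKEN = "tok123"  # constructed random value, stands in for the CA's challenge

# Constructed: the misconfiguration described in the thread.
MISCONFIGURED = {
    f"http://basedomain.com{WELL_KNOWN_PREFIX}{TOKEN}.txt":
        (301, {"Location": f"https://www.basedomain.com{WELL_KNOWN_PREFIX}{TOKEN}.txt"}, ""),
    f"https://www.basedomain.com{WELL_KNOWN_PREFIX}{TOKEN}.txt":
        (200, {}, f"{TOKEN}\n"),
}

# Constructed: the same site redirecting to https on the same host name.
SAME_HOST_HTTPS = {
    f"http://basedomain.com{WELL_KNOWN_PREFIX}{TOKEN}.txt":
        (301, {"Location": f"https://basedomain.com{WELL_KNOWN_PREFIX}{TOKEN}.txt"}, ""),
    f"https://basedomain.com{WELL_KNOWN_PREFIX}{TOKEN}.txt":
        (200, {}, f"{TOKEN}\n"),
}

if __name__ == "__main__":
    for name, table in (("misconfigured", MISCONFIGURED), ("same-host https", SAME_HOST_HTTPS)):
        print(name, validate("basedomain.com", TOKEN, table))
```

Running the block prints a failure with the cross-host reason for the thread's scenario and a pass for the same-host redirect; passing `allow_same_host=False` makes the second case fail too, which is the stricter "no redirects at all" reading of the thread.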