[cabfpub] Random value reuse

Jeremy Rowley jeremy.rowley at digicert.com
Wed Jul 26 04:20:44 UTC 2017


An interesting question came up today in connection with random values used
for validation. Methods 2, 4, 6, 7, and 10 permit use of random values.
Methods 2 and 4 require a unique random value per email. Methods 6, 7, and
10 do not require unique random values per request for the random value.
Some customers would like to use the same random value across multiple
methods (methods 2, 6, and 7), having us look for the first instance of the
random value, or across multiple domains. Methods 6 and 7 require a unique
random value per certificate request, not per domain. This means that the
same Random Value can appear in multiple DNS records at once to confirm
control.
The questions raised by this are:

1.	Should the random value be unique per verified domain name instead
of per certificate request? With email methods, use of a single email to
verify multiple domain names with the same email address makes sense. I'm
not sure this makes as much sense for DNS records.
2.	Can multiple methods use the same random value? Can you request a
random value and then have the CA just scour the permitted locations to find
it? This seems okay to me as nothing requires the CA to specify the method of
validation associated with the Random Value, but thought I'd get other
opinions.
Jeremy
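The per-request scoping the post describes for methods 6 and 7 (one random value per certificate request, reusable across every domain in that request, never across requests), modelled as a small CA-side store. This is an added illustration, not code from DigiCert or the CA/Browser Forum; `ValidationStore`, `CertRequest` and the observed record values are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CertRequest:
    request_id: str
    domains: frozenset
    # One random value per certificate request (per-request scope, as in the post)
    random_value: str = field(default_factory=lambda: secrets.token_hex(16))


class ValidationStore:
    """Hypothetical CA-side store: issues one random value per request and
    confirms each domain of that request against values observed in its
    permitted locations (e.g. the domain's DNS records)."""

    def __init__(self):
        self._requests = {}  # request_id -> CertRequest

    def issue(self, request_id, domains):
        req = CertRequest(request_id, frozenset(domains))
        self._requests[request_id] = req
        return req

    def confirm(self, request_id, domain, observed_values):
        """True if the random value issued for request_id appears among the
        values observed for domain. A value issued for a different request,
        or a domain not covered by this request, never confirms anything."""
        req = self._requests.get(request_id)
        if req is None or domain not in req.domains:
            return False
        # Constant-time comparison so the check does not leak partial matches
        return any(hmac.compare_digest(req.random_value, v) for v in observed_values)


if __name__ == "__main__":
    store = ValidationStore()
    req = store.issue("req-A", ["example.com", "www.example.com"])
    # Constructed DNS-style record sets: the same value appears under both names
    records = {
        "example.com": ["v=spf1 -all", req.random_value],
        "www.example.com": [req.random_value],
    }
    for name, values in records.items():
        print(name, "confirmed" if store.confirm("req-A", name, values) else "rejected")
```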
