[cabfpub] Random value reuse
richard.smith at comodo.com
Fri Jul 28 05:26:43 MST 2017
I think the random value should simply be tied to a particular certificate
request and leave the rest up to the CA and the subscriber. More detailed
comments inline below.
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Tuesday, July 25, 2017 11:21 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: [cabfpub] Random value reuse
An interesting question came up today in connection with random values used
for validation. Methods 2, 4, 6, 7, and 10 permit use of a random values.
Methods 2 and 4, require a unique random value per email. Methods 6, 7, and
10 do not require unique random values per request for the random value.
Some customers would like to use the same random value across multiple
methods (method 2, 6, and 7), having us look for the first instance of the
random value, or across multiple domains. Method 6 and 7 require a unique
random value per certificate request, not per domain. This means, that the
same Random Value can appear in multiple DNS records at once to confirm
The questions raised by this are:
1. Should the random value be unique per verified domain name instead
of per certificate request?
[RWS] No. I think it should be tied to the request. Consider the case of
multiple domain certificate for which the applicant is a web host or CDN
which controls the DNS for all domain names contained w/in. Why should they
not be able to use the same random value to verify all those domains?
With email methods, use of a single email to verify multiple domain names
with the same email address makes sense. I'm not sure this makes as much
sense for DNS records.
[RWS] I think it does if for no other reason than to cut down on confusion
on the part of the subscriber. Consider the non-web host/CDN. Just an
enterprise customer who has multiple domains. Why make one guy deal with 5
different random values for a single MDC request.
2. Can multiple methods use the same random value? Can you request a
random value and then the CA just scour the permitted locations to find it?
This seems okay to me as nothing requires the CA to specify the method of
validation associated with the Random Value, but thought I'd get other
[RWS] As long as the random value is tied to the specific request, I think
this is fine.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public