[cabfpub] New validation method

Tim Hollebeek THollebeek at trustwave.com
Wed Oct 25 16:50:00 UTC 2017


Being overly generic allows methods whose security implications have not been analyzed, and may not be correct.  We keep running into cases where validation works by accident, for example by a value being reflected in a 404 error message, an email scanner following an embedded link, etc.

The trend has been to be more explicit about exactly how validation methods work, for example requiring files to be in a specific location under .well-known, instead of anywhere, and I think this is a good thing.

I think it would be better to call out WHOIS and RDAP as acceptable, and even call out one or more fields (for RDAP) which should be used for this purpose.

-Tim

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Peter Bowen via Public
Sent: Tuesday, October 24, 2017 10:07 PM
To: Geoff Keating <geoffk at apple.com>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] New validation method

On Oct 24, 2017, at 3:46 PM, Geoff Keating <geoffk at apple.com> wrote:

On 24 Oct 2017, at 2:58 pm, Peter Bowen via Public <public at cabforum.org> wrote:

As ballot 190 is complete and fully effective, it seems like a reasonable time to start considering further validation methods.  Amazon proposes the following new method.  As far as I know, this does not overlap with any of the existing methods.

3.2.2.4.12 Registrar challenge validation
Confirming the Applicant’s control over the requested Domain Name by confirming the presence of a Random Value or Request Token in a response from the Domain Name Registrar or Registry received in response to a request containing an Authorization Domain Name.

I like the concept, but can we be a bit more specific than just ‘in response to a request’?  For example, can we say ‘in response to a WHOIS request for the Authorization Domain Name’?

I was trying to stay fairly generic because some registries, such as Núcleo de Informação e Coordenação do Ponto BR, CZ.NIC, z. s. p. o., and Dirección Nacional del Registro de Dominios de Internet, the registries for .br, .cz, and .ar, are using RDAP now (see https://data.iana.org/rdap/dns.json for the current list).  Additionally, as you may be aware some registries do not have RDAP or Whois servers, so one could imagine that some registries might even be open to implementing an API that could be used for validation.

Thanks,
Peter
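The following is an added example, not part of the thread and not code from any CA, illustrating the difference between the "token appears somewhere in the response" rule Tim objects to and a rule that pins down location, status and content, which is the same distinction behind his request that the registrar/RDAP method name specific fields. It is modelled on the HTTP file-based method (a file under /.well-known/pki-validation/); the token, paths and server responses are constructed for the example, and the check that the whole token must not appear in the request is a design choice here of the same kind as the constraint the current file-based method places on how the file is requested.

```python
"""Generic vs. explicit checks for a file-based domain validation response.

Added example, not from the cabforum thread. All requests, responses and the
token below are constructed; nothing is fetched from the network.
"""

TOKEN = "3f9a1c2e7b8d"  # constructed Random Value, not one issued by any CA
WELL_KNOWN = "/.well-known/pki-validation/"

# Constructed cases: (request path, HTTP status, response body)
CASES = {
    # the file is present at the agreed location and contains only the token
    "good_file": (WELL_KNOWN + "challenge.txt", 200, TOKEN + "\n"),
    # no file at all, but the server echoes the requested path into its 404
    # page and the CA put the whole token into the file name
    "reflected_404": (
        WELL_KNOWN + TOKEN + ".txt",
        404,
        "<html><body>Not Found: " + WELL_KNOWN + TOKEN + ".txt"
        " does not exist on this server.</body></html>\n",
    ),
    # the token is served, but from an arbitrary path, not the agreed one
    "anywhere": ("/uploads/" + TOKEN + ".txt", 200, TOKEN),
    # a catch-all route returns 200 for any path and happens to include the
    # token inside a larger page (e.g. a search or preview page)
    "wrapped_200": (
        WELL_KNOWN + "challenge.txt",
        200,
        "<html><body>Results for challenge.txt: " + TOKEN + "</body></html>",
    ),
}


def generic_check(path, status, body, token):
    """The overly generic rule: the token shows up somewhere in the response.

    Ignores where the request went, what status came back and what else the
    body contains, so any reflection of the request satisfies it.
    """
    return token in body


def strict_check(path, status, body, token):
    """Explicit rule: success from the agreed location with exactly the token.

    Each clause closes one of the accidental-success paths in CASES above.
    """
    if not path.startswith(WELL_KNOWN):
        return False  # must be the agreed location, not "anywhere"
    if token in path:
        return False  # a request carrying the whole token can be echoed back
    if not 200 <= status < 300:
        return False  # error pages do not count, however chatty they are
    return body.rstrip("\r\n") == token  # exact content, trailing newline ok


def evaluate_all():
    """Run both checks over every constructed case.

    Returns {case_name: (generic_result, strict_result)}.
    """
    return {
        name: (generic_check(*case, TOKEN), strict_check(*case, TOKEN))
        for name, case in CASES.items()
    }


if __name__ == "__main__":
    for name, (generic, strict) in evaluate_all().items():
        print(f"{name:14s} generic={generic!s:5s} strict={strict}")
```

Running it shows the generic rule accepting all four cases, including the three in which nobody demonstrated control of the domain, while the strict rule accepts only the genuine file. The same shape applies to the proposed registrar method: a substring match over a WHOIS or RDAP response is the generic rule, and naming the RDAP field the token must appear in is the strict one.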
