[cabf_validation] *Please review ASAP* Updated domain validation draft

Rick Andrews Rick_Andrews at symantec.com
Fri Aug 28 09:41:57 MST 2015


Kirk, I saw that mention of CNAME, but I didn’t think it covered my concern. The new method 8 (K) says “Having the Applicant demonstrate control over the requested FQDN by the CA confirming that the Applicant controls an IP address returned from a DNS lookup for A or AAAA records for the requested FQDN in accordance with section 3.2.2.5;  or”. So the new method isn’t tied to the definition of Authorization Domain Name.

 

How about if method 8 said “Having the Applicant demonstrate control over the requested FQDN by the CA confirming that the Applicant controls an IP address returned from a DNS lookup for A or AAAA records for the Authorization Domain Name in accordance with section 3.2.2.5;  or”

 

That would make it similar to the other uses of Authorization Domain Name in the doc.

 

-Rick

 

From: kirk_hall at trendmicro.com [mailto:kirk_hall at trendmicro.com] 
Sent: Thursday, August 27, 2015 5:30 PM
To: Rick Andrews; validation at cabforum.org
Subject: RE: [cabf_validation] *Please review ASAP* Updated domain validation draft

 

Rick, I think I saw only two comments or changes.

 

I will change “Domain Validation” to “Validation of Domain Ownership or Control” for the new title of 3.2.2.4 as you suggest.

 

The other comment I saw was about CNAME for Method 8.  On the call today, CNAME was raised, and someone said the issue is “covered” by the new definition of Authorization Domain Name (see below).  Do you agree?

 

Were there any other issues you raised?

 

Authorization Domain Name: The Domain Name used to obtain authorization for certificate issuance for a given FQDN.  The CA may use the FQDN returned from a DNS CNAME lookup as the FQDN for the purposes of domain validation.  If the FQDN starts with a wildcard character, then the CA MUST remove all wildcard labels from the left most portion of requested FQDN.  The CA may prune zero or more labels from left to right until encountering a Base Domain Name and may use any one of the intermediate values for the purpose of domain validation.

 

From: Rick Andrews [mailto:Rick_Andrews at symantec.com] 
Sent: Thursday, August 27, 2015 2:54 PM
To: Kirk Hall (RD-US); validation at cabforum.org
Subject: RE: [cabf_validation] *Please review ASAP* Updated domain validation draft

 

Thanks for pulling this together, Kirk (and whoever helped you, if you had help). I added a couple of comments/questions.

 

-Rick

 

From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
Sent: Thursday, August 27, 2015 11:49 AM
To: validation at cabforum.org
Subject: [cabf_validation] *Please review ASAP* Updated domain validation draft
Importance: High

 

I attach an updated Domain Validation draft revision, dated today (Aug. 27) in track changes mode from the Aug. 26 draft we discussed this morning.

 

I added a new Method 10 (line M) to cover the cases where the CA is also the Registrar.  Wayne, can you edit?

 

Jeremy, you said you had additional Authorized Ports to propose – please send to this list today if possible.

 

The definition for Random Value (line Z) has changed as we discussed, so we can use the term everywhere.  Per our discussion, we only specify minimum entropy for two cases – automated processes, and practical demonstration in the DNS record.  Otherwise, the Random Value can be a value specified by the CA that is unknown to the Applicant.  Isn’t that what we decided?

 

For everyone else – please review and see if this is ready to forward to the Forum members TOMORROW for first discussion next Thursday.  Meaning, please provide your comments today or tomorrow morning at the latest.



 
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
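
An added illustration, not part of the original messages or of the draft: it enumerates the Authorization Domain Names the quoted definition allows for a requested FQDN, then compares which IP addresses would be in scope for method 8 under the drafted wording (lookup for the requested FQDN) and under Rick's proposed wording (lookup for the Authorization Domain Name). The suffix set, DNS records and function names are constructed assumptions, and treating the CNAME target as a single unpruned candidate is one reading of the definition.

```python
# Added illustration; all names, records and the suffix set are constructed.
REGISTRY_SUFFIXES = {"com", "net", "co.uk"}   # assumption: stand-in for a public suffix list
CNAMES = {"shop.example.com": "tenant42.cdn.example.net"}
A_RECORDS = {
    "tenant42.cdn.example.net": ["203.0.113.10"],
    "example.com": ["198.51.100.7"],
}

def base_domain(fqdn):
    """Registry-controlled suffix plus one label (the Base Domain Name)."""
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in REGISTRY_SUFFIXES:
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known registry suffix in {fqdn!r}")

def authorization_domain_names(requested):
    """Every name the quoted definition lets the CA validate for `requested`."""
    labels = requested.lower().rstrip(".").split(".")
    while labels and labels[0] == "*":        # wildcard labels MUST be removed
        labels.pop(0)
    name = ".".join(labels)
    base = base_domain(name)
    candidates = [name]
    while candidates[-1] != base:             # prune labels left to right
        candidates.append(candidates[-1].split(".", 1)[1])
    target = CNAMES.get(name)                 # CNAME result may stand in for the FQDN
    if target and target not in candidates:
        candidates.append(target)             # assumption: the target is not pruned further
    return candidates

def resolve_a(name):
    """Toy resolver: follow at most one CNAME, then return A records."""
    return A_RECORDS.get(CNAMES.get(name, name), [])

def method8_addresses(requested, wording):
    """IP addresses whose control would satisfy method 8 under each wording."""
    if wording == "drafted":                  # lookup for the requested FQDN only
        names = [requested.lower().rstrip(".")]
    else:                                     # "proposed": any Authorization Domain Name
        names = authorization_domain_names(requested)
    return sorted({ip for n in names for ip in resolve_a(n)})

if __name__ == "__main__":
    for wording in ("drafted", "proposed"):
        print(wording, method8_addresses("shop.example.com", wording))
```

With this constructed data the proposed wording also brings the base domain's address into scope, which is the practical effect of tying method 8 to the Authorization Domain Name.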

 



 

 
