[cabf_validation] Draft language on reuse of Random Values, Request Tokens, and Test Certificates

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Wed Dec 2 13:28:31 MST 2015


To help drive us to some conclusions on issue 4 on our call tomorrow, I want to offer the following draft language to include in this section of the BRs.  Language in [red brackets] is a possible addition.

A Random Value, Request Token, or Test Certificate may be used to validate domain ownership or control for multiple domains in a single certificate request with a single public key.  The same Random Value, Request Token, or Test Certificate may not be used to validate domain ownership or control for multiple certificate requests or multiple public keys, or to re-validate domain ownership or control for a domain at a later time.

[1. Should we also include an outside time limit for use of a Random Value, Request Token, or Test Certificate, such as 96 hours, or one week, or one month?]

[2. From a security engineering standpoint, wouldn't it be better to require a different Random Value, Request Token, or Test Certificate for each domain being validated, rather than allowing the same Random Value, Request Token, or Test Certificate for multiple domains in a single certificate order?  It's true I can't identify a specific threat vector today to support this requirement (in part because I don't fully understand the exact process flow for this domain validation method), but good security engineering involves adding "best practices" in advance of all known threat vectors to head them off.  We are already requiring 112 bits of entropy for Random Values, so it seems a good idea to prohibit reuse of a Random Value, Request Token, or Test Certificate for multiple domains.

If this is too difficult to implement now (a different marker for each domain being validated), what if we include this as a requirement to apply at a future date so CAs can modify their process flow?]

[3. For methods that use a hash, should we specify the minimum hash algorithm?]


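As an added illustration of the draft rules above (not part of the post, the BRs, or any CA's code), a CA-side check in Python that binds a Random Value to one certificate request and one public key, accepts it for each domain of that request once, and rejects reuse for other requests, keys or domains or for later re-validation; it also includes the optional 96-hour limit from point 1 and the one-value-per-domain variant from point 2. The SHA-256 key fingerprint, the 96-hour figure and the record layout are assumptions.

```python
import hashlib
import secrets
import time

ENTROPY_BITS = 112            # minimum Random Value entropy the post says the BRs require
MAX_AGE_SECONDS = 96 * 3600   # assumed outside time limit (option 1 suggests 96 hours)

def _key_fp(public_key_pem):
    return hashlib.sha256(public_key_pem.encode()).hexdigest()  # binds a value to a key (assumed)

class RandomValueStore:
    """CA-side store enforcing the draft rules: a Random Value is bound to one request
    and one public key, may cover several domains of that request, and is rejected for
    any other request, key or domain, for later re-validation, and after its time limit."""

    def __init__(self, max_age=MAX_AGE_SECONDS, clock=time.time):
        self._clock = clock            # injectable for testing
        self._max_age = max_age
        self._records = {}             # value -> binding record

    def _issue_one(self, request_id, public_key_pem, domains):
        value = secrets.token_hex(ENTROPY_BITS // 8)   # 14 random bytes = 112 bits
        self._records[value] = {"request_id": request_id, "key_fp": _key_fp(public_key_pem),
                                "domains": frozenset(domains), "issued_at": self._clock(),
                                "validated": set()}
        return value

    def issue(self, request_id, public_key_pem, domains, per_domain=False):
        """One shared value per request (draft text), or a separate value per
        domain when per_domain=True (the stricter option 2 in the post)."""
        if per_domain:
            return {d: self._issue_one(request_id, public_key_pem, [d]) for d in domains}
        return self._issue_one(request_id, public_key_pem, domains)

    def validate(self, value, request_id, public_key_pem, domain):
        """Return (accepted, reason); each domain is accepted at most once per value."""
        rec = self._records.get(value)
        if rec is None:
            return False, "unknown value"
        if self._clock() - rec["issued_at"] > self._max_age:
            return False, "expired"
        if rec["request_id"] != request_id:
            return False, "value bound to a different certificate request"
        if rec["key_fp"] != _key_fp(public_key_pem):
            return False, "value bound to a different public key"
        if domain not in rec["domains"]:
            return False, "domain not in the original request"
        if domain in rec["validated"]:
            return False, "domain already validated with this value"
        rec["validated"].add(domain)
        return True, "ok"
```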