[cabf_validation] Domain Validation ballot -- open discussion items

Jeremy Rowley jeremy.rowley at digicert.com
Thu Dec 17 09:56:56 MST 2015


Here's some revisions that I think  keep it clear for the auditors and keep the random value tied to the Applicant rather than each communication.

-----Original Message-----
From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of Bowen, Peter
Sent: Wednesday, December 16, 2015 6:46 PM
To: kirk_hall at trendmicro.com; validation at cabforum.org
Subject: Re: [cabf_validation] Domain Validation ballot -- open discussion items

Kirk,

I propose the attached edits, which address several of the issues you list.  These are independent from the Issue 5 that I previously raised.

The edits cover several items:

* In D, E, and F: clarify the random value must be unique for each communication and that the recipient must return it to the CA.  The intent here is that a single email can be sent to multiple addresses, but each unique set of addresses must have a different random value.  It also clarifies that simply sending the random value is not adequate, which might not be obvious from the existing language.

* In H, J, K, and L: flip the language to state what the CA must so. The BRs are requirements on CAs, not applicants, and auditors cannot verify what an applicant does.  They can verify what actions the CA took.  The revised language mirrors that of the existing methods.

* In H: change to FQDN.  I think the assertion that someone who controls web server content at socsci.example.edu is also the controller of sociology.socsci.example.edu is a little tenuous.  I realize that the comments suggest that the reverse of this change was made previously and I’m late to the game, but I think that new methods 6 and 9 should have the same test scope (FQDN or Authorization Domain).

* In L: move to Random Value or Request Token.  When reading the definitions, it seems that a Test Certificate would inherently either contain a Random Value (e.g. random serial number) or a Request Token (signature).  I am proposing the change to also make the method slightly more flexible to allow returning the expected valued during other parts of the handshake.

In addition to updating 3.2.2.4/5, I think it would be good to clarify the “reuse” of validations.  

I think that it would be appropriate to flag the date the CA received the confirmation of Random Value or Request Token as the the date that the CA obtained the validation for the purposes of section 3.3.1 or the similar section in the EVG. For example, if the CA received a public key from a customer on January 1, 2016 and found a Request Token based on that key in DNS (for example, a TXT record for example.com. included the token) on January 2, 2016, then the validation for the example.com namespace would be good for non-EV certificate issuance until April 2, 2019 

Similarly, if a CA sent an email to hostmaster at example.com on January 1, 2016 and received the confirmation on January 15, 2016, then the validation for the example.com namespace would be good for non-EV certificate issuance until April 15, 2019.

Thanks,
Peter

On 12/16/15, 1:26 PM, "validation-bounces at cabforum.org on behalf of kirk_hall at trendmicro.com" <validation-bounces at cabforum.org on behalf of kirk_hall at trendmicro.com> wrote:


>I went through my notes of remaining issues, and here’s where I think 
>we are for our call on Thursday.  Please refer to the attached email dated Dec. 1 laying out the five  issues we are discussing.  Robin and Doug – you need to send out a redraft of your methods (see below).
> 
>Issue 1 (Method 7): On the Dec. 3 call, Robin said he wants to amend 
>the definition of  Request Token so (1) it has something unique in it 
>that the Applicant can control (more than the public key – maybe also a Random Value the CA sends directly to the Applicant, maybe independent of the Reseller), and (2) if the Request Token is coming through  the Reseller, do something to be sure the Reseller is not and can’t be compromised.
> 
>Robin – can you circulate your redraft before the call?
> 
>Issue 2 (Method 9):
>On the Dec. 3 call, Doug Beatty said the following: (1) the Test 
>Certificates and the certs issued after domain validation using the 
>Test Certificate must all have the same public key  (i.e., the Test Certificate can’t be used for vetting domains in a certificate request using a different public key); (2) The Test Certificate must “work” for all the domains in the certificate request that you are validating, meaning the Test Certificate  must contain all the FQDNs in the certificate request.
> 
>Doug – can you circulate your redraft before the call?
> 
>Issue 3:
>Completed
> 
>Issue 4:
> This question related to whether Random Values, Test Certificates, 
>and/or Request Tokens should have limits on re-use (either for 
>authenticating more than one domain, such as multiple domains in the SANs field of a single CSR, re-used to re-authenticate the  same domain when re-vetting is required, 13 or 39 months or 10 years later, or limited over what period of time it can be used after being send by the CA to the Applicant, such as 48 hours or 96 hours).  The question relates to making sure the validation method  remains secure and can’t be gamed by hackers.
> 
>Peter Bowen suggested an RV could only be reused if all the emails in 
>WhoIs are all the same (meaning, you could list multiple domains for validation in an email containing  a single RV); otherwise, they should be changed every time.
> 
>General rules were discussed, such as the following:
> 
>·       
>Random Values, Test Certificates, and Request Tokens that are tied to a 
>certificate request can be reused for all the FQDNs in that certificate request, but only  for issuing certificates for the same public key as in the certificate request
>·       
>Random Values, Test Certificates, and Request Tokens may never be reused for revetting a domain at a later date.
>·       
>Random Values, Test Certificates, and Request Tokens must be reissued 
>if not used by the Applicant within [x] days, and must be reissued for 
>any domains that have  not been authenticated within [x] days (where x 
>is what – 30 days?)
> 
>Issue 5 - Applicant/Subscriber versus domain Registrant:
>
> 
>We did not have time to discuss Peter Bowens suggestions.
> 
>
>TREND MICRO EMAIL NOTICE
>The information contained in this email and any attachments is 
>confidential and may be subject to copyright or other intellectual property protection.
>If you are not the intended recipient, you are not authorized to use or 
>disclose this information, and we request that you notify us by reply 
>mail or telephone and delete the original message from your mail system.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Domain Validation Draft with PBZ revised slightly by Jeremy.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 36222 bytes
Desc: Domain Validation Draft with PBZ revised slightly by
 Jeremy.docx
Url : https://cabforum.org/pipermail/validation/attachments/20151217/771aba56/attachment-0001.bin 


More information about the Validation mailing list