[cabf_validation] Proposed edit for domain validation method #5

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Thu Jun 4 15:20:25 MST 2015

Chris Bailey and I would like to suggest an edit to domain validation method #5 in the most recent draft.

We think that a CA should also be allowed to ask the Applicant to post the Random Value or Request Token at the home page or "root level" for the FQDN, as a second option to posting at the "well known certificate directory" location included in the current draft.

Here would be the edit (added language):

5.  Having the Applicant demonstrate control over the requested FQDN by adding a file whose name or contents include a Random Value or a Request Token to the root level or the "/.well-known/certificate" directory at an Authorization Domain in accordance with RFC 5785

There may be a better phrase to use than "root level" and we are open to suggestions.

Our thinking is that posting the marker to the root level is at least as secure as posting to the well known certificate directory location.  If the Applicant can't control the root level, then the Applicant isn't in control of much and shouldn't get the cert; on the other hand, if the Applicant does control the root level and can post the marker there, it shows domain control.

Is there support for making this change?  If not, what are the arguments against it?

Kirk R. Hall
Operations Director, Trust Services
Trend Micro

<table class="TM_EMAIL_NOTICE"><tr><td><pre>
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/validation/attachments/20150604/a9006ae9/attachment.html 

More information about the Validation mailing list