[cabf_validation] Proposed edit for domain validation method #5

Jeremy Rowley jeremy.rowley at digicert.com
Mon Jun 8 16:27:02 MST 2015

I don’t agree with this one. I think we’re restricting practical control enough with the .well-known extension as-is. I don’t think this is any riskier than the other domain validation methods where you can validate at any level of the string.

From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
Sent: Thursday, June 4, 2015 4:20 PM
To: validation at cabforum.org
Subject: [cabf_validation] Proposed edit for domain validation method #5

Chris Bailey and I would like to suggest an edit to domain validation method #5 in the most recent draft.

We think that a CA should also be allowed to ask the Applicant to post the Random Value or Request Token at the home page or “root level” for the FQDN, as a second option to posting at the “well known certificate directory” location included in the current draft.

Here would be the edit (added language):

5.  Having the Applicant demonstrate control over the requested FQDN by adding a file whose name or contents include a Random Value or a Request Token to the root level or the “/.well-known/certificate” directory at an Authorization Domain in accordance with RFC 5785

There may be a better phrase to use than “root level” and we are open to suggestions.

Our thinking is that posting the marker to the root level is at least as secure as posting to the well known certificate directory location.  If the Applicant can’t control the root level, then the Applicant isn’t in control of much and shouldn’t get the cert; on the other hand, if the Applicant does control the root level and can post the marker there, it shows domain control.

Is there support for making this change?  If not, what are the arguments against it?

Kirk R. Hall
Operations Director, Trust Services
Trend Micro


The information contained in this email and any attachments is confidential

and may be subject to copyright or other intellectual property protection.

If you are not the intended recipient, you are not authorized to use or

disclose this information, and we request that you notify us by reply mail or

telephone and delete the original message from your mail system.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/validation/attachments/20150608/0f897d0f/attachment.html 

More information about the Validation mailing list