[cabf_validation] Domain Validation update for discussion

Robin Alden robin at comodo.com
Mon Jun 22 03:11:00 MST 2015

Hi Doug,

We did have some discussion on this issue of using a new
'value' for each 'domain' and my recollection was that we decided to
strike out the highlighted text in Jeremy's most recent document.  The
most recent version on the mail list was sent in advance of the
validation group telecom and does not reflect the discussions on


As you wrote, the validation of ownership or control for multi-domain
certificates using methods 5 and 6 is not improved and may be rendered
unnecessarily more difficult by using a different 'value' for each

On the other hand for methods 2 and 3 it is essential that a different
'value' is used for each 'domain'.


We could and should express those thoughts pithily in the proposed
revision to the domain validation requirements, but we didn't have it
after the discussion on Thursday so we elected to strike those words for
the time being so that the revision could go forward.




From: validation-bounces at cabforum.org
[mailto:validation-bounces at cabforum.org] On Behalf Of Doug Beattie
Sent: 21 June 2015 09:09
To: Jeremy Rowley; validation at cabforum.org
Subject: Re: [cabf_validation] Domain Validation update for discussion


I must have missed the discussion around the topics in this new

- The CA MUST generate and use a new Random Value, Request Token,
or Test Certificate for each Authorization Domain validated and MUST NOT
rely on a Random Value, Request Token or Test Certificate generated more
than 30 days prior completing verification under this section


What was the reasoning behind using different values for different
Authorized Domain (not even sure what this means because we are
validating FQDNs, not Authorized Domains..) and why the value is limited
to 30 days?


If someone orders a multi-san cert the CA should be able to use the same
value for all the SANs in the cert when using DNS or a file (maybe not
the email validation).  Why do we need to have a lot of different values
for one request for a certificate (what we normally call an "order")?


If people add and remove SANs from that cert (the "order"), the same
random value should be able to be used for the life of the order as long
as the time between creating that token (when the request for the cert
was first placed) and using it is less than 39 months, it should be
acceptable.  Was there a security reason to limit the validity of the
random value? 






From: validation-bounces at cabforum.org
[mailto:validation-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Thursday, June 18, 2015 3:26 PM
To: validation at cabforum.org
Subject: [cabf_validation] Domain Validation update for discussion


