[cabf_validation] Domain Validation Update

Doug Beattie doug.beattie at globalsign.com
Wed May 27 10:36:19 MST 2015


I think the domain control process which used email to an administrator needs to include the concept of a Random value, like DNS and the file methods.  The current description just says send an email to one of the addresses, but if the challenge is not sufficiently strong it might be possible to guess it and circumvent the validation.

Regardless, my real question surrounds the concept that two (or three) of the methods rely on the CA providing a random value to the person requesting the cert and the user then demonstrates control over the domain using that random value.

Let's assume that the CA returns the random value to the person requesting the cert during the ordering process (web pages or via an API).  Are there any security issues with returning a single random value and then letting it be used for multiple methods?  Specifically as they relate to DNS or placing it in a file in the specified directory, can a  single value be generated and used and then the CA checks "all the places it could possibly be"  There are a lot of places which could be checked by the CA:
  * For DNS: FQDN, Domain, and everything in between
  * For ".well-known/..": FQDN, Domain and everything in between
  * eventually maybe it will be returned via TLS handshake or some other method

Certainty we don't want that same value to be somehow used via the email method (or you might be able to re-construct the email link with the value and circumvent the validation).

I don't see any issues with using a single random value for the cert order and then looking for it in all of the approved locations.  We might want to clarify this in the draft ballot.

Doug


From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Thursday, May 21, 2015 9:55 AM
To: validation at cabforum.org
Subject: [cabf_validation] Domain Validation Update


-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/validation/attachments/20150527/284acb16/attachment.html 


More information about the Validation mailing list