[cabf_validation] Two minor changes

Richard Barnes rbarnes at mozilla.com
Thu Sep 24 07:59:20 MST 2015


Hey all,

After a read-through of the ballot with the IETF ACME work in mind, I would
like to propose two minor changes to the current draft text:

Proposal 1: In part L
OLD: "by the Applicant requesting and then installing a Test Certificate
issued by the CA"
NEW: "by the Applicant requesting and then installing a Test Certificate
issued by the CA, or installing a Test Certificate containing a Random
Value or Request Token"

This liberalization would cover the DVSNI proposal being considered in
ACME, and seems to offer equivalent protection to the other option.
(Either way the cert contains something specified by the CA.)

Proposal 2: In part H
OLD: "under "/.well-known/validation" directory on an Authorized Domain
Name"
NEW: "under "/.well-known/validation" directory on an Authorized Domain
Name, or any other path under .well-known registered by IANA for this
purpose"

For automated systems like ACME, they're going to want a much more precise
definition of the validation process than what's in this document, and they
may want to use different .well-known paths to indicate different methods
that are all compliant with this section.  Requiring the IANA registration
allows these differences to exist, but in a controlled way.

I think if we can make these two small liberalizations, it will save us
some revision effort down the road as ACME gets its work done.

Thanks,
--Richard