[cabf_validation] Pre-Ballot 169: Revised Validation Requirements
pzb at amzn.com
Fri Apr 29 07:32:40 MST 2016
> On Apr 29, 2016, at 4:55 AM, Doug Beattie <doug.beattie at globalsign.com> wrote:
> Hi Jeremy,
> Maybe I missed a change or two that you included in this last proposed ballot so I wanted to check. These are not critical changes and I’m fine with proceeding as it is:
> 1. In H we say:
> “contained in the content of a file or on a web page in the form of a meta tag”
> Are we implying this is the only way to place the random value? The words used to be:
> contained in the name of the file, the content of a file, on a web page in the form of a meta tag, or any other format as determined by the CA
> What is the intent – are these the only 2 ways, or are these examples?
This change was intentional to address an issue raised on the call and mailing lists. A lot of sites return search pages or error pages with the path info on them. For example accessing https://www.xfinity.com/.well-known/pki-validation/3d692acaaa3da46655a3c87b0c196 returns a page that contains 3d692acaaa3da46655a3c87b0c196 in the body of the page (it does return 404, so this is a safe example). Unlike that example, some sites return similar pages with 200 status.
The hope is that requiring a meta tag avoids these issues.
More information about the Validation