[cabf_validation] Pre-Ballot 169: Revised Validation Requirements

Peter Bowen pzb at amzn.com
Fri Apr 29 07:32:40 MST 2016

> On Apr 29, 2016, at 4:55 AM, Doug Beattie <doug.beattie at globalsign.com> wrote:
> Hi Jeremy,
> Maybe I missed a change or two that you included in this last proposed ballot so I wanted to check.  These are not  critical changes and I’m fine with proceeding as it is:
> 1.       In H we say:  
>     “contained in the content of a file or on a web page in the form of a meta tag”
> Are we implying this is the only way to place the random value?  The words used to be:
> contained in the name of the file, the content of a file, on a web page in the form of a meta tag, or any other format as determined by the CA
> What is the intent – are these the only 2 ways, or are these examples?


This change was intentional to address an issue raised on the call and mailing lists.  A lot of sites return search pages or error pages with the path info on them.  For example accessing https://www.xfinity.com/.well-known/pki-validation/3d692acaaa3da46655a3c87b0c196 returns a page that contains 3d692acaaa3da46655a3c87b0c196 in the body of the page (it does return 404, so this is a safe example).  Unlike that example, some sites return similar pages with 200 status.

The hope is that requiring a meta tag avoids these issues.


More information about the Validation mailing list