[cabf_validation] CNAME ballot

Doug Beattie doug.beattie at globalsign.com
Thu Dec 8 08:50:16 MST 2016


Jeremy,

Sorry I missed the call last week.

What does confirming the presence of a random number in a CNAME record mean?  There is no place to put a random number "in a CNAME record"; it's just an alias.

Assuming this means you can put a random value in the DNS entry for the FQDN supplied in a CNAME record, is this change intended to only be used for DNS validation or can this be used for file based or email validation as well?  In other words, if we have this:

NAME                        TYPE              VALUE
--------------------------------------------------
bar.example.com.        CNAME       foo.example.com.

Can I send an email to admin at foo.example.com to validate the SAN bar.example.com?
Can I put a random number in well-known on foo.example.com to approve the SAN bar.example.com?

Assuming you want to use foo.example.com to validate bar.example.com, should we embed this rule into the definition of Authorization Domain Name?  I'm having déjà vu.

Doug

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Jeremy Rowley via Validation
Sent: Thursday, December 1, 2016 10:47 AM
To: validation (validation at cabforum.org) <validation at cabforum.org>
Cc: Jeremy Rowley <jeremy.rowley at digicert.com>
Subject: [cabf_validation] CNAME ballot

This is the CNAME ballot discussed last week:
Confirming the Applicant's control over the requested FQDN by confirming the presence of a Random Value or Request Token in a DNS TXT, CNAME, or CAA record for an Authorization Domain Name or an Authorization Domain Name that is prefixed with a label that begins with an underscore character.
If a Random Value is used, the CA or Delegated Third Party SHALL provide a Random Value unique to the certificate request and SHALL not use the Random Value after (i) 30 days or (ii) if the Applicant submitted the certificate request, the timeframe permitted for reuse of validated information relevant to the certificate (such as in Section 3.3.1 of these Guidelines or Section 11.14.3 of the EV Guidelines).
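
The following is an added illustration, not code from either poster or from the CA/Browser Forum. It sketches one possible reading of the ballot text quoted above: the Random Value must appear in a TXT, CNAME or CAA record whose owner name is the Authorization Domain Name (ADN) or the ADN prefixed with a single underscore label, and for CNAME it is assumed that "presence" means the value is a label of the alias target. The record set, the value `rv-8f3a1c9e7b`, the name `ca.example.net` and all function names are constructed for the example; only limit (i), 30 days, is modelled.

```python
from datetime import timedelta

# Constructed sample records: (owner name, type, rdata). Not real DNS data.
RECORDS = [
    ("bar.example.com.", "CNAME", "foo.example.com."),
    ("_validation.bar.example.com.", "CNAME", "rv-8f3a1c9e7b.ca.example.net."),
    ("foo.example.com.", "TXT", "rv-8f3a1c9e7b"),
    ("x.bar.example.com.", "TXT", "rv-8f3a1c9e7b"),
]
ALLOWED_TYPES = {"TXT", "CNAME", "CAA"}
MAX_AGE = timedelta(days=30)  # limit (i) in the ballot text; (ii) is not modelled


def norm(name):
    """Lower-case a DNS name and give it exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def eligible_owner(owner, adn):
    """True if owner is the ADN itself, or the ADN prefixed with exactly
    one label that begins with an underscore."""
    owner, adn = norm(owner), norm(adn)
    if owner == adn:
        return True
    if not owner.endswith("." + adn):
        return False
    prefix = owner[: -len(adn) - 1]
    return prefix.startswith("_") and "." not in prefix


def find_random_value(records, adn, random_value, issued, now):
    """Return (owner, type) for each record that carries the Random Value
    under the assumed reading; empty once the value is over 30 days old."""
    if now - issued > MAX_AGE:
        return []
    hits = []
    for owner, rtype, rdata in records:
        if rtype not in ALLOWED_TYPES or not eligible_owner(owner, adn):
            continue
        if rtype == "CNAME":
            # Assumption: the value must be a whole label of the alias target.
            present = random_value.lower() in norm(rdata).split(".")
        else:
            present = random_value in rdata
        if present:
            hits.append((norm(owner), rtype))
    return hits
```

With `bar.example.com` as the ADN, only the underscore-prefixed CNAME matches; the TXT record at `foo.example.com` is found only when `foo.example.com` is itself passed as the ADN.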
