[cabf_validation] FW: Domain Validation ballot draft

J.C. Jones jjones at mozilla.com
Mon Feb 29 12:00:20 MST 2016


Doug,

Absolutely; thank you for the feedback. I will send one out in the
morning, containing this general substance.

Cheers!
 - J.C.


On Mon, Feb 29, 2016 at 10:34 AM, Doug Beattie
<doug.beattie at globalsign.com> wrote:
>
> J.C.,
>
> I think it would be better to create a new validation option for this so we don't confuse the different options (we've been down this path before).  When using a cert from the CA we'll need to define the Test certificate and its validation steps differently from what you propose and I worry that adding this to the current definition (which already has an option in it) will cause confusion and/or ambiguity.  Can you create Domain Validation option 10?
>
>
>> -----Original Message-----
>> From: validation-bounces at cabforum.org [mailto:validation-
>> bounces at cabforum.org] On Behalf Of J.C. Jones
>> Sent: Monday, February 29, 2016 9:18 AM
>> To: validation at cabforum.org
>> Subject: Re: [cabf_validation] FW: Domain Validation ballot draft
>>
>> The TLS-SNI validation type defined in ACME [1] maps most closely to the
>> Test Certificate concept in Clause 9. The TLS-SNI validation type works by
>> validating the presentation of a Test Certificate, self-signed by the Applicant,
>> which contains a Random Value provided by the CA encoded within the
>> Subject Alternative Name.
>>
>> To permit the use of the TLS-SNI validation type, I would propose we keep
>> Doug's updated definition of Test Certificate, and further amend Clause 9 to
>> provide an either/or for the non-expired Test Certificate,
>> either:
>>   1) issued by the CA for the purpose of issuing a certificate with the same
>> Public Key as in the Test Certificate, or
>>   2) containing a Random Value
>>
>>  Clause 9. Confirming the Applicant's control over the requested FQDN by
>> confirming the presence on the Authorization Domain Name which is
>> accessible by the CA via TLS over an Authorized Port of a non-expired Test
>> Certificate either issued by the CA for the purpose of issuing a certificate with
>> the same Public Key as in the Test Certificate, or containing a Random Value.
>>
>> 1) https://tools.ietf.org/html/draft-ietf-acme-acme-01#section-7.3
>>
>> Cheers!
>>
>> - J.C. Jones
>>
>>
>>
>> On Sun, Feb 28, 2016 at 9:32 AM, Doug Beattie
>> <doug.beattie at globalsign.com> wrote:
>> > Here are my inputs on Test Certificate:
>> >
>> > Item 9:
>> > 9. Confirming the Applicant's control over the requested FQDN by
>> confirming the presence on the Authorization Domain Name of a non-expired
>> Test Certificate issued by the CA and which is accessible by the CA via TLS
>> over an Authorized Port for the purpose of issuing a certificate with the same
>> Public Key as in the Test Certificate.
>> >
>> >
>> >
>> > Definition:
>> > Test Certificate: A Certificate with a maximum validity period of 30 days and
>> which i) includes a critical extension with the specified Test Certificate CABF
>> OID, or ii) which chains to a root certificate not subject to these
>> Requirements.
>> >
>> > Commentary: During the F2F meeting it was recommended we add a
>> specified critical Extension to test certificates, which I've added a provision
>> for.  But I'd still like the other option to be an SSL certificate issued under a
>> non-public root (without that critical extension).
>> >
>> > Doug
>> >
>> >
>> >
>> >> -----Original Message-----
>> >> From: validation-bounces at cabforum.org [mailto:validation-
>> >> bounces at cabforum.org] On Behalf Of Robin Alden
>> >> Sent: Thursday, February 25, 2016 11:04 AM
>> >> To: kirk_hall at trendmicro.com; validation at cabforum.org
>> >> Subject: Re: [cabf_validation] FW: Domain Validation ballot draft
>> >>
>> >>
>> >>
>> >> > -----Original Message-----
>> >> > From: validation-bounces at cabforum.org [mailto:validation-
>> >> > bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
>> >> > Sent: 25 February 2016 15:58
>> >> > To: validation at cabforum.org
>> >> > Subject: [cabf_validation] FW: Domain Validation ballot draft
>> >> >
>> >> > I have not seen a newer draft, so we can work from this draft from
>> >> > last week
>> >> > -----Original Message-----
>> >> > From: Peter Bowen [mailto:pzb at amzn.com]
>> >> > Sent: Thursday, February 18, 2016 8:46 AM
>> >> > To: CABFPub; Kirk Hall (RD-US)
>> >> > Subject: Domain Validation ballot draft
>> >> >
>> >> > Here is the latest draft based on the revisions coming out of the
>> >> > working group discussion yesterday.  The Word document is the
>> >> > master; the slides are a reformatting for the discussion tomorrow.
>> >> >
>> >> > Thanks,
>> >> > Peter
>> >> >
>> >> >
>> > _______________________________________________
>> > Validation mailing list
>> > Validation at cabforum.org
>> > https://cabforum.org/mailman/listinfo/validation
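As an added illustration of the check J.C. describes (option 2 of the amended Clause 9: a non-expired, self-signed Test Certificate carrying the CA-provided Random Value in a Subject Alternative Name), here is a Go program that is not part of this thread and not any CA's or ACME client's code. It builds such a certificate on the Applicant side and then runs the CA-side checks: currently valid, validity period within the 30-day cap from Doug's proposed definition, genuinely self-signed, and Random Value present in a SAN dNSName. The SAN encoding (hex SHA-256 of the Random Value split into two 32-character labels under a reserved suffix) and the names `expectedSAN`, `makeTestCert` and `verifyTestCert` are assumptions made for this example, not a transcription of the ACME draft's derivation.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// maxTestCertValidity is the 30-day cap from the proposed Test Certificate definition.
const maxTestCertValidity = 30 * 24 * time.Hour

// testCertSuffix is an assumed reserved suffix for the validation-only SAN
// (hypothetical; chosen so the name can never collide with a real hostname).
const testCertSuffix = ".acme.invalid"

// expectedSAN derives the SAN the CA expects to find for a given Random Value.
// The encoding (hex SHA-256 split into two 32-character labels) is an
// assumption for this example, not a transcription of the ACME draft.
func expectedSAN(randomValue string) string {
	sum := sha256.Sum256([]byte(randomValue))
	z := hex.EncodeToString(sum[:]) // 64 hex characters
	return z[:32] + "." + z[32:] + testCertSuffix
}

// makeTestCert is the Applicant side: a self-signed certificate whose only
// purpose is to carry the Random Value in its Subject Alternative Name.
func makeTestCert(randomValue string, notBefore time.Time, validFor time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "acme validation test certificate"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(validFor),
		DNSNames:              []string{expectedSAN(randomValue)},
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // explicitly not a CA
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyTestCert is the CA side: the checks a CA would run on the certificate
// it retrieved over TLS from the Authorization Domain Name.
func verifyTestCert(cert *x509.Certificate, randomValue string, now time.Time) error {
	// Non-expired; a not-yet-valid certificate is rejected as well.
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("test certificate is not within its validity period")
	}
	if cert.NotAfter.Sub(cert.NotBefore) > maxTestCertValidity {
		return errors.New("test certificate validity period exceeds 30 days")
	}
	// Self-signed: issuer equals subject and the signature verifies under the
	// certificate's own public key. CheckSignatureFrom is deliberately not used
	// because it rejects a non-CA signer, which a Test Certificate is by design.
	if !bytes.Equal(cert.RawIssuer, cert.RawSubject) {
		return errors.New("test certificate issuer does not match subject")
	}
	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
		return fmt.Errorf("test certificate is not self-signed: %w", err)
	}
	// The CA-provided Random Value must be encoded in a SAN dNSName.
	want := expectedSAN(randomValue)
	for _, name := range cert.DNSNames {
		if name == want {
			return nil
		}
	}
	return errors.New("random value not found in Subject Alternative Name")
}

func main() {
	now := time.Now()
	// "ca-issued-random-value" is a constructed stand-in for the CA's Random Value.
	cert, err := makeTestCert("ca-issued-random-value", now.Add(-time.Hour), 24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("presented SAN:", cert.DNSNames[0])
	fmt.Println("check with CA's value:", verifyTestCert(cert, "ca-issued-random-value", now))
	fmt.Println("check with other value:", verifyTestCert(cert, "some-other-value", now))
}
```

The point of the CA-side function is that it never relies on the Test Certificate chaining anywhere: it is accepted only because it is self-signed, short-lived and carries the value the CA handed out, which is exactly the property that distinguishes option 2 from the CA-issued Test Certificate in option 1.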

