[cabf_validation] Question before we start Ballot 169

Doug Beattie doug.beattie at globalsign.com
Fri Jul 22 09:40:15 MST 2016

The intent here is that you can use the random value for more than 30 days
if the applicant submitted the request (not a reseller for example).  While
some CAs might pre-validate domains and store them in the CA system, it's
also possible that you could keep relying on a DNS TXT record or web site
change for up to 13/39 months for subsequent orders for that domain
(probably subdomain SANs) by checking that random value over and over for
each order.  This only works if the same applicant is associated with each
of the orders. The CA as to know it's the same applicant (which turns into
the subscriber), and they will based on the agreement between the CA and the
entity placing the orders. 


Example: Company X wants a whole bunch of DV orders for their domain
example.com.  They order the first one, place the random number in a file on
example.com/.well-known. and then the CA and they can keep re-using that for
all future orders for the domain and that account so the customer doesn't
need to keep posting a new value.







From: Ben Wilson [mailto:ben.wilson at digicert.com] 
Sent: Friday, July 22, 2016 12:05 PM
To: Doug Beattie; Kirk Hall; validation (validation at cabforum.org)
Subject: RE: Question before we start Ballot 169


Before we post this as a ballot, Kirk asked if  someone could explain the
meaning of - see below.  Otherwise, it's ready to go. DNS Change 

Confirming the Applicant's control over the requested FQDN by confirming the
presence of a Random Value or Request Token in a DNS TXT or CAA record for
an Authorization Domain Name or an Authorization Domain Name that is
prefixed with a label that begins with an underscore character. 


If a Random Value is used, the CA or Delegated Third Party SHALL provide a
Random Value unique to the certificate request and SHALL not use the Random
Value after (i) 30 days or (ii) if the Applicant submitted the certificate
request, the timeframe permitted for reuse of validated information relevant
to the certificate (such as in Section 3.3.1 of these Guidelines or Section
11.14.3 of the EV Guidelines).


From: validation-bounces at cabforum.org
[mailto:validation-bounces at cabforum.org] On Behalf Of Doug Beattie
Sent: Thursday, July 21, 2016 1:54 PM
To: Kirk Hall <Kirk.Hall at entrust.com>; validation (validation at cabforum.org)
<validation at cabforum.org>
Subject: Re: [cabf_validation] Question before we start Ballot 169


Ignore that last email as you have already answered it.  This one appeared
as the most recent in my mail client, so it must have been stuck in our mail
filter longer than the others..


From: Doug Beattie 
Sent: Thursday, July 21, 2016 3:50 PM
To: 'Kirk Hall'; validation (validation at cabforum.org
<mailto:validation at cabforum.org> )
Subject: RE: Question before we start Ballot 169


I'd suggest not changing the ballot now, go with it.  GlobalSIgn was one
endorser, maybe Trustwave was the other?  DigiCert as the author.


From: validation-bounces at cabforum.org
<mailto:validation-bounces at cabforum.org>
[mailto:validation-bounces at cabforum.org] On Behalf Of Kirk Hall
Sent: Thursday, July 21, 2016 2:38 PM
To: validation (validation at cabforum.org <mailto:validation at cabforum.org> )
Subject: [cabf_validation] Question before we start Ballot 169


On the call today, there were no objections to starting Ballot 169, so I
guess we can.  


Ben - the most recent Ballot 169 draft doesn't list the proposer and
endorsers.  Do you remember who that was?


Question:  I just noticed that the Ballot (and existing BR uses the
term Domain Name System about six times total, but it is not included in our
Definitions.  (I see we list DNS as an acronym for Domain Name System, and
it's pretty well defined outside of the BRs:
https://en.wikipedia.org/wiki/Domain_Name_System )


Do we care?  Or just go with the Ballot as written now?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/validation/attachments/20160722/50044ee3/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4289 bytes
Desc: not available
Url : https://cabforum.org/pipermail/validation/attachments/20160722/50044ee3/attachment-0001.bin 

More information about the Validation mailing list