[cabf_validation] Question before we start Ballot 169

Kirk Hall Kirk.Hall at entrust.com
Tue Jul 26 09:20:15 MST 2016 

Sorry to be slow to respond - I was off for a couple of days.

Doug, I understand the language now, but I have a question.  Under the scenario you list below, a CA could "use" a Random Value generated to authenticate an FQDN and placed by the Applicant in the DNS record for up to 13/39 months (depending on whether the cert is EV or OV/DV) to issue multiple certs over that period for the same authenticated FQDN.  However, you impose limitations: (1) this reuse of the Random Value can only be used if the subsequent certificate requests come from the Applicant (who could be a reseller or hosting company, I suppose), (2) it's for the same FQDN, and (3) the request comes within the 13/39 month limit on reuse of authentication data.

Here's my question - if the CA knows facts (1), (2), and (3) - identity of the Applicant, which FQDN is allowed (i.e., the one associated with the old Random Value still shown on the DNS record), and whether the 13/39 month limit on reuse has expired - why does the CA need to look again at the DNS record at all?  It seems the CA already has effectively established and "account" for the Applicant/Subscriber, and can verify from the information in (1), (2), and (3) that the Applicant can get more certs for the same FQDN - right?  So why do we need the language in (ii) at all - why is the DNS record relevant for the subsequent certificate requests?  (I ask this because in general it's not a good idea to actually keep relying on the same publicly displayed Random Value over a three year period.)

I have a related question - method 7 says the Random Value must be "unique to the certificate request".  If an applicant applies for a cert for foo.com and receives a Random Value (starting the 30 day clock), and 10 days later ask to add bar.com to the certificate - is that still the same certificate request, and can the Applicant use the same Random Value to authenticate bar.com?   If yes, I assume the authentication of bar.com must occur within the original 30 day period - the 30 day period does not get extended to allow a full 30 days for authentication of bar.com, correct?

From: Doug Beattie [mailto:doug.beattie at globalsign.com]
Sent: Friday, July 22, 2016 9:40 AM
To: Ben Wilson <ben.wilson at digicert.com>; Kirk Hall <Kirk.Hall at entrust.com>; validation (validation at cabforum.org) <validation at cabforum.org>
Subject: RE: Question before we start Ballot 169

The intent here is that you can use the random value for more than 30 days if the applicant submitted the request (not a reseller for example).  While some CAs might pre-validate domains and store them in the CA system, it's also possible that you could keep relying on a DNS TXT record or web site change for up to 13/39 months for subsequent orders for that domain (probably subdomain SANs) by checking that random value over and over for each order.  This only works if the same applicant is associated with each of the orders. The CA as to know it's the same applicant (which turns into the subscriber), and they will based on the agreement between the CA and the entity placing the orders.

Example: Company X wants a whole bunch of DV orders for their domain example.com.  They order the first one, place the random number in a file on example.com/.well-known... and then the CA and they can keep re-using that for all future orders for the domain and that account so the customer doesn't need to keep posting a new value.

Doug




From: Ben Wilson [mailto:ben.wilson at digicert.com]
Sent: Friday, July 22, 2016 12:05 PM
To: Doug Beattie; Kirk Hall; validation (validation at cabforum.org<mailto:validation at cabforum.org>)
Subject: RE: Question before we start Ballot 169

Before we post this as a ballot, Kirk asked if  someone could explain the meaning of 3.2.2.4.7(ii) - see below.  Otherwise, it's ready to go.

3.2.2.4.7 DNS Change
Confirming the Applicant's control over the requested FQDN by confirming the presence of a Random Value or Request Token in a DNS TXT or CAA record for an Authorization Domain Name or an Authorization Domain Name that is prefixed with a label that begins with an underscore character.

If a Random Value is used, the CA or Delegated Third Party SHALL provide a Random Value unique to the certificate request and SHALL not use the Random Value after (i) 30 days or (ii) if the Applicant submitted the certificate request, the timeframe permitted for reuse of validated information relevant to the certificate (such as in Section 3.3.1 of these Guidelines or Section 11.14.3 of the EV Guidelines).

From: validation-bounces at cabforum.org<mailto:validation-bounces at cabforum.org> [mailto:validation-bounces at cabforum.org] On Behalf Of Doug Beattie
Sent: Thursday, July 21, 2016 1:54 PM
To: Kirk Hall <Kirk.Hall at entrust.com<mailto:Kirk.Hall at entrust.com>>; validation (validation at cabforum.org<mailto:validation at cabforum.org>) <validation at cabforum.org<mailto:validation at cabforum.org>>
Subject: Re: [cabf_validation] Question before we start Ballot 169

Ignore that last email as you have already answered it.  This one appeared as the most recent in my mail client, so it must have been stuck in our mail filter longer than the others....

From: Doug Beattie
Sent: Thursday, July 21, 2016 3:50 PM
To: 'Kirk Hall'; validation (validation at cabforum.org<mailto:validation at cabforum.org>)
Subject: RE: Question before we start Ballot 169

I'd suggest not changing the ballot now, go with it.  GlobalSIgn was one endorser, maybe Trustwave was the other?  DigiCert as the author.

From: validation-bounces at cabforum.org<mailto:validation-bounces at cabforum.org> [mailto:validation-bounces at cabforum.org] On Behalf Of Kirk Hall
Sent: Thursday, July 21, 2016 2:38 PM
To: validation (validation at cabforum.org<mailto:validation at cabforum.org>)
Subject: [cabf_validation] Question before we start Ballot 169

On the call today, there were no objections to starting Ballot 169, so I guess we can.

Ben - the most recent Ballot 169 draft doesn't list the proposer and endorsers.  Do you remember who that was?

Question:  I just noticed that the Ballot (and existing BR 3.2.2.4) uses the term Domain Name System about six times total, but it is not included in our Definitions.  (I see we list DNS as an acronym for Domain Name System, and it's pretty well defined outside of the BRs: https://en.wikipedia.org/wiki/Domain_Name_System )

Do we care?  Or just go with the Ballot as written now?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/validation/attachments/20160726/81883f54/attachment.html

More information about the Validation mailing list