[cabf_validation] CNAME ballot
Robin Alden
robin at comodo.com
Mon Mar 6 10:58:17 MST 2017
Jeremy,
Sorry, I just realized you already said this was being added
to the updated 169 ballot.
Please just accept our latecomer support for your inclusion of CNAME in the
"DNS Change" method to that ballot.
Regards
Robin Alden
Comodo
From: Robin Alden [mailto:robin at comodo.com]
Sent: 06 March 2017 17:32
To: 'Doug Beattie' <doug.beattie at globalsign.com>; 'Jeremy Rowley'
<jeremy.rowley at digicert.com>
Cc: 'CA/Browser Forum Validation WG List' <validation at cabforum.org>
Subject: RE: [cabf_validation] CNAME ballot
Hi Jeremy, Doug,
I've been considering domain control validation using
CNAMEs, and I re-read this thread.
Jeremy, we'll endorse your one word insertion, if you're still game.
Doug said..
> What does confirming the presence of a random number in a CNAME record
mean? There is no place to put a random number "in a CNAME record", it's
just an alias.
Yes, there is a place you can put the random value. You put it in the right
hand side of the CNAME.
You're right that it's intended to be an alias, and that DNS name syntax
rules apply to the right hand side of the CNAME, but there is no requirement
that the name at the right hand side of the CNAME actually resolves.
Doug said..
> Assuming this means you can put a random value in the DNS entry for the
fqdn supplied in a CNAME record, Is this change intended to only be used for
DNS validation or can this be used for file based or email validation as
well?
It is not intended to be used with file or email based validation.
3.2.2.4.7 provides a method of confirming applicant control. It is not a
factor or a sub-method to be used within other methods of confirming
control.
In fact the use of CNAMEs in any other method is already achieved by the
definition of 'Authorization Domain Name' which reads:
"Authorization Domain Name: The Domain Name used to obtain authorization for
certificate issuance for a
given FQDN. The CA may use the FQDN returned from a DNS CNAME lookup as the
FQDN for the purposes of
domain validation."
Here's an example that would work with Jeremy's proposed 1 word change to
3.2.2.4.7.
<Example1>
Given: The domain name the applicant wants in a certificate is
'sub1.example.com'.
Given: The CA is WonderCA Corp.
The applicant sets up a DNS record of the form
<_CA-specific-prefix>.domain.com CNAME <rnd>.validation.com
Specifically, in this contrived example
_WonderCA.sub1.example.com CNAME
bm9lwphmmw4jkzym4zjwvnzdiyllr7t9apsdadpj4bjqz2z9al0eg3icoidblyo.wonderca.com
The random value (or request token) in this case is the first 63 character
long DNS label on the right hand side. 63 characters is the longest that a
single DNS label can be, but there would be nothing to stop you using
multiple labels to store a longer value if required - up to the 255
character limit on a DNS name.
So when the CA executes this command
dig _WonderCA.sub1.example.com CNAME +short
this would be the response..
bm9lwphmmw4jkzym4zjwvnzdiyllr7t9apsdadpj4bjqz2z9al0eg3icoidblyo.wonderca.com
.
</Example1>
Regards
Robin
From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Doug
Beattie via Validation
Sent: 15 December 2016 17:08
To: CA/Browser Forum Validation WG List <validation at cabforum.org
<mailto:validation at cabforum.org> >
Cc: Doug Beattie <doug.beattie at globalsign.com
<mailto:doug.beattie at globalsign.com> >
Subject: Re: [cabf_validation] CNAME ballot
Jeremy,
I think we need an example or two with supplemental info with this ballot to
describe how it could be used - not necessarily in the body of the change
for the ballot, but in the introduction/background. I'm still not clear on
the various scenarios for how it could be used.
Doug
From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Doug
Beattie via Validation
Sent: Thursday, December 8, 2016 10:50 AM
To: CA/Browser Forum Validation WG List <validation at cabforum.org
<mailto:validation at cabforum.org> >
Cc: Doug Beattie <doug.beattie at globalsign.com
<mailto:doug.beattie at globalsign.com> >
Subject: Re: [cabf_validation] CNAME ballot
Jeremy,
Sorry I missed the call last week.
What does confirming the presence of a random number in a CNAME record mean?
There is no place to put a random number "in a CNAME record", it's just an
alias.
Assuming this means you can put a random value in the DNS entry for the fqdn
supplied in a CNAME record, Is this change intended to only be used for DNS
validation or can this be used for file based or email validation as well?
In other words, if we have this:
NAME TYPE VALUE
--------------------------------------------------
bar.example.com. CNAME foo.example.com.
Can send an email to admin at foo.example.com <mailto:admin at foo.example.com>
to validate the SAN bar.example.com?
Can I put a random number in well-known on foo.example.com to approve the
SAN bar.example.com?
Assuming you want to use foo.example.com to validate bar.example.com, should
we embed this rule into the definition of Authorization Domain name? I'm
having Deja-vu
Doug
From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of
Jeremy Rowley via Validation
Sent: Thursday, December 1, 2016 10:47 AM
To: validation (validation at cabforum.org <mailto:validation at cabforum.org> )
<validation at cabforum.org <mailto:validation at cabforum.org> >
Cc: Jeremy Rowley <jeremy.rowley at digicert.com
<mailto:jeremy.rowley at digicert.com> >
Subject: [cabf_validation] CNAME ballot
This is the CNAME ballot discussed last week:
Confirming the Applicant's control over the requested FQDN by confirming the
presence of a Random Value or Request Token in a DNS TXT, CNAME, or CAA
record for an Authorization Domain Name or an Authorization Domain Name that
is prefixed with a label that begins with an underscore character.
If a Random Value is used, the CA or Delegated Third Party SHALL provide a
Random Value unique to the certificate request and SHALL not use the Random
Value after (i) 30 days or (ii) if the Applicant submitted the certificate
request, the timeframe permitted for reuse of validated information relevant
to the certificate (such as in Section 3.3.1 of these Guidelines or Section
11.14.3 of the EV Guidelines).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20170306/0073d18d/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5152 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/validation/attachments/20170306/0073d18d/attachment-0001.bin>
More information about the Validation
mailing list