[cabf_validation] Ballot 190

Jeremy Rowley jeremy.rowley at digicert.com
Thu May 4 18:01:31 MST 2017


Looking at this more, I think this ballot has unintended implications on
validation. For instance, the ballot is unclear on reuse of validation
information for subsequent domains subordinate to the FQDN. I'm pretty sure
most CAs do this. For example, if I make a phone call to the WHOIS contact
under method 3, previously I could verify example.com and ask them if they
would like to also allow secure.example.com, mail.example.com, etc.
However, now:

"Each phone call SHALL be made to a single number and MAY confirm control of
multiple FQDNs, provided that the phone number is identified by the Domain
Registrar as a valid contact method for every Base Domain Name being
verified using the phone call."

So, I can still sort-of do this provided I ask the contact if I can reuse it
for all sub-FQDNs of the base domain? It's definitely not clear what the
multiple FQDNs includes. Does each one need to be named?

 

I also don't understand why methods 1-3 do not permit the use of
authorization domain names but method 4 does. Why is method 4 better than
1-3?

 

Does this need clarity? My biggest concern is the Mozilla policy already
implemented these methods and they go into effect on June 1. This is bad as
I can't tell what the intended effect is and what the limits are on
validation. 

 

Jeremy

 

 

 

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of
Jeremy Rowley via Validation
Sent: Thursday, May 4, 2017 4:40 PM
To: Doug Beattie <doug.beattie at globalsign.com>; CA/Browser Forum Validation
WG List <validation at cabforum.org>
Cc: Jeremy Rowley <jeremy.rowley at digicert.com>
Subject: Re: [cabf_validation] Ballot 190

 

For 1-3, the method permits you to verify with a Domain Contact. The Domain
Contact is defined as one at the FQDN or base level.  No authorization
domain is permitted in the definition. 

 

DAD cannot be used for Authorization Domain or Base Domain. The method
specifically says FQDN. 

 

I bring this up because I thought we permitted Authorization Domain in more
places.  Just making sure it was intentional to exclude it in several
places.

 

From: Doug Beattie [mailto:doug.beattie at globalsign.com] 
Sent: Thursday, May 4, 2017 2:11 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Jeremy Rowley <jeremy.rowley at digicert.com>
Subject: RE: Ballot 190

 

Why do you have FQDN checked for 1-3?  I think you'd only do FQDN level
validation if you also allow Authorization domain.

 

Can a DAD be used for Authorization domain and base domain?  Not sure.


See comments below.


Doug

 

 


Method | FQDN | Authorization Domain | Base Domain
1. Domain Contact - This method relies on the definition of Domain Contact which specifies the WHOIS person either at the FQDN or base domain. | X | - | X
2. WHOIS Email - Only permits email to domain contact, but one of the sentences mentions Authorization Domain? | X | - | X
3. WHOIS Phone - Same as Email | X | - | X
4. Constructed Email - sending the email to authorization domain | X | X | X
5. Domain Document | X | X? | X?
6. Agreed-Upon Change - Authorization domain specifically mentioned | X | X | X
7. DNS Change - Authorization domain name is mentioned but also permits underscore | X | X | X
8. IP Address - No Authorization domain mentioned | X | - | -
9. Test Cert - Authorization domain mentioned | X | X | X
10. TLS Using a Random Number - Authorization Domain mentioned | X | X | X

 

Doug

 

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of
Jeremy Rowley via Validation
Sent: Thursday, May 4, 2017 3:46 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Jeremy Rowley <jeremy.rowley at digicert.com>
Subject: [cabf_validation] Ballot 190

 

I wanted to make sure that I'm implementing the methods correctly. For each
FQDN you can verify the FQDN using the FQDN, an Authorization Domain, or
Base Domain, as specified in the method. Going through the methods, it looks
like the verification listed in the table below is permitted. Is this
everyone else's understanding? 

 


Method | FQDN | Authorization Domain | Base Domain
1. Domain Contact - This method relies on the definition of Domain Contact which specifies the WHOIS person either at the FQDN or base domain. | X | - | X
2. WHOIS Email - Only permits email to domain contact, but one of the sentences mentions Authorization Domain? | X | - | X
3. WHOIS Phone - Same as Email | X | - | X
4. Constructed Email - sending the email to authorization domain | X | X | X
5. Domain Document | X | - | -
6. Agreed-Upon Change - Authorization domain specifically mentioned | X | X | X
7. DNS Change - Authorization domain name is mentioned but also permits underscore | X | X | X
8. IP Address - No Authorization domain mentioned | X | - | -
9. Test Cert - Authorization domain mentioned | X | X | X
10. TLS Using a Random Number - Authorization Domain mentioned | X | X | X

 

 

Example, 

 

FQDN: Secure.mail.example.com


Method | Permitted Validation Domains
1. Domain Contact | Secure.mail.example.com; Example.com
2. WHOIS Email | Secure.mail.example.com; Example.com
3. WHOIS Phone | Secure.mail.example.com; Example.com
4. Constructed Email | Secure.mail.example.com; mail.example.com; Example.com
5. Domain Document | Secure.mail.example.com
6. Agreed-Upon Change | Secure.mail.example.com; mail.example.com; Example.com
7. DNS Change | Secure.mail.example.com; mail.example.com; Example.com; _{value}.Secure.mail.example.com; _{value}.mail.example.com; _{value}.Example.com
8. IP Address | Secure.mail.example.com
9. Test Certificate | Secure.mail.example.com; mail.example.com; Example.com
10. TLS w/ Random Number | Secure.mail.example.com; mail.example.com; Example.com
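
[Added example, not part of the original thread or of any CA's code: a Python sketch that reproduces the "Permitted Validation Domains" table above for any FQDN, using the per-method scope checked in the original message's table. The function names and the METHOD_SCOPE mapping are hypothetical, and the base domain is assumed to be supplied by the caller rather than derived from registry data.]

```python
# Added example: encodes the table in this thread, not the Baseline Requirements text.
FQDN_ONLY, FQDN_AND_BASE, ALL_LEVELS = "fqdn", "fqdn+base", "all"

# Columns checked per method in the original message's table. Method 5 follows
# that table; the reply marks its other two columns "X?".
METHOD_SCOPE = {
    1: FQDN_AND_BASE, 2: FQDN_AND_BASE, 3: FQDN_AND_BASE,
    4: ALL_LEVELS, 5: FQDN_ONLY, 6: ALL_LEVELS, 7: ALL_LEVELS,
    8: FQDN_ONLY, 9: ALL_LEVELS, 10: ALL_LEVELS,
}


def authorization_domain_names(fqdn, base_domain):
    """FQDN, then each name left after removing labels from the left, down to the base domain."""
    fqdn = fqdn.rstrip(".").lower()
    base = base_domain.rstrip(".").lower()
    # Match on a label boundary so "evil-example.com" is not treated as under "example.com".
    if fqdn != base and not fqdn.endswith("." + base):
        raise ValueError(f"{fqdn} is not under base domain {base}")
    labels = fqdn.split(".")
    depth = len(labels) - len(base.split("."))
    return [".".join(labels[i:]) for i in range(depth + 1)]


def permitted_validation_domains(method, fqdn, base_domain, dns_value=None):
    """Names at which validation may be performed for `fqdn` under `method`, per the table."""
    chain = authorization_domain_names(fqdn, base_domain)
    scope = METHOD_SCOPE[method]
    if scope == FQDN_ONLY:
        names = chain[:1]
    elif scope == FQDN_AND_BASE:
        # dict.fromkeys drops the duplicate when the FQDN is itself the base domain.
        names = list(dict.fromkeys([chain[0], chain[-1]]))
    else:
        names = list(chain)
    if method == 7 and dns_value:
        # Method 7 also permits an underscore-prefixed label at each level.
        names += [f"_{dns_value}.{name}" for name in chain]
    return names


if __name__ == "__main__":
    for m in sorted(METHOD_SCOPE):
        print(m, "; ".join(permitted_validation_domains(
            m, "Secure.mail.example.com", "example.com", dns_value="value")))
```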


 

 

 
