[cabf_validation] Authorization Email to Domain Contact

Bruce Morton Bruce.Morton at entrustdatacard.com
Thu Apr 12 10:09:10 MST 2018


Here is draft text for a ballot for a new method to validate an FQDN. This method is explicit, can be used by all CAs, and meets similar security requirements in Methods 2, 6 and 7.

Thanks, Bruce.

========================

Add the following to BR 1.6.1. Definitions.
Authorization Email Address: The email address used to obtain authorization for certificate issuance for a specific FQDN. [Format of the indication of the Authorization Email Address could be stated here to ensure that it is the same indication to be used by all CAs.]

Add the following method to BR 3.2.2.4.
Authorization Email to Domain Contact
Confirm the Applicant's control over the FQDN by (i) sending an email to one or more Authorization Email Addresses, (ii) including a Random Value in the email, and (iii) receiving a confirming response utilizing the Random Value. The Authorization Email Address may be found in:

1.      DNS CNAME, TXT or CAA record, or
2.      Under the "/.well-known/pki-validation/auth-email.txt" directory, or another path registered with IANA for the purpose of Domain Validation, on the Authorization Domain Name stated in a DNS CNAME, TXT or CAA record over an Authorized Port

Each email MAY confirm control of multiple FQDNs, provided the email address used is an Authorization Email Address for each FQDN being confirmed.

The Random Value SHALL be unique in each email. The email MAY be re-sent in its entirety, including the re-use of the Random Value, provided that its entire contents and recipient SHALL remain unchanged. The Random Value SHALL remain valid for use in a confirming response for no more than 30 days from its creation. The CPS MAY specify a shorter validity period for Random Values.

Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names.



URL: <http://cabforum.org/pipermail/validation/attachments/20180412/2678e2ae/attachment.html>
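The following is an added worked example of the CA-side checks the proposed method calls for; it is not part of the ballot draft above and not CA/Browser Forum or Entrust code. It assumes a hypothetical indication format, one "auth-email=<address>" per DNS TXT string or per line of auth-email.txt (the draft leaves the format open, so CNAME and CAA carriage is not modelled), and takes the DNS and HTTP fetch results as already-retrieved constructed sample strings so it runs offline. The Random Value is 32 bytes from a CSPRNG, above the Baseline Requirements' 112-bit entropy floor for a Random Value, is single-use, and is bounded by the draft's 30-day lifetime with a CPS-style override to something shorter.

```python
"""Added example (not from the ballot draft): core checks for
"Authorization Email to Domain Contact".  The "auth-email=<address>"
indication format is an assumption; the draft leaves it open."""
import re
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ONE_DAY = timedelta(days=1)
MAX_RANDOM_VALUE_LIFETIME = 30 * ONE_DAY                    # ceiling stated in the draft
EXAMPLE_NOW = datetime(2018, 4, 12, tzinfo=timezone.utc)    # fixed clock for the demo
# Assumed (hypothetical) indication: one "auth-email=<address>" per TXT string
# or per line of /.well-known/pki-validation/auth-email.txt.
AUTH_EMAIL_RE = re.compile(r"^auth-email=(?P<addr>[^@\s]+@[^@\s]+\.[^@\s]+)$")


def parse_authorization_emails(txt_records, wellknown_body=None):
    """Collect the Authorization Email Addresses indicated for one FQDN.

    txt_records: TXT strings already fetched from the Authorization Domain Name.
    wellknown_body: text of auth-email.txt fetched over an Authorized Port, or None.
    Strings that do not match the indication (e.g. an SPF record) are ignored.
    """
    lines = list(txt_records)
    if wellknown_body is not None:
        lines.extend(wellknown_body.splitlines())
    found = set()
    for line in lines:
        m = AUTH_EMAIL_RE.match(line.strip())
        if m:
            found.add(m.group("addr").lower())
    return found


def common_authorization_emails(per_fqdn):
    """Addresses usable for one email covering several FQDNs: the address must
    be an Authorization Email Address for every FQDN, i.e. the intersection."""
    sets = list(per_fqdn.values())
    return set.intersection(*sets) if sets else set()


def authorizes(validated_fqdn, requested_name):
    """Per the draft's note: a validated FQDN also covers names that end with
    all of its labels, including the wildcard of that FQDN."""
    name = requested_name[2:] if requested_name.startswith("*.") else requested_name
    name, base = name.lower().rstrip("."), validated_fqdn.lower().rstrip(".")
    return name == base or name.endswith("." + base)


@dataclass
class Challenge:
    fqdns: tuple
    email: str
    random_value: str
    expires: datetime
    used: bool = False


class EmailChallengeStore:
    """Issues Random Values and accepts confirming responses."""

    def __init__(self, lifetime=MAX_RANDOM_VALUE_LIFETIME):
        if lifetime > MAX_RANDOM_VALUE_LIFETIME:
            raise ValueError("Random Value lifetime may not exceed 30 days")
        self.lifetime = lifetime          # a CPS may choose something shorter
        self._challenges = {}

    def issue(self, fqdns, email, now):
        # 32 CSPRNG bytes = 256 bits, above the BR's 112-bit floor for a Random
        # Value; a fresh value per email (a re-send reuses the same Challenge).
        rv = secrets.token_urlsafe(32)
        ch = Challenge(tuple(fqdns), email, rv, now + self.lifetime)
        self._challenges[rv] = ch
        return ch

    def confirm(self, response_value, now):
        """Return the confirmed FQDNs, or None if unknown, expired or already used."""
        ch = self._challenges.get(response_value)
        if ch is None or ch.used or now > ch.expires:
            return None
        ch.used = True
        return ch.fqdns


if __name__ == "__main__":
    # Constructed sample data standing in for the DNS and HTTP fetches.
    txt = ["v=spf1 -all", "auth-email=hostmaster@example.com"]
    wk = "auth-email=Admin@example.com\n"
    emails = {"example.com": parse_authorization_emails(txt, wk),
              "www.example.com": parse_authorization_emails(["auth-email=admin@example.com"])}
    addr = sorted(common_authorization_emails(emails))[0]
    store = EmailChallengeStore(lifetime=7 * ONE_DAY)
    ch = store.issue(list(emails), addr, EXAMPLE_NOW)
    print("send to", ch.email, "with value", ch.random_value)
    print("confirmed:", store.confirm(ch.random_value, EXAMPLE_NOW + ONE_DAY))
```

The intersection in common_authorization_emails is what enforces the draft's "provided the email address used is an Authorization Email Address for each FQDN being confirmed" clause for a multi-FQDN email; an address indicated for only one of the names never gets chosen. The lookup in confirm is a plain dictionary hit because a 256-bit value is not guessable, but the used flag and the expiry check are what prevent a replayed or stale response from confirming anything.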