[cabf_validation] Authorization Email to Domain Contact

Ryan Sleevi sleevi at google.com
Thu Apr 12 10:14:52 MST 2018


On Thu, Apr 12, 2018 at 1:09 PM, Bruce Morton via Validation <
validation at cabforum.org> wrote:

> Here is draft text for a ballot for a new method to validate an FQDN. This
> method is explicit, can be used by all CAs, and meets similar security
> requirements in Methods 2, 6 and 7.
>

I've pointed out several security and design flaws below that are worth
considering.

Can you speak more to the intended use case here?


> ========================
>
>
>
> Add the following to BR 1.6.1. Definitions.
>
> *Authorization Email Address: * The email address used to obtain
> authorization for certificate issuance for a specific FQDN. [Format of the
> indication of the Authorization Email Address could be stated here to
> ensure that it is the same indication to be used by all CAs.]
>
>
>
> Adding the following method to BR 3.2.2.4.
>
> *Authorization Email to Domain Contact *
>
> Confirm the Applicant's control over the FQDN by (i) sending an email to
> one or more Authorization Email Addresses, (ii) including a Random Value in
> the email, and (iii) receiving a confirming response utilizing the Random
> Value. The Authorization Email Address may be found in:
>
>
>
> 1.      DNS CNAME, TXT or CAA record, or
>

This seems like a security disaster (for a new method) to not explicitly
specify the name to be looked up, or, in the case of CAA, the format that
such an attribute is exposed as. For example, as specified, a CA could
entirely incorrectly implement this and treat the iodef email as an
Authorization Email Address.

Further, I fail to see how this information can be expressed as a CNAME
record, given what a CNAME record is. Can you expand upon that?


> 2.      Under the "/.wellknown/pki-validation/auth-email.txt" directory,
> or another path registered with IANA for the purpose of Domain Validation,
> on the Authorization Domain Name stated in a DNS CNAME, TXT or CAA record
> over an Authorized Port
>

Is "auth-email.txt" a directory, or a file? What is the format of this
file? How do you ensure that the e-mail is unambiguously parsed from this
file?
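
An added illustration of the CAA concern raised in this message, not part of the original email or of any CA/B Forum text: a reading of "found in a CAA record" that accepts any email-looking string picks up the iodef reporting address, while a reading pinned to one named property does not. The tag `xauthemail` and the sample records are constructed for this example; the draft under discussion defines no such tag.

```python
import re

# Hypothetical property tag, invented for this example only.
AUTH_TAG = "xauthemail"

# Constructed sample CAA RRset for example.com: (flags, tag, value).
SAMPLE_CAA = [
    (0, "issue", "ca.example.net"),
    (0, "iodef", "mailto:security-reports@example.com"),
    (0, AUTH_TAG, "hostmaster@example.com"),
]

EMAIL_ANYWHERE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
EMAIL_EXACT = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def loose_auth_emails(rrset):
    """Under-specified reading: any email-looking string in any CAA value."""
    found = []
    for _flags, _tag, value in rrset:
        found.extend(EMAIL_ANYWHERE.findall(value))
    return found


def strict_auth_emails(rrset):
    """Only the one named tag counts, and its value must be exactly one address."""
    found = []
    for _flags, tag, value in rrset:
        if tag.lower() != AUTH_TAG:
            continue  # iodef is an incident-report contact, not an authorizer
        if EMAIL_EXACT.fullmatch(value):
            found.append(value)  # anything with extra text is rejected outright
    return found


if __name__ == "__main__":
    print("loose :", loose_auth_emails(SAMPLE_CAA))
    print("strict:", strict_auth_emails(SAMPLE_CAA))
```
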