[cabf_validation] Authorization Email to Domain Contact

Quirin Scheitle scheitle at net.in.tum.de
Thu Apr 12 10:30:58 MST 2018

Hi Ryan,

> On 12. Apr 2018, at 19:14, Ryan Sleevi via Validation <validation at cabforum.org> wrote:
> This seems like a security disaster (for a new method) to not explicitly specify the name to be looked up, or, in the case of CAA, the format that such an attribute is exposed as. For example, as specified, a CA could entirely incorrectly implement this and treat the iodef email as an Authorization Email Address.

I think you are right, let me propose something more specific in line with my impression from the VWG call:

> […] to not explicitly specify the name to be looked up, […]
> Further, I fail to see how this information can be expressed as a CNAME record, given what a CNAME record is. Can you expand upon that?

The record to be looked up could be the subdomain _dcv or the main domain (i.e., the domain name to be validated). The main domain is certainly a bad idea for CNAME, and maybe for TXT. 
For CAA, I think the main domain could be used. 
For CAA, I propose the tag “dcvemail” with the value of the format “abc at example.com”
For CNAME, I guess one could make it contain an e-mail address, although it certainly is odd.

> Is "auth-email.txt" a directory, or a file? What is the format of this file? How do you ensure that the e-mail is unambiguously parsed from this file?

My intuition would be to make it a file, which solely contains an e-mail address in ASCII. 
If it is unparseable, contains weird characters, or extra information, it is not to be used. 

Hope this helps to get the discussion going. 

Kind regards

More information about the Validation mailing list