[cabf_validation] Using 3.2.2.4.2/.3 for future domains

Ryan Sleevi sleevi at google.com
Wed Mar 21 08:12:55 MST 2018


On Wed, Mar 21, 2018 at 7:39 AM, Tim Hollebeek <tim.hollebeek at digicert.com>
wrote:

> Delegation to the CA itself, though, can be subject to audit
> requirements.  That’s one of the cases I’m potentially the most concerned
> about.  Delegation to your service provider is something we’ve long agreed
> is a feature, not a bug.
>

I think I disagree here, for the same reason I have struggle with key
protection mechanisms - delegation via a service provider that is a
reseller of the CA is an incredibly simple thing to set up. Indeed, the
"Amazon" case is precisely that, and it seems to be one that gave you
concern - AWS delegating to a third-party CA for the issuance.


> There’s also the point that if domain validations are no longer fresh
> (which may be fine), then we might want to adjust requirements elsewhere,
> for example around 3.2.5 validation of authority (or elsewhere) to
> compensate.  I’ll post a more concrete case that I’m worried about when I
> have more time, because it’s easier to discuss concrete cases.  Maybe if we
> can solve (or not solve) a few concrete cases, it will help.
>

Right, I do think 3.2.5 and 3.2.2.4 are separable concerns.


> Rules around CNAME chasing and redirects outside of the authorized domain
> name have already been discussed in the VWG several times.  Will that just
> encourage people to auto-forward postmaster at example.com to
> email-validation at digicert.com, which auto-responds?  Probably.
>

Exactly.


> These are just things we have to think through.
>
>
>
> These sorts of considerations also cause me to want to start working on
> restricting DCV methods via CAA again, so people can opt their domains out
> of having to worry about some of these things.
>

I'm similarly interested in declaring the validation method(s) used,
particularly for domain names, which provides a way for the domain holder
to validate that the CAA policy is respected. I assume DigiCert's support
for this has not waned since the last time it was discussed (in the context
of 190)?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180321/720b033b/attachment.html>


More information about the Validation mailing list