[cabf_validation] Simpler language for 3.2.2.4.6

Mon May 14 12:19:59 MST 2018

Hi Doug,

That sounds like it significantly weakens the guarantees - but perhaps CAs
have been interpreting this using a maximally-liberal form of
interpretation, and this is just reflective of that?

That is, I would have thought "in the content of a file" to mean that the
files content is exclusively that. Similarly, the <meta> tag has defined
syntax about where it can appear.

I'm fully supportive of removing the <meta> tag exception, and I think with
the change to use /.well-known/pki-validation/, this should hopefully be
uncontroversial. Requiring that the file _exclusively_ contain the security
content seems like it would fully remove any cross-format or cross-protocol
issues that would otherwise arise if you can just do a "search for
substring in the file"

Would that be problematic?

On Mon, May 14, 2018 at 3:02 PM, Doug Beattie <doug.beattie at globalsign.com>
wrote:

> Since a meta-tag is within a file (html file), can’t we remove “or on a
> web page in *the form of a meta tag one of the following”*?
>
>
>
> "Confirming the Applicant's control over the requested FQDN by confirming
> the presence of a Request Token or Random Value contained in the content of
> a *under the* "/.well‐known/pki‐validation" directory, or another path
> registered with IANA for the purpose of Domain Validation, on the
> Authorization Domain Name that is accessible by the CA via HTTP/HTTPS over
> an Authorized Port."
>
>
>
> *From:* Validation [mailto:validation-bounces at cabforum.org] *On Behalf Of
> *Dimitris Zacharopoulos via Validation
> *Sent:* Monday, May 14, 2018 2:39 AM
> *To:* Ryan Sleevi <sleevi at google.com>; CA/Browser Forum Validation WG
> List <validation at cabforum.org>
> *Subject:* Re: [cabf_validation] Simpler language for 3.2.2.4.6
>
>
>
> On 14/5/2018 4:37 πμ, Ryan Sleevi wrote:
>
> Could you give a sense of what was found confusing, so as to help spark
> possible ideas?
>
>
>
> Simplification isn't necessarily a good goal - simplification hides
> necessary complexity - but making it more understandable is reasonable.
>
>
>
> This requirement seems very similar to other forms of technical
> requirements in the BRs, so was there anything particular that stood out?
>
>
> I think it is more of a complex English language issue. The part in bold
> sounds very strange to me.
>
> "Confirming the Applicant's control over the requested FQDN by confirming
> the presence of a Request Token or Random Value contained in the content of
> a file or on a web page in *the form of a meta tag one of the following
> under the* "/.well‐known/pki‐validation" directory, or another path
> registered with IANA for the purpose of Domain Validation, on the
> Authorization Domain Name that is accessible by the CA via HTTP/HTTPS over
> an Authorized Port."
>
>
> I made an attempt to make the language easier to read and more
> understandable, while -hopefully- keeping the technical requirements intact.
>
> "Confirming the Applicant's control over the requested FQDN by confirming
> the presence of a Request Token or Random Value contained:
>
>    1. in the content of a file; or
>    2. on a web page in the form of a "meta tag" (BTW, let's introduce
>    some RFC references for the definition of "meta tag")
>
> This file or web page MUST be accessible under the
> "/.well‐known/pki‐validation" directory, or another path registered with
> IANA for the purpose of Domain Validation, on the Authorization Domain Name
> that is accessible by the CA via HTTP/HTTPS over an Authorized Port."
>
> Improvements are always welcome.
>
>
> Dimitris.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180514/4eef84e0/attachment-0001.html>