[cabf_validation] Simpler language for 3.2.2.4.6

Doug Beattie doug.beattie at globalsign.com
Mon May 14 12:33:29 MST 2018


Hi Ryan,

I’m afraid I was responsible for requesting the meta-tag wording in the beginning because that is what we used to do, but with the move to /.well-known/pki-validation/, we dropped that.  I’m fine with deleting that from the spec.

If you’ve been assuming that "in the content of a file" means the exclusive content, then the method should be updated to say that.  Speaking for GlobalSign, we only put the Security Content in the file, perhaps more than one.

Doug





From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Monday, May 14, 2018 3:20 PM
To: Doug Beattie <doug.beattie at globalsign.com>
Cc: Dimitris Zacharopoulos <jimmy at it.auth.gr>; CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: Re: [cabf_validation] Simpler language for 3.2.2.4.6

Hi Doug,

That sounds like it significantly weakens the guarantees - but perhaps CAs have been interpreting this using a maximally-liberal form of interpretation, and this is just reflective of that?

That is, I would have thought "in the content of a file" to mean that the files content is exclusively that. Similarly, the <meta> tag has defined syntax about where it can appear.

I'm fully supportive of removing the <meta> tag exception, and I think with the change to use /.well-known/pki-validation/, this should hopefully be uncontroversial. Requiring that the file _exclusively_ contain the security content seems like it would fully remove any cross-format or cross-protocol issues that would otherwise arise if you can just do a "search for substring in the file"

Would that be problematic?



On Mon, May 14, 2018 at 3:02 PM, Doug Beattie <doug.beattie at globalsign.com<mailto:doug.beattie at globalsign.com>> wrote:
Since a meta-tag is within a file (html file), can’t we remove “or on a web page in the form of a meta tag one of the following”?

"Confirming the Applicant's control over the requested FQDN by confirming the presence of a Request Token or Random Value contained in the content of a under the "/.well‐known/pki‐validation" directory, or another path registered with IANA for the purpose of Domain Validation, on the Authorization Domain Name that is accessible by the CA via HTTP/HTTPS over an Authorized Port."

From: Validation [mailto:validation-bounces at cabforum.org<mailto:validation-bounces at cabforum.org>] On Behalf Of Dimitris Zacharopoulos via Validation
Sent: Monday, May 14, 2018 2:39 AM
To: Ryan Sleevi <sleevi at google.com<mailto:sleevi at google.com>>; CA/Browser Forum Validation WG List <validation at cabforum.org<mailto:validation at cabforum.org>>
Subject: Re: [cabf_validation] Simpler language for 3.2.2.4.6

On 14/5/2018 4:37 πμ, Ryan Sleevi wrote:
Could you give a sense of what was found confusing, so as to help spark possible ideas?

Simplification isn't necessarily a good goal - simplification hides necessary complexity - but making it more understandable is reasonable.

This requirement seems very similar to other forms of technical requirements in the BRs, so was there anything particular that stood out?

I think it is more of a complex English language issue. The part in bold sounds very strange to me.

"Confirming the Applicant's control over the requested FQDN by confirming the presence of a Request Token or Random Value contained in the content of a file or on a web page in the form of a meta tag one of the following under the "/.well‐known/pki‐validation" directory, or another path registered with IANA for the purpose of Domain Validation, on the Authorization Domain Name that is accessible by the CA via HTTP/HTTPS over an Authorized Port."


I made an attempt to make the language easier to read and more understandable, while -hopefully- keeping the technical requirements intact.

"Confirming the Applicant's control over the requested FQDN by confirming the presence of a Request Token or Random Value contained:

  1.  in the content of a file; or
  2.  on a web page in the form of a "meta tag" (BTW, let's introduce some RFC references for the definition of "meta tag")
This file or web page MUST be accessible under the "/.well‐known/pki‐validation" directory, or another path registered with IANA for the purpose of Domain Validation, on the Authorization Domain Name that is accessible by the CA via HTTP/HTTPS over an Authorized Port."

Improvements are always welcome.


Dimitris.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180514/c9d6e593/attachment.html>


More information about the Validation mailing list