[cabf_validation] Validation methods used for Wildcards/ADNs

Adriano Santoni adriano.santoni at staff.aruba.it
Fri Dec 18 09:55:44 UTC 2020 

Ryan,

do I understand correctly that your post below implies the following? 
(first bullet is just a typical example, of course it would be the same 
for all subdomains)

  * if domain validation is passed on (say) domain.tld by the website
    change method (§3.2.2.4.6), then a certificate containing
    www.domain.tld MUST NOT be issued
  * if domain validation is passed on (say) domain.tld by the website
    change method (§3.2.2.4.6), then a certificate containing
    *.domain.tld MUST NOT be issued

Adriano


Il 03/12/2020 02:31, Ryan Sleevi via Validation ha scritto:
> Hey all,
>
> I know we're not quite done with the certificate profile work, and I'm 
> not wanting to distract from that too much. However, one of the 
> long-standing items we had from our Herndon, VA validation summit 
> (from Meeting 43) was in harmonizing the rules around what 3.2.2.4 
> methods can be used for Authorization Domain Names / Wildcard Domain 
> Names.
>
> I made an initial attempt at 
> https://github.com/cabforum/servercert/compare/main...sleevi:2020-12-01_Wildcard_Rules 
> <https://github.com/cabforum/servercert/compare/main...sleevi:2020-12-01_Wildcard_Rules> 
> to capture this. In effect, allowing validation as an ADN is 
> conceptually "the same as" allowing a Wildcard Domain Name, since the 
> ADN can authorize all children/grandchildren/etc of a domain, and a 
> Wildcard is just a cert that works for all children of a domain.
>
> As we've become aware of some CAs having poorly evaluated the security 
> risks in this space, we'd like to try to close this gap. Here's the 
> TL;DR summary
>
>   * 3.2.2.4.6: Agreed-upon Change to Website
>       o Sunset 2020-06-03 for new validations
>   * 3.2.2.4.18: Agreed-upon Change to Website v2
>   * 3.2.2.4.19: Agreed-upon Change to Website - ACME
>
> (The other bits are just aligning some of the language, so that "MAY 
> NOT" becomes a clearer "MUST NOT", even though we mean the same)
>
> These methods are proposed to *only* authorize a single FQDN, because 
> they only demonstrate control over a specific service/port on a 
> specific FQDN, and not demonstration of control over the whole domain 
> namespace. This aligns with 3.2.2.4.20 (TLS using ALPN), which also 
> only demonstrates control over a single service/port on a single FQDN.
>
> This doesn't touch 3.2.2.4.4 (Constructed Email to Domain Contact), 
> although we identified that one as potentially messy. However, 
> hopefully we'll see that one fully sunset separately, in favor of the 
> improved CAA methods (.13 - .17).
>
> It'd be useful to spend a few minutes on the call discussing folks 
> initial reactions. The big question, as always, is going to be 
> timelines for changes. If folks think more time is needed than 
> "immediately", my request is that they'd share concrete data.
>
> Since Ballot 190 (2017-09-19), CAs have been required to maintain 
> records of the validation methods they use, so this "should" be as 
> easy as scanning all unexpired validations for these three methods and 
> identifying cetrs which have a SAN that doesn't equal the validated 
> FQDN (e.g. a cert with "www.example.com <http://www.example.com>" when 
> the method used was 3.2.2.4.6 for "example.com <http://example.com>"). 
> Just sharing those numbers is useful to understand any challenges CAs 
> might face.
>
> For example:
>
>   * 30% of our certificates used 3.2.2.4.6. Of that 30%:
>       o 80% of our certificates had at least one FQDN validated by
>         ADN, with 40% of that being "www.".
>       o Of the 20% that had >1, we saw an average of 7.3 additional
>         FQDNs validated by FDN.
>   * 17% of our certificates used 3.2.2.4.18. of that 17% ....
>       o 80% of the FQDNs validated by ADNs were for domains that did
>         not resolve (e.g. "internal.corp.foo.example"), and thus would
>         have to switch to a new validation method or expose those
>         services publicly.
>
> This sort of concrete data helps understand the impact to CAs, and 
> their customers, and thus indirectly, our users. It also helps figure 
> out what reasonable time frames to phase in could be, in the unlikely 
> event a phase-in became necessary.
>
> This sunset "should" be fairly simple and uncontroversial, but since 
> there are edge cases (like internal servers), concrete data like the 
> above is useful if folks have concerns.
>
> _______________________________________________
> Validation mailing list
> Validation at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/validation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20201218/44501cbc/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4557 bytes
Desc: Firma crittografica S/MIME
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20201218/44501cbc/attachment.p7s>

More information about the Validation mailing list