[cabf_validation] Method 7, when the CA is involved
Tim Hollebeek
tim.hollebeek at digicert.com
Thu Dec 2 20:41:40 UTC 2021
As discussed on the November 18th validation subcommittee call,
I offered to write some text that would clarify the importance
of binding the request to the customer when doing method 7,
for CAs that allow DNS delegation to a domain they control.
For the purposes of starting the discussion, what about adding
the following text to the end of Method 7 (3.2.2.4.7), before
the ubiquitous Note:
---
CAs MAY operate domains for the purpose of assisting customers
with this validation, and MAY instruct customers to add a CNAME
redirect from an Authorization Domain Name to such a domain.
If the CA does so, the CA SHALL ensure that each domain name is
used for a unique Applicant, and not shared across multiple
Applicants.
---
This at least fixes the urgent problem, which is that some CAs
might currently be doing this in insecure ways.
-Tim
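As an added illustration (not part of the original post or any CA's code), the following models the Applicant-binding check the proposed text would require for Method 7 CNAME delegation: the CNAME target must be a delegation domain the CA itself issued, and it must be bound to the requesting Applicant. DNS lookups and the CA-side registry are replaced by constructed in-memory tables so it runs offline; all names and identifiers are hypothetical.

```python
import secrets
from dataclasses import dataclass

# Constructed DNS data: Authorization Domain Name -> CNAME target (hypothetical).
FAKE_CNAMES = {
    "_validation.example.com.": "abc123.dcv.ca-example.net.",
    "_validation.example.org.": "abc123.dcv.ca-example.net.",  # points at a domain not issued to example.org's Applicant
    "_validation.example.net.": "def456.dcv.ca-example.net.",
}

# Hypothetical CA-side registry: each CA-operated delegation domain is issued
# to exactly one Applicant, which is what the proposed text requires.
DELEGATION_OWNERS = {
    "abc123.dcv.ca-example.net.": "applicant-1001",
    "def456.dcv.ca-example.net.": "applicant-2002",
}

CA_SUFFIX = ".dcv.ca-example.net."  # hypothetical CA-operated zone


@dataclass
class Result:
    ok: bool
    reason: str


def issue_delegation_domain(applicant_id, owners=DELEGATION_OWNERS):
    """Mint a fresh, unguessable delegation domain and bind it to one Applicant."""
    while True:
        name = secrets.token_hex(8) + CA_SUFFIX
        if name not in owners:          # never reuse a domain across Applicants
            owners[name] = applicant_id
            return name


def validate_method7_cname(adn, applicant_id, zone=FAKE_CNAMES, owners=DELEGATION_OWNERS):
    """Return Result(ok, reason) for a Method 7 request delegated via CNAME."""
    target = zone.get(adn)
    if target is None:
        return Result(False, "no CNAME at Authorization Domain Name")
    if not target.endswith(CA_SUFFIX):
        return Result(False, "CNAME does not point at a CA-operated delegation domain")
    owner = owners.get(target)
    if owner is None:
        return Result(False, "delegation domain was never issued by this CA")
    if owner != applicant_id:
        return Result(False, "delegation domain is bound to a different Applicant")
    return Result(True, "CNAME target is bound to the requesting Applicant")
```

The random-value placement at the target that Method 7 already requires still applies; this check only adds the Applicant binding the proposal asks for.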