<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Yu Mincho";
panose-1:2 2 4 0 0 0 0 0 0 0;}
@font-face
{font-family:"\@Yu Mincho";}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
p.p1, li.p1, div.p1
{mso-style-name:p1;
margin:0in;
margin-bottom:.0001pt;
font-size:9.0pt;
font-family:Helvetica;}
p.p2, li.p2, div.p2
{mso-style-name:p2;
margin:0in;
margin-bottom:.0001pt;
font-size:9.0pt;
font-family:Helvetica;}
span.s1
{mso-style-name:s1;
font-family:"Cambria",serif;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:380903646;
mso-list-type:hybrid;
mso-list-template-ids:-319496508 -19765990 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.25in;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:1.75in;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.25in;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.75in;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:3.25in;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.75in;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.25in;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:4.75in;
text-indent:-9.0pt;}
@list l1
{mso-list-id:769086398;
mso-list-type:hybrid;
mso-list-template-ids:10657352 -667239002 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.25in;
text-indent:-.25in;}
@list l1:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.75in;
text-indent:-.25in;}
@list l1:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:2.25in;
text-indent:-9.0pt;}
@list l1:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.75in;
text-indent:-.25in;}
@list l1:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.25in;
text-indent:-.25in;}
@list l1:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:3.75in;
text-indent:-9.0pt;}
@list l1:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.25in;
text-indent:-.25in;}
@list l1:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.75in;
text-indent:-.25in;}
@list l1:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:5.25in;
text-indent:-9.0pt;}
@list l2
{mso-list-id:814564104;
mso-list-type:hybrid;
mso-list-template-ids:-1868367128 2091827342 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l2:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.25in;}
@list l2:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.25in;
text-indent:-.25in;}
@list l2:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:1.75in;
text-indent:-9.0pt;}
@list l2:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.25in;
text-indent:-.25in;}
@list l2:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.75in;
text-indent:-.25in;}
@list l2:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:3.25in;
text-indent:-9.0pt;}
@list l2:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.75in;
text-indent:-.25in;}
@list l2:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.25in;
text-indent:-.25in;}
@list l2:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
margin-left:4.75in;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style>
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="p1"><span style="font-size:12.0pt;font-family:"Calibri",sans-serif">Hi Tim,<o:p></o:p></span></p>
<p class="p1"><span style="font-size:12.0pt;font-family:"Calibri",sans-serif">I did look through the 10 methods while developing this language. Given the following assumptions:<o:p></o:p></span></p>
<p class="p1"><span style="font-size:12.0pt;font-family:"Calibri",sans-serif"> 1) The ability to create and/or manipulate the contents of DNS records at a given FQDN is sufficient to perform domain validation for it and all children nodes in DNS (using method
7), so if an attacker wishes to leverage a DADL for DV, they may as well just use method 7 and directly create a TXT record containing the Random Value/Request Token.<o:p></o:p></span></p>
<p class="p1"><span style="font-size:12.0pt;font-family:"Calibri",sans-serif"> 2) Since Applicants can create static CNAME records to delegate domain validation (for example, a static CNAME record for “_acme-challenge.example.com” to “account-123.dv.myca.com”),
there is no need for freshness of the DADL record.<o:p></o:p></span></p>
<p class="p1"><span style="font-size:12.0pt;font-family:"Calibri",sans-serif"> 3) Given #1 and #2, a DADL record is identical to a CNAME record, except that:<o:p></o:p></span></p>
<p class="p1"><span class="apple-converted-space"><span style="font-size:12.0pt;font-family:"Calibri",sans-serif"> </span></span><span style="font-size:12.0pt;font-family:"Calibri",sans-serif">a) It is specific for domain validation only<o:p></o:p></span></p>
<p class="p1"><span class="apple-converted-space"><span style="font-size:12.0pt;font-family:"Calibri",sans-serif">
</span></span><span style="font-size:12.0pt;font-family:"Calibri",sans-serif">b) It delegates to a subdomain of the given Domain Name only (not to another branch of DNS or to a parent node)<o:p></o:p></span></p>
<p class="p1"><span class="apple-converted-space"><span style="font-size:12.0pt;font-family:"Calibri",sans-serif"> </span></span><span style="font-size:12.0pt;font-family:"Calibri",sans-serif">c) Unlike CNAME, it allows for other Resource Records to exist
at the given Domain Name.<o:p></o:p></span></p>
<p class="p1"><span style="font-size:12.0pt;font-family:"Calibri",sans-serif"> 4) All methods that allow validation at an ADN as of BR version 1.5.6 still allow use of an ADN (we discussed restricting certain methods, such as Method 6, to allow validation
at the FQDN only. I’m ignoring that for now, since a separate analysis is required).<o:p></o:p></span></p>
<p class="p2"><span style="font-size:12.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="p1"><span style="font-size:12.0pt;font-family:"Calibri",sans-serif">I determined the redefinition will impact the 10 Blessed Methods accordingly:<o:p></o:p></span></p>
<p class="p2"><span style="font-size:12.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="p1"><span style="font-size:12.0pt;font-family:"Calibri",sans-serif">1) :)<o:p></o:p></span></p>
<p class="p1"><span style="font-size:12.0pt;font-family:"Calibri",sans-serif">2) This is weird, as the text states “<span class="s1"><span style="font-family:"Calibri",sans-serif">Each email, fax, SMS, or postal mail MAY confirm control of multiple Authorization
Domain Names</span></span>”. But the validation/confirmation of control is done for the FQDN, not any ADNs. My initial thought was that we could do something similar to method #3 (which states something to the effect of anything under the Base Domain Name
is validated), but that ignores the possibility that a DNS SOA record for a child zone under the Base Domain Name can be used for domain validation using this method (and obviously would validate only FQDNs in that child zone, not all FQDNs under the Base
Domain Name). In other words, further analysis/wordsmithing required :)<o:p></o:p></span></p>
<p class="p1"><span style="font-size:12.0pt;font-family:"Calibri",sans-serif">3) N/A (ADN not used)<o:p></o:p></span></p>
<p class="p1"><span style="font-size:12.0pt;font-family:"Calibri",sans-serif">4) Given assumption #3, and that mail clients chase aliases when resolving the domain name, there are no surprising security properties of the redefinition of ADN.<o:p></o:p></span></p>
<p class="p1"><span style="font-size:12.0pt;font-family:"Calibri",sans-serif">5) :))<o:p></o:p></span></p>
<p class="p1"><span style="font-size:12.0pt;font-family:"Calibri",sans-serif">6) Given assumption #3, and that the DNS resolution logic used by HTTP(S) clients generally chase aliases when resolving the server hostname to an IP address, there is nothing surprising
here.<o:p></o:p></span></p>
<p class="p1"><span style="font-size:12.0pt;font-family:"Calibri",sans-serif">7) As mentioned in my previous email, modifying the ADN definition does allow for validation at a sub-sub-domain of the FQDN. This is undesirable, but I don’t address that for now
as we likely need to rework method 7 to allow only an explicit set of subdomains (ie, “_acme-challenge”).<o:p></o:p></span></p>
<p class="p1"><span style="font-size:12.0pt;font-family:"Calibri",sans-serif">8) N/A<o:p></o:p></span></p>
<p class="p1"><span style="font-size:12.0pt;font-family:"Calibri",sans-serif">9) Given assumption #3, and that the DNS resolution logic used to make TLS connections generally chase aliases, there is nothing surprising here.<o:p></o:p></span></p>
<p class="p1"><span style="font-size:12.0pt;font-family:"Calibri",sans-serif">10) See #9.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal">I’ll respond to Ryan’s comments in a separate email.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Corey<o:p></o:p></p>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
</div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:black">From: </span></b><span style="color:black">Tim Hollebeek <tim.hollebeek@digicert.com><br>
<b>Date: </b>Tuesday, April 24, 2018 at 10:44 AM<br>
<b>To: </b>Corey Bonnell <CBonnell@trustwave.com>, CA/Browser Forum Validation WG List <validation@cabforum.org><br>
<b>Subject: </b>RE: [cabf_validation] Designated Authorization Domain Label (method F) write-up<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><a name="_MailOriginalBody"><span style="font-size:11.0pt">Also, have you looked through all the places where ADN is used and verified this definition change doesn’t have unfortunate undesired consequences?</span><o:p></o:p></a></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:11.0pt"> </span><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:11.0pt">-Tim</span><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:11.0pt"> </span><o:p></o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"><b><span style="font-size:11.0pt">From:</span></b></span><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:11.0pt"> Validation [mailto:validation-bounces@cabforum.org]
<b>On Behalf Of </b>Corey Bonnell via Validation<br>
<b>Sent:</b> Tuesday, April 24, 2018 9:25 AM<br>
<b>To:</b> validation@cabforum.org<br>
<b>Subject:</b> [cabf_validation] Designated Authorization Domain Label (method F) write-up</span><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody">I wrote up a preliminary “ballot text” for Method F (using a subdomain to function as an Authorization Domain Name for a FQDN) as defined in the Validation Summit Findings document.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody">Since this proposed change increases the number of ADNs, I believe that explicit opt-in is required so that the ecosystem is not negatively affected if this method is allowed. The mechanism chosen
is a DNS TXT record with a specific syntax for the RDATA value. Using DNS TXT over another record type has three advantages:<o:p></o:p></span></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoNormalCxSpMiddle" style="margin-left:.25in;mso-add-space:auto;mso-list:l2 level1 lfo1">
<span style="mso-bookmark:_MailOriginalBody">There is precedent for this syntax, as DKIM and SPF records use a very similar syntax.<o:p></o:p></span></li><li class="MsoNormalCxSpMiddle" style="margin-left:.25in;mso-add-space:auto;mso-list:l2 level1 lfo1">
<span style="mso-bookmark:_MailOriginalBody">TXT is a universally supported record type, unlike other alternatives.<o:p></o:p></span></li><li class="MsoNormalCxSpMiddle" style="margin-left:.25in;mso-add-space:auto;mso-list:l2 level1 lfo1">
<span style="mso-bookmark:_MailOriginalBody">TXT has an advantage over CAA in that the presence of TXT records at a specific Domain Name does not halt CAA tree-climbing and does not invert the CAA restriction model. The current CAA tree-climbing logic indicates
that tree-climbing for records stops upon encountering a non-empty CAA record set. This means that, if in the course of CAA processing, a non-empty CAA record set is encountered that contains only property tags which signal allowed domain validation methods
but otherwise does not contain any issue/issuewild records which restrict the set of CAs that are allowed to issue, then any CA can issue for that domain. If the domain owner wishes to both restrict domain validation methods AND restrict the set of allowed
CAs, they must repeat these records at every subdomain that may be used as an ADN if any CAA record differs from the CAA records at a parent Domain Name. In addition, the CAA tree-climbing process (which starts at the most specific Domain Name) is the inverse
of ADN processing (where authorization is top-down), creating an impedance mismatch that is both difficult to comprehend and is error-prone for domain owners. As such, TXT records were selected as the preferred mechanism to opt-in for Method F.<o:p></o:p></span></li></ol>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody">This proposed method allows domain owners to create a special TXT record at a FQDN to signal that a specific subdomain (called the “DADL”, or “Designated Authorization Domain Label”) is allowed
to be an Authorization Domain Name of the FQDN.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody">Assume a domain owner owns “example.com”. For operational reasons, they cannot use any of the accepted domain validation methods directly against “example.com”, but they can provision a web server
at “_pki-validation.example.com” to perform domain validation. As such, they create a TXT record at “example.com” to designate “_pki-validation” as the DADL for “example.com”:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"></span><a href="http://scanmail.trustwave.com/?c=4062&d=r8Lf2tsBK6gPsVNBW9LnqAJotHOPdIVFjOayKP9kpw&s=5&u=http%3a%2f%2fexample%2ecom"><span style="mso-bookmark:_MailOriginalBody">example.com.</span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody">
IN TXT “v=DADL1; l=_pki-validation”<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody">There is an initial overhead in creating the TXT record at
</span><a href="http://scanmail.trustwave.com/?c=4062&d=r8Lf2tsBK6gPsVNBW9LnqAJotHOPdIVFjOayKP9kpw&s=5&u=http%3a%2f%2fexample%2ecom"><span style="mso-bookmark:_MailOriginalBody">example.com,</span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody">
but moving forward the domain owner can use the _pki-validation subdomain for domain validation.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody">There is also support for DADLs at aliases. Assume that “example.thecdn.com” is an alias for “example.com”. If the domain owner for “example.com” wishes to use “_pki-validation.example.thecdn.com”
as the ADN, they can create the following TXT record at “example.thecdn.com”:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"></span><a href="http://scanmail.trustwave.com/?c=4062&d=r8Lf2tsBK6gPsVNBW9LnqAJotHOPdIVFjOK_IqprpQ&s=5&u=http%3a%2f%2fexample%2ethecdn%2ecom"><span style="mso-bookmark:_MailOriginalBody">example.thecdn.com.</span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody">
IN TXT “v=DADL1; l=_pki-validation”<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody">Note that the current algorithm I have below does not permit the DADL to itself have an alias. This was done to keep the number of ADNs reasonable, but we may determine that allowing aliases
in this case is desirable.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody">Also, method 7 (DNS change) allows for an arbitrary subdomain which starts with an underscore to function as the ADN for a given FQDN. This means that in combination with the DADL, a sub-sub-domain
of the FQDN can be allowed as the ADN. This has undesirable security properties, so I imagine we’d want to restrict that. However, I don’t address this situation, as we discussed restricting method 7 at the Validation Summit. I can modify this ballot text
when we determine what to do about method 7.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody">Without further ado:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody">Modify the following to BR 1.6.1 Definition:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"><b>Authorization Domain Name:
</b>The Domain Name used to obtain authorization for certificate issuance for a given FQDN, which is determined using the following algorithm:<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="mso-bookmark:_MailOriginalBody">Let PARENT(X) be the parent Domain Name of X. The parent Domain Name is determined by removing the leftmost label of X.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"> Let NOWILD(X) be PARENT(X) if X starts with “*.” (Unicode U+002A ASTERISK and U+002E FULL STOP). If X does not start with “*.”, then NOWILD(X) is X.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"> Let ALIAS(X) be the target of DNS alias chasing at X. If there is no alias for X, then ALIAS(X) is NIL.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"> Let DADL(X) be the result of performing the following algorithm:<o:p></o:p></span></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoNormal" style="margin-left:.75in;mso-list:l1 level1 lfo2"><span style="mso-bookmark:_MailOriginalBody">Perform a DNS TXT lookup at X.<o:p></o:p></span></li><li class="MsoNormal" style="margin-left:.75in;mso-list:l1 level1 lfo2"><span style="mso-bookmark:_MailOriginalBody">For each TXT record in the retrieved Resource Record Set from step 1, check that the record’s RDATA string matches the following ABNF grammar
(as per RFC 5234):<o:p></o:p></span></li></ol>
<p class="MsoNormal" style="margin-left:1.0in;text-indent:.5in"><span style="mso-bookmark:_MailOriginalBody"><span style="font-family:"Times New Roman",serif">rdata = “v=DADL1;” *WSP “l=” label [“;”]</span><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in;text-indent:.5in"><span style="mso-bookmark:_MailOriginalBody"><span style="font-family:"Times New Roman",serif">label = “_” (ALPHA / DIGIT) *( *"-" (ALPHA / DIGIT))</span><o:p></o:p></span></p>
<ol style="margin-top:0in" start="3" type="1">
<li class="MsoNormal" style="margin-left:.75in;mso-list:l1 level1 lfo2"><span style="mso-bookmark:_MailOriginalBody">If there is a match found in step 2, then DADL(X) is the concatenation of the “label” value, Unicode U+002E FULL STOP character (“.”), and X.
If there is no such match for any retrieved TXT records, then DADL(X) is NIL. <o:p>
</o:p></span></li></ol>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoNormal" style="margin-left:.25in;mso-list:l0 level1 lfo3"><span style="mso-bookmark:_MailOriginalBody">Let X be the FQDN to be validated.<o:p></o:p></span></li><li class="MsoNormal" style="margin-left:.25in;mso-list:l0 level1 lfo3"><span style="mso-bookmark:_MailOriginalBody">Let X’ be the result of NOWILD(X).<o:p></o:p></span></li><li class="MsoNormal" style="margin-left:.25in;mso-list:l0 level1 lfo3"><span style="mso-bookmark:_MailOriginalBody">Add X’ to the set of candidate Domain Names.<o:p></o:p></span></li><li class="MsoNormal" style="margin-left:.25in;mso-list:l0 level1 lfo3"><span style="mso-bookmark:_MailOriginalBody">Let A be the result of ALIAS(X’).
<o:p></o:p></span></li></ol>
<p class="MsoNormal" style="margin-left:1.5in;text-indent:-.25in;mso-list:l0 level2 lfo3">
<span style="mso-bookmark:_MailOriginalBody"><![if !supportLists]><span style="mso-list:Ignore">a.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>If A is not NIL, then:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.75in;text-indent:-1.75in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo3">
<span style="mso-bookmark:_MailOriginalBody"><![if !supportLists]><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">
</span>i.<span style="font:7.0pt "Times New Roman""> </span></span><![endif]> Add A to the set of candidate Domain Names.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.75in;text-indent:-1.75in;mso-text-indent-alt:-9.0pt;mso-list:l0 level3 lfo3">
<span style="mso-bookmark:_MailOriginalBody"><![if !supportLists]><span style="mso-list:Ignore"><span style="font:7.0pt "Times New Roman"">
</span>ii.<span style="font:7.0pt "Times New Roman""> </span></span><![endif]>If DADL(A) is not NIL, then add DADL(A) to the set of candidate Domain Names.<o:p></o:p></span></p>
<ol style="margin-top:0in" start="4" type="1">
<ol style="margin-top:0in" start="2" type="a">
<li class="MsoNormal" style="margin-left:.25in;mso-list:l0 level2 lfo3"><span style="mso-bookmark:_MailOriginalBody">If A is NIL and DADL(X’) is not NIL, then add DADL(X’) to the set of candidate Domain Names.<o:p></o:p></span></li></ol>
</ol>
<ol style="margin-top:0in" start="5" type="1">
<li class="MsoNormal" style="margin-left:.25in;mso-list:l0 level1 lfo3"><span style="mso-bookmark:_MailOriginalBody">If X’ is not a Base Domain Name, then repeat steps 3-5 with PARENT(X’) as X’.<o:p></o:p></span></li><li class="MsoNormal" style="margin-left:.25in;mso-list:l0 level1 lfo3"><span style="mso-bookmark:_MailOriginalBody">Select a Domain Name from the set of candidate Domain Names.<o:p></o:p></span></li></ol>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"><b> </b><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:11.0pt"> </span><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:11.0pt"> </span><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:10.5pt;color:black"> </span><o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"><b><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#428FC5">Corey Bonnell</span></b><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:gray">Senior Software Engineer</span><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:gray">t: +1 412.395.2233</span><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:10.5pt;color:black"> </span><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="mso-bookmark:_MailOriginalBody"><b><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#428FC5">Trustwave</span></b></span><span style="mso-bookmark:_MailOriginalBody"><b><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:gray"> </span></b></span><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:gray">| SMART
SECURITY ON DEMAND</span></span><a href="http://www.trustwave.com/"><span style="mso-bookmark:_MailOriginalBody"><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:gray;text-decoration:none"><br>
www.trustwave.com</span></span></a><span style="mso-bookmark:_MailOriginalBody"><o:p></o:p></span></p>
</div>
</div>
</body>
</html>