On Sun, Oct 2, 2016 at 9:49 AM, Nick Lamb <tialara...@gmail.com> wrote:
>
> The second thing obviously is that they do have exactly the "rule" Richard 
> Wang described, and they believe this was justified under the BRs old 3.2.2.4 
> method 7 (which isn't a method at all, it's basically a catch-all).
>
> I think that's probably something that needs to go to CA/B although of course 
> Mozilla would be well within its rights to just write to all CAs, asking if 
> they have this or any similar "rules" that frustrate the intention of 3.2.2.4 
> and if so asking them to fix it by some reasonable deadline, such as EOY 2016.

There is some good news.  The CA/Browser Forum has already addressed
this, even prior to the current discussions. Ballot 169
(https://cabforum.org/2016/08/05/ballot-169-revised-validation-requirements/)
revises 3.2.2.4 considerably.  The new section 3.2.2.4.7 specifically
addresses DNS validation.  Under the new rules, which should be in
effect as of 1 March 2017, validating www.<domain> will not be a valid
method of showing control of <domain>.  The same is true for any valid
hostname under <domain>.  The only note is that names in the form
_<something>.<domain> (that is starting with an underscore) can be
used to validate <domain>.

So this gap will close soon.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
