As one of the authors of 3.2.2.4.10, Alex's logic is exactly how we walked
through it in the Validation Working Group. The ADN lookup is DNS, and what
you find when you connect there via TLS, within the certificate, should be
the random value (somewhere). 3.2.2.4.10 was written to permit ACME's
TLS-SNI-01 while being generic enough to permit CAs to accomplish the same
general validation structure without following the ACME-specified algorithm.

J.C.

On Thu, Jan 18, 2018 at 1:47 PM, Alex Gaynor via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> I guess it depends how you define "Certificate on the ADN" -- TLS-SNI-01
> performs a DNS lookup for the ADN, connects to that IP, and initiates a
> TLS connection with the .acme.invalid SNI value.
>
> Certificates don't exist on Domain Names if we think really hard about it,
> but servers with IPs that domain names point to can serve certificates, and
> that seems like a reasonable interpretation of the intent of that sentence,
> which TLS-SNI-01 fulfills.
>
> Alex
>
> On Thu, Jan 18, 2018 at 3:43 PM, Doug Beattie via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> > Now that I'm more familiar with method 9 and 10 domain validation methods
> > and heard a few side discussions about the topic, it's made me (and others)
> > wonder if the ACME TLS-SNI-01 is compliant with BR Method 10.
> >
> > The BRs say:
> > 3.2.2.4.10. TLS Using a Random Number
> > Confirming the Applicant's control over the FQDN by confirming the
> > presence of a Random Value within a Certificate on the Authorization Domain
> > Name which is accessible by the CA via TLS over an Authorized Port.
> >
> > But it's my understanding that the CA validates the presence of the random
> > number on "random.acme.invalid" and not on the ADN specifically.  Is the
> > validation done by confirming the presence of a random number within the
> > certificate on the ADN, or some other location?  I'm probably misreading
> > the ACME spec, but it sure seems like the validation is not being done on
> > the ADN.
> >
> > Doug
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
