Question, is there any prohibition against demonstration of domain control 
being delegated to a third party or even the CA itself? I don't think so, but 
figured we've discussed differences in interpretation a lot lately so wanted to 
see if people agreed.

Section 3.2.2.4.7 in the CAB/F requires that the CA verify a domain by 
"confirming the Applicant's control over the FQDN by confirming the presence of 
a Random Value or Request Token for either in a DNS CNAME, TXT or CAA record 
for either an Authorization Domain Name; or 2) an Authorization Domain Name 
that is prefixed with a label that begins with an underscore character."

If the CA is using a random value then the Random Value has to be unique to the 
certificate request.

Could a third party or the CA itself set up a service for entities that hate 
doing domain validation? For example:

_validation.customer.com. 3600 IN CNAME _validation.domain.com.

_validation.domain.com. 3600 IN CNAME _validation.myvalidation.com.

_validation.myvalidation.com. 1 IN CNAME _<RNDVALUE>.myvalidation.com.

Since each domain approval request requires a unique random value, the random 
value could be uploaded each time a certificate request comes in and checked.

I mean, the obvious issue is the customer.com domain would need to want to 
delegate this to domain.com. But if you had a pretty non-technical person 
operating the DNS, they could set it to the domain.com name and leave their DNS 
settings forever.

This looks allowed under the BRs, but should it be? Or is it like key escrow - 
okay if a reseller does it (but frowned upon). Totally not cool if the CA does 
it.

Jeremy
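As an added illustration (not part of Jeremy's post or any CA's code), here is a small CA-side check that walks a CNAME chain like the one above over constructed zone data, confirms the Random Value at the end, and records every registrable domain the chain wanders into outside the applicant's own, so the delegation is at least visible in the validation record. Assumptions: the zone map, names and the Random Value "a1b2c3" are made up, and the registrable domain is approximated by the last two labels rather than the Public Suffix List.

```python
# Constructed zone data standing in for live DNS answers (hypothetical names,
# mirroring the CNAME chain in the post; "a1b2c3" is a made-up Random Value).
ZONE = {
    "_validation.customer.com.":     ("CNAME", "_validation.domain.com."),
    "_validation.domain.com.":       ("CNAME", "_validation.myvalidation.com."),
    "_validation.myvalidation.com.": ("CNAME", "_a1b2c3.myvalidation.com."),
    "_validation.solo.example.":     ("TXT",   "a1b2c3"),
    "_validation.loop.test.":        ("CNAME", "_validation.loop.test."),
}

def base_domain(name: str) -> str:
    """Registrable-domain heuristic: last two labels. A real CA must consult
    the Public Suffix List here; this is a simplification for the example."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return ".".join(labels[-2:]).lower()

def check_validation(adn: str, random_value: str, zone: dict, max_hops: int = 8) -> dict:
    """Follow CNAMEs from _validation.<ADN>. Report whether the Random Value was
    found (as TXT rdata or as the leading label of a CNAME target) and which
    registrable domains other than the applicant's the chain passed through."""
    name = f"_validation.{adn.rstrip('.')}."
    applicant = base_domain(adn)
    chain, delegates = [], []
    found = unterminated = False
    while name not in chain and len(chain) <= max_hops:
        chain.append(name)
        rr = zone.get(name)
        if rr is None:              # NXDOMAIN / no record: validation fails
            break
        rtype, rdata = rr
        if rtype == "TXT":
            found = rdata == random_value
            break
        if rtype != "CNAME":
            break
        target_base = base_domain(rdata)
        if target_base != applicant and target_base not in delegates:
            delegates.append(target_base)   # chain left the applicant's domain
        if rdata.split(".")[0] == f"_{random_value}":
            found = True                    # Random Value carried in the CNAME target
            break
        name = rdata
    else:
        unterminated = True                 # CNAME cycle or too many hops
    return {"found": found, "delegated": bool(delegates),
            "delegates": delegates, "chain": chain, "unterminated": unterminated}
```

A CA could log `delegates` alongside the validation evidence, or refuse to issue when it is non-empty, depending on how the policy question in the post is settled.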

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
