Section 3.2.2.4.7 should be clarified. In a Validation subcommittee discussion today, related to https://lists.cabforum.org/pipermail/validation/2024-June/001989.html, we looked at the language "Confirming the Applicant’s control over the FQDN by confirming the presence of a Random Value or Request Token for either in a DNS CNAME, TXT or CAA record for either 1) an Authorization Domain Name; or 2) an Authorization Domain Name that is prefixed with a Domain Label that begins with an underscore character." The plain language interpretation is that the RV/RT be in the DNS record (DNS CNAME, TXT or CAA), but each type of DNS record implicates a different method of providing the RV/RT. I would recommend that the language be modified to separate out each one.
E.g., if CNAME is used, then do this; if TXT is used, do that; and if CAA record is used, do this other thing. For additional reference, also see cabforum/definitions#5.
There are many combinations hidden in this method. Proposal to separate the cases. For example, CAA doesn't make sense to require an ADN prefixed with an underscore. This seems like work for the Validation Subcommittee.
Confirming the Applicant's control over the FQDN by confirming the presence of a Random Value or Request Token in a DNS record. The DNS record MUST be
a TXT record on an Authorization Domain Name;
a TXT record on an Authorization Domain Name that is prefixed with a Domain Label that begins with an underscore character;
a CAA record on an Authorization Domain Name; or
a CNAME record on an Authorization Domain Name that is prefixed with a Domain Label that begins with an underscore character.
This explicitly spells out the set of options, and makes two cases (putting the CNAME directly on the ADN, which makes that ADN useless; and putting the CAA record below the ADN, where CAA records don't generally make sense) not acceptable. If folks are aware of CAs or systems that do use the two methods I've ruled out here, please say so.
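A small validator for the four placements the proposal above allows, as an added example that is not CA/B Forum text or any CA's code. DNS answers come from a constructed in-memory table, the underscore label `_validation` and the registrable domain are assumed inputs, and the two placements the proposal rules out (CNAME directly on the ADN, CAA under the underscore-prefixed label) are deliberately not searched.

```python
VALIDATION_LABEL = "_validation"  # assumed underscore-prefixed Domain Label


def authorization_domain_names(fqdn, registrable_domain):
    """Candidate ADNs: the FQDN itself and each ancestor down to the
    registrable domain (assumed given; Public Suffix handling omitted)."""
    labels = fqdn.rstrip(".").split(".")
    names = []
    while labels:
        name = ".".join(labels)
        names.append(name)
        if name == registrable_domain:
            break
        labels = labels[1:]
    return names


def dns_change_placements(fqdn, registrable_domain, rv, zone):
    """Return (rtype, owner) pairs where the Random Value appears in an
    allowed placement. `zone` maps (owner, rtype) -> list of record data.
    Allowed: TXT on ADN, TXT on _label.ADN, CAA on ADN, CNAME on _label.ADN.
    Not searched: CNAME on ADN, CAA on _label.ADN (the two rejected cases)."""
    found = []
    for adn in authorization_domain_names(fqdn, registrable_domain):
        under = f"{VALIDATION_LABEL}.{adn}"
        for rtype, owner in (("TXT", adn), ("TXT", under),
                             ("CAA", adn), ("CNAME", under)):
            for rdata in zone.get((owner, rtype), []):
                if rv in rdata:  # RV may sit in a TXT string, CAA value, or CNAME target
                    found.append((rtype, owner))
    return found


# Constructed sample zone; the Random Value is a placeholder, not a real token.
RV = "rv-EXAMPLE-7f2c9d"
ZONE = {
    ("www.example.com", "CNAME"): [f"{RV}.acme.example.net."],          # rejected placement
    ("_validation.www.example.com", "TXT"): [RV],                        # allowed
    ("example.com", "TXT"): [f"v=spf1 -all", RV],                        # allowed (parent ADN)
    ("example.com", "CAA"): ['0 issue "ca.example"'],                    # no RV present
    ("_validation.example.com", "CAA"): [f'0 validate "{RV}"'],          # rejected placement
}

if __name__ == "__main__":
    print(dns_change_placements("www.example.com", "example.com", RV, ZONE))
```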