Ballot SC-082: Clarify CA Assisted DNS Validation under 3.2.2.4.7 #501
docs/BR.md
@@ -298,6 +298,8 @@ The Definitions found in the CA/Browser Forum's Network and Certificate System S | |||
|
|||
**CA Key Pair**: A Key Pair where the Public Key appears as the Subject Public Key Info in one or more Root CA Certificate(s) and/or Subordinate CA Certificate(s). | |||
|
|||
**Canonical Authorization Domain Name**: The domain name found within the RDATA value of a CNAME record located at an FQDN composed of an Authorization Domain Name that is prefixed with a Domain Label that begins with an underscore character. |
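Review bot: the added definition on the `+` line is hard to parse because "located at an FQDN composed of an Authorization Domain Name that is prefixed with a Domain Label" nests three defined terms in one clause; the simpler "located at an Authorization Domain Name that is prefixed with a Domain Label that begins with an underscore character" reads better, and a worked example beside the definition (e.g. `_label.example.com. IN CNAME account-binding-id.cadomain.com`, where `account-binding-id.cadomain.com` is the Canonical Authorization Domain Name) would help readers who are not DNS specialists. The definition also says nothing about the CNAME target being unique per Applicant, which the discussion below identifies as the security-critical property; if that constraint is placed in 3.2.2.4.7 rather than in the definition, a cross-reference here would make the dependency visible.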
I'm not an English native speaker and struggle to grasp this definition. Could we maybe add an example to make it clearer? Especially the reference to the Domain Label confuses me... :(
Current: **Canonical Authorization Domain Name**: The domain name found within the RDATA value of a CNAME record located at an FQDN composed of an Authorization Domain Name that is prefixed with a Domain Label that begins with an underscore character.

Proposed: **Canonical Authorization Domain Name**: The domain name found within the RDATA value of a CNAME record located at an Authorization Domain Name that is prefixed with a Domain Label that begins with an underscore character.
@romanf Would this minor change make the definition any clearer?
The goal is to define `accountbindingid.cadomain.com` as the Canonical Authorization Domain Name of the CNAME record: `_somethingsomething.example.com. IN CNAME accountbindingid.cadomain.com`

The domain `_somethingsomething.example.com` is an underscore prefixed Authorization Domain Name which is currently referenced in section 3.2.2.4.7:

> Confirming the Applicant's control over the FQDN by confirming the presence of a Random Value or Request Token for either in a DNS CNAME, TXT or CAA record for either 1) an Authorization Domain Name; or 2) an Authorization Domain Name that is prefixed with a Domain Label that begins with an underscore character.
I like the example and I think it should be added to the BRs to assist in better understanding the requirement.
I'm still a bit confused, sorry. :(

So,

- `_somethingsomething` would be either defined by the applicant or the CA to validate ownership of "example.com" (and *.example.com?). The regulation would not specify who has to specify what's after the _, correct?
- The CNAME then points to an entry in a CA-controlled DNS domain (cadomain.com). Whereby the CA defines the "accountbindingid". Would this be per applicant or per domain that is to be validated?
- The type of that entry in the CA-controlled DNS domain could be (according to 3.2.2.4.7) CNAME, TXT or CAA (where CNAME probably doesn't make any sense?). Correct?
- The CA would then put the random value that validates "example.com" in that entry.

Hope I got it right this time. :)

Thx
Roman
Hi @romanf,

> 1. `_somethingsomething` would be either defined by the applicant or the CA to validate ownership of "example.com" (and *.example.com?). The regulation would not specify who has to specify what's after the _, correct?

Correct, the underscore-prefixed subdomain name is not security critical so it doesn't matter who defines it. This aligns with the current method 7, which does not specify how the underscore-prefixed subdomain name is created.

> 2. The CNAME then points to an entry in a CA-controlled DNS domain (cadomain.com). Whereby the CA defines the "accountbindingid". Would this be per applicant or per domain that is to be validated?

It must be per Applicant, otherwise it could be possible for attackers to request certificates for domains that they do not control. It's acceptable for a CA to create a unique per-Applicant, per-domain "accountbindingid", but the security critical component is the per-Applicant uniqueness.

> 3. The type of that entry in the CA-controlled DNS domain could be (according to 3.2.2.4.7) CNAME, TXT or CAA (where CNAME probably doesn't make any sense?). Correct?

I imagine the common case will be TXT, but the other record types that you mentioned are also fine.

> 4. The CA would then put the random value that validates "example.com" in that entry.

Yes.

Hopefully this helps. If you think the language can be improved, any suggestions you have would be appreciated.
Yes, sorry, should have given feedback.
@CBonnell Thanks for the confirmations and explanations!
I'm not a DNS expert, so I'm just trying to understand the meaning and scope of this change and don't have any suggestions for improvements.
…ation Modify section 3.2.2.4.7 to allow CA Assisted DNS Validation
Ballot SC-082: Clarify CA Assisted DNS Validation under 3.2.2.4.7
Previous Discussion Thread:
slghtr-says#1
Background
CA Assisted DNS Validation is the practice where Certification Authorities (CAs) instruct Applicants to create Canonical Name (CNAME) records specifically for the purpose of assisting the Applicant with Domain Control Verification (DCV) of their domain.
At F2F 59 (July '23), the Validation Subcommittee of the Server Certificate WG presented the following conclusions on the practice of CA Assisted DNS Validation:
A Tiger Team was formed to threat model CA Assisted DNS Validation and propose modifications to the BRs to add clarity and constraints around the practice. The results of the threat model exercise [1] were presented and discussed at F2F 60 [2] and F2F 61 [3].
Purpose of Ballot
The purpose of this ballot is to clarify the practice of CA Assisted DNS Validation and add constraints under Method 7 (3.2.2.4.7 DNS Change). Modification of other domain validation methods and the introduction of new domain validation methods are not in scope of this ballot but may be addressed in a future ballot.
Overview of Changes
Example
Canonical Authorization Domain Name: The domain name found within the RDATA value of a CNAME record located at an Authorization Domain Name that is prefixed with a Domain Label that begins with an underscore character.

Given an attempt to perform DCV for example.com using 3.2.2.4.7, the Applicant inserts the following resource record in the public DNS zone of example.com:

```
_underscore-prefixed-domain-label.example.com. IN CNAME account-binding-id.cadomain.com
```

where account-binding-id.cadomain.com is a resource record of one of the following forms:

```
account-binding-id.cadomain.com IN TXT <RDATA containing random value or request token>
```

or

```
account-binding-id.cadomain.com IN CNAME <RDATA containing random value or request token>
```

or

```
account-binding-id.cadomain.com IN CAA <RDATA containing random value or request token>
```

then account-binding-id.cadomain.com is the Canonical Authorization Domain Name.
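To make the per-Applicant constraint from the discussion thread concrete alongside the example above, here is an added Python simulation (not code from the ballot, the BRs or any CA) of the flow: the Applicant's underscore-prefixed CNAME, the CA-hosted TXT record at the Canonical Authorization Domain Name, and the CA-side check that the CNAME target is the binding assigned to the requesting account. The label `_dcv`, the account names, the zone `cadomain.com` and the in-memory DNS data are constructed assumptions; the two binding policies are compared so the failure mode of a per-domain binding is visible.

```python
import secrets

CA_ZONE = "cadomain.com."
LABEL = "_dcv."  # constructed underscore-prefixed Domain Label


class CaDnsValidator:
    """Simulated CA side of Method 7 when the CA hosts the validation record."""

    def __init__(self, per_applicant):
        self.per_applicant = per_applicant  # the security-critical design choice
        self.ca_dns = {}  # CA-controlled zone: name -> list of (rrtype, rdata)

    def binding_name(self, account, fqdn):
        """The Canonical Authorization Domain Name the Applicant must CNAME to."""
        if self.per_applicant:
            key = account  # target tied to the requesting account
        else:
            key = fqdn.rstrip(".").replace(".", "-")  # shared by every requester
        return f"{key}.{CA_ZONE}"

    def begin(self, account, fqdn):
        """Issue a Random Value and publish it at the binding name in the CA zone."""
        rv = "rv-" + secrets.token_hex(8)
        self.ca_dns[self.binding_name(account, fqdn)] = [("TXT", rv)]
        return rv

    def complete(self, public_dns, account, fqdn, rv):
        """Follow the Applicant's underscore-prefixed CNAME and check the Random Value."""
        target = dict(public_dns.get(LABEL + fqdn, [])).get("CNAME")
        if target is None or not target.endswith("." + CA_ZONE):
            return False  # no CA Assisted record, or it points outside the CA zone
        if self.per_applicant and target != self.binding_name(account, fqdn):
            return False  # CNAME is bound to a different account: reject
        return ("TXT", rv) in self.ca_dns.get(target, [])


def scenario(per_applicant):
    """Return (owner_validated, attacker_validated) under one binding policy."""
    ca = CaDnsValidator(per_applicant)
    owner, attacker, fqdn = "acct-owner", "acct-attacker", "example.com."
    # Constructed public DNS: only the real owner can add records under example.com.
    public_dns = {LABEL + fqdn: [("CNAME", ca.binding_name(owner, fqdn))]}
    owner_ok = ca.complete(public_dns, owner, fqdn, ca.begin(owner, fqdn))
    # A second account that controls nothing in example.com requests it as well.
    attacker_ok = ca.complete(public_dns, attacker, fqdn, ca.begin(attacker, fqdn))
    return owner_ok, attacker_ok
```

With a per-Applicant binding the second account is rejected because the owner's CNAME points at a different account's name; with a per-domain binding both requests succeed, which is the issue the thread warns about.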
References

[1] Threat Modeling: Validation SC Threat Modeling Doc: https://docs.google.com/document/d/1G2GYb0eg0rqE23f844J8qs7RYGU1jFVDsU5Pf7UYg3g/edit
[2] F2F-60 Presentation: https://docs.google.com/presentation/d/1M80h1N7MpBuqvZS0FdtJ_zj-AsaFxu7BNBSUJ6Ia5jU/edit?usp=sharing
[3] F2F-61 Presentation: https://docs.google.com/presentation/d/1rKW7I5jOYh37jQFtd1S-fKIs0j-dCAyUUU-fq_C8UKw/edit?usp=sharing
How can you help?