I read a draft for ballot[1] about changes to CABForum BR domain validation rules, and noticed that it drops the "required website content" bit, only retaining the Random Value and Request Token bits. Now, request token parts are irrelevant: HTTP-01 clearly does not qualify as request token.
This leaves Random Value. There is also a requirement that the Random Value does not appear in the request. Now, obviously HTTP-01 does put the Random Value into the request. So it seemingly would not comply.

Having to drop HTTP validation without replacement would be very bad, to say the least. The estimated number of domains using it is in the millions, and for the vast majority there is no viable replacement (besides disabling HTTPS, perhaps using a commercial cert to ride out the HSTS timeout). Maybe the WG could define an HTTP-02 that doesn't send the same random value back? It would also solve the known issue that one can mint responses without knowing about the challenge (TLS-SNI-01 had a similar issue).

As to why they want to drop the "required website content" bit: historically, many CAs have invented many quite bad validation methods, some based on methods from the Baseline Requirements.

[1] AFAIK, not yet in pre-voting discussion, but it has the two endorsers needed to start official pre-voting discussion.

-Ilari
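As an added illustration, not part of Ilari's message or of any ACME implementation, the following shows why the Random Value question arises for HTTP-01: per RFC 8555 §8.3 the CA fetches `/.well-known/acme-challenge/<token>`, so the token travels in the request, and the expected body is `<token>.<thumbprint>`, where the thumbprint is the RFC 7638 hash of the account's public key. The account JWK, domain and token below are constructed sample values, not real key material.

```python
import base64
import hashlib
import json

# Constructed sample data: an RSA-shaped JWK whose "n" is arbitrary base64url text
# (not a real modulus; the thumbprint only hashes the JSON members), and a token
# in the shape RFC 8555 requires (base64url, >= 128 bits of entropy).
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "sample-modulus-not-a-real-key_0123456789abcdefghijklmnopqrstuvwxyz",
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
DOMAIN = "example.test"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME (RFC 8555 section 8.1)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, lexically
    ordered, with no whitespace in the serialization."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps(
        {k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":")
    )
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the value the client must publish is token '.' thumbprint.
    Note that the first half is exactly the random value the CA sent."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_url(domain: str, token: str) -> str:
    """RFC 8555 section 8.3: the CA's validation request carries the token in the path."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def validate_http01(body: bytes, token: str, jwk: dict) -> bool:
    """What a CA-side validator checks: the fetched body equals the key authorization.
    RFC 8555 says the server SHOULD ignore trailing whitespace, so rstrip() first."""
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        return False
    return text.rstrip() == key_authorization(token, jwk)


def random_value_in_request(domain: str, token: str) -> bool:
    """The property the draft ballot language would forbid: the Random Value
    (token) appears in the validation request itself."""
    return token in challenge_url(domain, token)


if __name__ == "__main__":
    published = key_authorization(TOKEN, ACCOUNT_JWK)
    print("CA requests:", challenge_url(DOMAIN, TOKEN))
    print("expected body:", published)
    print("valid:", validate_http01((published + "\n").encode(), TOKEN, ACCOUNT_JWK))
    print("token visible in request:", random_value_in_request(DOMAIN, TOKEN))
```

Running it makes the concern concrete: the token is in the request URL, the response repeats it, and the only other component (the thumbprint) is derived from the account's public key, so the body contains nothing beyond what the request and the public JWK already determine.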
