I think that it could be acceptable to "reuse" an old validation provided WHOIS is checked, right? E.g., if a hash is made of all the WHOIS data, and all the WHOIS data stays identical from the last validation, then there's proof that control of the domain has not shifted in the meantime, which is the main reason to implement random challenge checks.

Because if you sell, transfer, change owner, renew, change DNS server, the domain is disabled, or if the domain expires, then some data in the WHOIS will change. Especially the "last update" date. And the same also applies to the DNS servers and/or DNSSEC keys. So combining a static entry with a WHOIS hash check would probably suffice, but the static entry must be randomly generated AND contain a key, to prevent "preloading" malicious software with challenges. Of course, for the scheme to be secure, there must be something that enforces that the challenge is passed in a short time, for example 24 hours, but once the challenge is passed, it will stay valid until WHOIS changes. Of course, such a check could only be accepted for base level domains, where the person validating the domain effectively is the person who paid for the domain as well, NOT subdomains, as subdomains can be part of "free webhosting services" which will stay static for a very long period.

-----Original message-----
From: Acme [mailto:[email protected]] On behalf of Tim Hollebeek
Sent: 23 January 2018 17:38
To: Jacob Hoffman-Andrews <[email protected]>; [email protected]
Subject: [invalid signature!]

> This challenge has the big advantage that subscribers only need to do a one-
> time CNAME setup, and renewals can be reliably automated without requiring
> that renewing systems have permission to update DNS. In effect, the CNAME
> record would act like a long-term delegation permitting the CA to issue
> continuously for the base domain.

Yes, not having to validate domains saves customers a lot of time and effort! See BR validation methods #1 and #5 for more information!! 😊

Your proposed method defeats one of the goals of the BR domain control validation requirements, which is to demonstrate control at time of validation, not just at some previous time in the past. That's why the existing, approved validation methods require random numbers to guarantee the validation is fresh and not based on some previous validation. If control at some time in the past is sufficient, you can just re-use the previous validation, which is allowed in some circumstances (see the BRs).

-Tim
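The reuse rule sketched in the reply above, modelled as an added example (my code, not from anyone in the thread): a random, keyed challenge that must be completed within 24 hours, after which the stored validation is reused only while a hash over canonicalised WHOIS data is unchanged. The CA key, field names and records are constructed for the example; note that the check only proves control at the time of the original challenge, which is the limitation Tim's reply raises.

```python
import hashlib
import hmac
import json
import secrets

CHALLENGE_WINDOW = 24 * 3600            # seconds: the "short time" from the proposal
CA_KEY = secrets.token_bytes(32)        # CA-held secret; constructed for this example


def whois_fingerprint(whois: dict) -> str:
    """Hash every WHOIS field in canonical form (sorted keys, trimmed whitespace),
    so any registrar-side change, including the 'last update' date, alters it.
    DNS server or DNSSEC fields can be passed in the same dict."""
    canon = {k.strip().lower(): " ".join(str(v).split()) for k, v in whois.items()}
    data = json.dumps(canon, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def new_challenge(domain: str, issued: int) -> dict:
    """Random token bound to the domain with the CA key, so a challenge cannot be
    pre-computed and planted ahead of time ('randomly generated AND contain a key')."""
    token = secrets.token_urlsafe(32)
    tag = hmac.new(CA_KEY, f"{domain}|{token}".encode(), "sha256").hexdigest()
    return {"domain": domain, "token": token, "tag": tag, "issued": issued,
            "completed": None, "whois_hash": None}


def complete_challenge(ch: dict, token: str, tag: str, whois: dict, now: int) -> bool:
    """Accept the response only within the window and with a valid keyed tag;
    on success, pin the WHOIS fingerprint seen at validation time."""
    expected = hmac.new(CA_KEY, f"{ch['domain']}|{token}".encode(), "sha256").hexdigest()
    if not (hmac.compare_digest(token, ch["token"]) and hmac.compare_digest(tag, expected)):
        return False
    if now < ch["issued"] or now - ch["issued"] > CHALLENGE_WINDOW:
        return False
    ch["completed"], ch["whois_hash"] = now, whois_fingerprint(whois)
    return True


def reuse_allowed(ch: dict, current_whois: dict) -> bool:
    """Reuse the stored validation only while the WHOIS fingerprint is unchanged.
    This proves control at the time of the original challenge, not at issuance."""
    return (ch["completed"] is not None
            and hmac.compare_digest(ch["whois_hash"], whois_fingerprint(current_whois)))
```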
