You are correct, I was not clear. 3.2.2.4.4, 3.2.2.4.6, 3.2.2.4.9, and 3.2.2.4.10 all use the newly defined "Authorization Domain Name", which should avoid this in the future.
3.2.2.4.7 is actually the outlier, in that it allows _<something> (underscore + some label) prefixed to the name being validated. It is the one remaining place where showing control over a subdomain allows validation of the direct parent. The other methods mostly rely upon the registered domain name, so they never have the subdomain problem.

Does that help?

Thanks,
Peter

On Sun, Oct 2, 2016 at 8:25 PM, Man Ho (Certizen) <[email protected]> wrote:
> Peter,
>
> I'm confused why only the section 3.2.2.4.7 specifically addresses this
> concern, and how. If only it does, would it imply that CA must use
> this method of section 3.2.2.4.7 to validate a Base Domain Name, which
> happened to be an Authorization Domain Name requested by the applicant?
> However, according to section 3.2.2.4, each FQDN listed in the
> certificate is required to be validated using AT LEAST one of the
> methods only.
>
> Thanks,
>
> Man
>
>
> On 10/3/2016 3:53 AM, Peter Bowen wrote:
>> The new section 3.2.2.4.7 specifically
>> addresses DNS validation. Under the new rules, which should be in
>> effect as of 1 March 2017, validating www.<domain> will not be a valid
>> method of showing control of <domain>. The same is true for any valid
>> hostname under <domain>. The only note is that names in the form
>> _<something>.<domain> (that is starting with an underscore) can be
>> used to validate <domain>.
>
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

