Question, is there any prohibition against demonstration of domain control 
being delegated to a third party or even the CA itself? I don't think so, but 
figured we've discussed differences in interpretation a lot lately so wanted to 
see if people agreed.

Section in the CAB/F requires that the CA verify a domain by 
"confirming the Applicant's control over the FQDN by confirming the presence of 
a Random Value or Request Token for either in a DNS CNAME, TXT or CAA record 
for either an Authorization Domain Name; or 2) an Authorization Domain Name 
that is prefixed with a label that begins with an underscore character."

If the CA is using a random value then the Random Value has to be unique the 
certificate request.

Could a third party or the CA itself set up a service of entities that hated 
doing domain validation? For example: 3600 IN CNAME 3600 IN CNAME 1 IN CNAME _<RNDVALUE>

Since each domain approval request requires an unique random value, the random 
value could be uploaded each time a certificate request comes in and checked.

I mean, the obvious issue is the domain would need to want to 
delegate this But if you had a pretty non-technical person 
operating the DNS, they could set it to the name and leave their DNS 
settings forever.

This looks allowed under the BRs, but should it be? Or is it like key escrow - 
okay if a reseller does it (but frowned upon). Totally not cool if the CA does 


dev-security-policy mailing list

Reply via email to