Jeremy,

I’m a little confused. According to the current rule, you could do:

_domainvalidation.digicert.com. TXT <RANDOM>

and use that to validate control of shoop.digicert.com, as the validation would be for the base domain.

Are you proposing that we allow:

_<RANDOM>.example.com. CNAME <customer_selected>.example.com.

or that we allow

_domainvalidation.example.com. CNAME <RANDOM>.dcv.digicert.com.

to validate control of example.com?

Thanks,
Peter

> On Aug 23, 2016, at 3:36 PM, Jeremy Rowley <[email protected]> wrote:
>
> We noticed a method missing from the recent domain name validation ballot
> that we would like added as a potential process for validating domains.
> Basically, we add a random value to the CNAME record to validate a domain. So
> we’d add [RANDOM].digicert.com to verify control over digicert.com. We add
> another layer on this check that verifies control over the address that
> RANDOM.digicert.com points to – i.e., we’d validate dcv.digicert.com if
> [RANDOM].digicert.com pointed there.
>
> I just noticed the ballot only permits use of random values for
> authentication in TXT and CAA records. I’d like to amend the DNS record
> validation section to permit CNAME validation as well. The proposed change
> is:
> 3.2.2.4.7 DNS Change
> Confirming the Applicant's control over the requested FQDN by confirming the
> presence of a Random Value or Request Token in a DNS TXT, CNAME, or CAA
> record for an Authorization Domain Name or an Authorization Domain Name that
> is prefixed with a label that begins with an underscore character.
> If a Random Value is used, the CA or Delegated Third Party SHALL provide a
> Random Value unique to the certificate request and SHALL not use the Random
> Value after (i) 30 days or (ii) if the Applicant submitted the certificate
> request, the timeframe permitted for reuse of validated information relevant
> to the certificate (such as in Section 3.3.1 of these Guidelines or Section
> 11.14.3 of the EV Guidelines).
>
> Thoughts? Endorsers?
>
> Jeremy
>
> _______________________________________________
> Public mailing list
> [email protected]
> https://cabforum.org/mailman/listinfo/public
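
The record shapes asked about in this message differ in where the Random Value sits: in the record's data (TXT string or CNAME target) or in the underscore-prefixed owner name. The following is an added example, not part of the thread or of any CA's code; it checks constructed records against the proposed 3.2.2.4.7 wording and reports which placement matched without deciding which one the ballot permits. The function names, the record tuple shape, the sample random value and the whole-label matching rule are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

ALLOWED_TYPES = {"TXT", "CNAME", "CAA"}  # record types in the proposed 3.2.2.4.7 text
MAX_AGE = timedelta(days=30)             # limit (i) on Random Value use

def norm(name):
    return name.rstrip(".").lower()

def is_candidate_owner(owner, adn):
    """Owner is the Authorization Domain Name, or it prefixed with one '_' label."""
    owner, adn = norm(owner), norm(adn)
    label, _, rest = owner.partition(".")
    return owner == adn or (rest == adn and label.startswith("_"))

def locate_random_value(records, adn, random_value, issued, now):
    """Return 'rdata', 'owner' or None for where the Random Value appears.

    records: (owner, rtype, rdata) tuples already fetched from DNS (assumed shape).
    """
    if now - issued > MAX_AGE:
        return None  # Random Value is past its 30-day window
    rv = random_value.lower()
    for owner, rtype, rdata in records:
        if rtype not in ALLOWED_TYPES or not is_candidate_owner(owner, adn):
            continue
        # Data side: a whole TXT string or a whole label of a CNAME target.
        if rv in re.split(r'[.\s"]+', rdata.lower()):
            return "rdata"
        # Name side: the underscore-prefixed label itself carries the value.
        if norm(owner).split(".")[0].lstrip("_") == rv:
            return "owner"
    return None

# Constructed sample data; RV stands in for <RANDOM> from the thread.
RV = "3f9c1a7e5b2d4c68"
ISSUED = datetime(2016, 8, 23, tzinfo=timezone.utc)
TXT_FORM = [("_domainvalidation.digicert.com.", "TXT", f'"{RV}"')]
CNAME_IN_OWNER = [(f"_{RV}.example.com.", "CNAME", "customer-selected.example.com.")]
CNAME_IN_TARGET = [("_domainvalidation.example.com.", "CNAME", f"{RV}.dcv.digicert.com.")]

if __name__ == "__main__":
    now = ISSUED + timedelta(days=1)
    for adn, recs in [("digicert.com", TXT_FORM), ("example.com", CNAME_IN_OWNER),
                      ("example.com", CNAME_IN_TARGET)]:
        print(adn, recs[0][1], locate_random_value(recs, adn, RV, ISSUED, now))
```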
