Hi Andrew,

On Tue, 17 Sep 2024, Andrew Ayer via Servercert-wg wrote:

Regrettably, parsing emails sent to a Domain Contact is often the
easiest way to implement automated validation for a large number of
domains, since it allows delegation to a single central point, using
configuration that is often already in place (WHOIS record contact
information). Delegating DNS records using CNAME (e.g. with [3]) is

The use case you bring up here is however problematic. In this validation scenario, how would the automation ensure that the certificate request subject to approval by e.g. the link contained in the email is indeed the one that was requested?

While it may be possible to implement automation based on this that does so securely, checking the CSR and correlating it to the CSR automatically handed in... it sounds unlikely that the majority of such implementations do this properly. It would be reasonably involved to arrive at an actually secure automated process, and it would so easily lend itself to an insecure implementation.

It would be my guess that you could arrive at a secure automation for the use case you describe with much less effort through the use of e.g. ACME.

Accordingly, as I currently see it, this use case is not necessarily one that seems valuable to keep around in the face of fundamental challenges with the underlying WHOIS based Domain Validation method, or at all.

Tobi
_______________________________________________
Servercert-wg mailing list
https://lists.cabforum.org/mailman/listinfo/servercert-wg
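The correlation check the reply asks about, written out as an added example (not code from the thread or any CA): the automation only follows an approval link when the mail's request id, CSR fingerprint and listed domains all match a request it submitted itself. The mail layout (`Request-ID:`, `CSR-SHA256:`, `Domain:` lines), the request ids and the CA host are assumptions made up for the example.

```python
import email
import hashlib
import re

# Constructed store of requests our own automation submitted to the CA, keyed by
# a request id we chose. A real deployment would persist the DER CSR it sent;
# here the CSR bytes are a stand-in so the example runs offline.
CSR_FPR = hashlib.sha256(b"constructed-csr-bytes").hexdigest()
PENDING = {"req-1042": {"sans": {"example.com", "www.example.com"},
                        "csr_sha256": CSR_FPR}}

# Assumed approval-mail layout (hypothetical; real CA mails differ): the mail
# lists each domain, echoes the request id and CSR fingerprint, and carries a link.
DOMAIN_RE = re.compile(r"^Domain:\s*([a-z0-9.-]+)\s*$", re.M | re.I)
REQID_RE = re.compile(r"^Request-ID:\s*(\S+)\s*$", re.M)
FPR_RE = re.compile(r"^CSR-SHA256:\s*([0-9a-fA-F]{64})\s*$", re.M)
LINK_RE = re.compile(r"https://\S+/approve\S*")


def correlate(raw_mail: bytes, pending=PENDING):
    """Return the approval URL only when the mail matches a request we made.

    Any mismatch (unknown request id, CSR fingerprint differs, a domain the
    submitted CSR does not cover) returns None so the automation stays silent.
    """
    msg = email.message_from_bytes(raw_mail)
    body = msg.get_payload(decode=True).decode(errors="replace")
    req, fpr, link = REQID_RE.search(body), FPR_RE.search(body), LINK_RE.search(body)
    if not (req and fpr and link):
        return None
    ours = pending.get(req.group(1))
    if ours is None or ours["csr_sha256"] != fpr.group(1).lower():
        return None
    domains = {d.lower() for d in DOMAIN_RE.findall(body)}
    if not domains or not domains <= ours["sans"]:
        return None
    return link.group(0)


def make_mail(req_id, fpr, domains):
    """Build a constructed approval mail in the assumed layout (sample input)."""
    lines = [f"Request-ID: {req_id}", f"CSR-SHA256: {fpr}"]
    lines += [f"Domain: {d}" for d in domains]
    lines.append("https://ca.example/approve?token=constructed")
    headers = ("From: validation@ca.example\r\nTo: admin@example.com\r\n"
               "Subject: Approve certificate request\r\n\r\n")
    return (headers + "\r\n".join(lines) + "\r\n").encode()


GOOD_MAIL = make_mail("req-1042", CSR_FPR, ["example.com", "www.example.com"])
# A mail asking approval for a name our CSR never requested must be refused.
EXTRA_DOMAIN_MAIL = make_mail("req-1042", CSR_FPR, ["example.com", "other.example.net"])
# A mail citing a CSR we did not submit (fingerprint differs) must be refused.
WRONG_CSR_MAIL = make_mail("req-1042", "0" * 64, ["example.com"])
```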