Re: Request for well-known URI: /.well‐known/pki‐validation

Mark Nottingham <> Fri, 26 August 2016 11:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8937512D8B7 for <>; Fri, 26 Aug 2016 04:45:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 9kbzQKQ3Orai for <>; Fri, 26 Aug 2016 04:45:05 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id F208A12D8C3 for <>; Fri, 26 Aug 2016 04:39:58 -0700 (PDT)
Received: from [] (unknown []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id C4AA622E256; Fri, 26 Aug 2016 07:39:39 -0400 (EDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Subject: =?utf-8?Q?Re=3A_Request_for_well-known_URI=3A__/=2Ewell=E2=80=90?= =?utf-8?Q?known/pki=E2=80=90validation?=
From: Mark Nottingham <>
In-Reply-To: <>
Date: Fri, 26 Aug 2016 21:39:36 +1000
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
To: Ben Wilson <>
X-Mailer: Apple Mail (2.3124)
Archived-At: <>
Cc: "" <>, "" <>
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Well-Known URI review list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 26 Aug 2016 11:45:07 -0000

Hi Ben,

Overall this looks reasonable, but that's probably too much to put into Related Information. Since it's already in the referenced, that can be safely omitted. If that's OK, I'll register (items below are non-blocking).

One comment and a question:

The use of "directory" is odd in the first sentence. The well-known location specifies a path; clients can retrieve that path, and/or they can add more path components and/or a query string to it to generate other URLs. It's not clear whether you want clients to only use the registered value, or allow any arbitrary path that uses it as a root.

Also, the phrase " contained in the content of a file or on a web page in the form of a meta tag" is ambiguous; does the OR group as:

1. (file) or (web page in the form of a meta tag)
2. (file or web page) in the form of a meta tag

? (two occurrences)


> On 26 Aug 2016, at 5:22 AM, Ben Wilson <> wrote:
>    URI suffix:  pki-validation
>    Change controller:  CA/Browser Forum, e-mail address:, homepage:
>    Specification document(s):  Section of version 1.3.8 of the CA/Browser Forum’s Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates (“Baseline Requirements”) - specifically here -  (generally here
>    Related information:    The Baseline Requirements read in pertinent part as follows:
> Agreed-Upon Change to Website
> Confirming the Applicant's control over the requested FQDN by confirming one of the following under the "/.well-known/pki-validation" directory, or another path registered with IANA for the purpose of Domain Validation, on the Authorization Domain Name that is accessible by the CA via HTTP/HTTPS over an Authorized Port:
> 	• The presence of Required Website Content contained in the content of a file or on a web page in the form of a meta tag. The entire Required Website Content MUST NOT appear in the request used to retrieve the file or web page, or
> 	• The presence of the Request Token or Request Value contained in the content of a file or on a webpage in the form of a meta tag where the Request Token or Random Value MUST NOT appear in the request.
> If a Random Value is used, the CA or Delegated Third Party SHALL provide a Random Value unique to the certificate request and SHALL not use the Random Value after the longer of (i) 30 days or (ii) if the Applicant submitted the certificate request, the timeframe permitted for reuse of validated information relevant to the certificate (such as in Section 3.3.1 of these Guidelines or Section 11.14.3 of the EV Guidelines).
> Note: Examples of Request Tokens include, but are not limited to: (i) a hash of the public key; (ii) a hash of the Subject Public Key Info [X.509]; and (iii) a hash of a PKCS#10 CSR. A Request Token may also be concatenated with a timestamp or other data. If a CA wanted to always use a hash of a PKCS#10 CSR as a Request Token and did not want to incorporate a timestamp and did want to allow certificate key re-use then the applicant might use the challenge password in the creation of a CSR with OpenSSL to ensure uniqueness even if the subject and key are identical between subsequent requests. This simplistic shell command produces a Request Token which has a timestamp and a hash of a CSR. E.g. echo date -u +%Y%m%d%H%M sha256sum <r2.csr | sed "s/[ -]//g" The script outputs: 201602251811c9c863405fe7675a3988b97664ea6baf442019e4e52fa335f406f7c5f26cf14f The CA should define in its CPS (or in a document referenced from the CPS) the format of Request Tokens it accepts.
> Communication with the Forum can be accomplished by sending a response to  
> Sincerely yours,
> Ben Wilson, on behalf of the CA/Browser Forum
> _______________________________________________
> wellknown-uri-review mailing list

Mark Nottingham