RE: [cabfquest] Request for well-known URI: /.well‐known/pki‐validation

Ben Wilson <> Thu, 12 January 2017 17:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E8E5F129422 for <>; Thu, 12 Jan 2017 09:05:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7.401
X-Spam-Status: No, score=-7.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-3.199, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hjBiYKvSJpcg for <>; Thu, 12 Jan 2017 09:05:37 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 292E21293EC for <>; Thu, 12 Jan 2017 09:05:37 -0800 (PST)
From: Ben Wilson <>
Authentication-Results:; dkim=permerror (bad message/signature format)
To: "" <>, "" <>
Subject: =?utf-8?B?UkU6IFtjYWJmcXVlc3RdIFJlcXVlc3QgZm9yIHdlbGwta25vd24gVVJJOiAv?= =?utf-8?B?LndlbGzigJBrbm93bi9wa2nigJB2YWxpZGF0aW9u?=
Thread-Topic: =?utf-8?B?W2NhYmZxdWVzdF0gUmVxdWVzdCBmb3Igd2VsbC1rbm93biBVUkk6IC8ud2Vs?= =?utf-8?B?bOKAkGtub3duL3BraeKAkHZhbGlkYXRpb24=?=
Thread-Index: AQHSZhsqx0bmdMr5T0OOG6uaj1KdHqEpvXgAgAtiMAA=
Date: Thu, 12 Jan 2017 17:05:34 +0000
Message-ID: <>
References: <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <>
Cc: "" <>, "" <>
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Well-Known URI review list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 12 Jan 2017 17:05:39 -0000

Please go ahead and amend the application accordingly.
Ben Wilson, JD, CISA, CISSP
DigiCert VP Compliance
+1 801 701 9678

-----Original Message-----
From: Mark Nottingham []
Sent: Wednesday, January 4, 2017 9:14 PM
To: Ryan Sleevi <>
Cc: Ben Wilson <>om>;;
Subject: Re: [cabfquest] Request for well-known URI: /.well‐known/pki‐validation

Hi Ryan,

Happy New Year. Some responses below.

> On 4 Jan. 2017, at 10:42 am, Ryan Sleevi <> wrote:
> I never saw these questions go answered, but my attempt is:
> 1) The intent is/was to allow the construction of a URL that meets the template of "{Authorized Scheme}://{Authorization Domain Name}:{Optional Authorized Port}/.well-known/pki-validation/", with the addition of one or more path components, to be used. Authorized Scheme is HTTP/HTTPS, Authorization Domain Name is defined in the BRs, as is Authorized Port.
> So, put differently, the intent is that "/.well-known/pki-validation/"
> represents the base of the path component, followed by one or more
> additional paths (or query strings), provided that the remaining URL
> components do not contain the entire Required Website Content :)
> It is possible that future modifications to the Baseline Requirements
> may further restrict the path components (e.g. to specify a specific
> construction), and it's possible that future modifications to the
> Baseline Requirements may loosen the requirements (e.g. allowing
> "/.well-known/pki-validation/anything-else" while also allowing
> "/.well-known/acme-challenge/{construction}" in a manner that complies
> with )

Sure. It's just that URLs are defined in terms of paths, path components, etc. -- "directory" implies a filesystem, which may not be the case, depending on the implementation.

> 2) The grouping is intended as "(file) or (web page in the form of meta tag)". This means that the latter is, by definition, fully included in the check of the former - and is thus redundant - but was included to explicitly note acceptable practice.
> Sorry these questions got dropped.

No problem. If Ben can confirm that it's Ok to elide the Related Information, we can go ahead and register.


> On Fri, Aug 26, 2016 at 4:39 AM, Mark Nottingham <> wrote:
> Hi Ben,
> Overall this looks reasonable, but that's probably too much to put into Related Information. Since it's already in the referenced, that can be safely omitted. If that's OK, I'll register (items below are non-blocking).
> One comment and a question:
> The use of "directory" is odd in the first sentence. The well-known location specifies a path; clients can retrieve that path, and/or they can add more path components and/or a query string to it to generate other URLs. It's not clear whether you want clients to only use the registered value, or allow any arbitrary path that uses it as a root.
> Also, the phrase " contained in the content of a file or on a web page in the form of a meta tag" is ambiguous; does the OR group as:
> 1. (file) or (web page in the form of a meta tag) 2. (file or web
> page) in the form of a meta tag
> ? (two occurrences)
> Regards,
> > On 26 Aug 2016, at 5:22 AM, Ben Wilson <> wrote:
> >
> >
> >    URI suffix:  pki-validation
> >
> >    Change controller:  CA/Browser Forum, e-mail address:
> >, homepage:
> >
> >    Specification document(s):  Section of version 1.3.8 of
> > the CA/Browser Forum’s Baseline Requirements Certificate Policy for
> > the Issuance and Management of Publicly-Trusted Certificates
> > (“Baseline Requirements”) - specifically here -
> >
> > f  (generally here
> >
> >
> >    Related information:    The Baseline Requirements read in pertinent part as follows:
> >
> > Agreed-Upon Change to Website
> >
> > Confirming the Applicant's control over the requested FQDN by confirming one of the following under the "/.well-known/pki-validation" directory, or another path registered with IANA for the purpose of Domain Validation, on the Authorization Domain Name that is accessible by the CA via HTTP/HTTPS over an Authorized Port:
> >
> >       • The presence of Required Website Content contained in the content of a file or on a web page in the form of a meta tag. The entire Required Website Content MUST NOT appear in the request used to retrieve the file or web page, or
> >       • The presence of the Request Token or Request Value contained in the content of a file or on a webpage in the form of a meta tag where the Request Token or Random Value MUST NOT appear in the request.
> > If a Random Value is used, the CA or Delegated Third Party SHALL provide a Random Value unique to the certificate request and SHALL not use the Random Value after the longer of (i) 30 days or (ii) if the Applicant submitted the certificate request, the timeframe permitted for reuse of validated information relevant to the certificate (such as in Section 3.3.1 of these Guidelines or Section 11.14.3 of the EV Guidelines).
> >
> > Note: Examples of Request Tokens include, but are not limited to: (i) a hash of the public key; (ii) a hash of the Subject Public Key Info [X.509]; and (iii) a hash of a PKCS#10 CSR. A Request Token may also be concatenated with a timestamp or other data. If a CA wanted to always use a hash of a PKCS#10 CSR as a Request Token and did not want to incorporate a timestamp and did want to allow certificate key re-use then the applicant might use the challenge password in the creation of a CSR with OpenSSL to ensure uniqueness even if the subject and key are identical between subsequent requests. This simplistic shell command produces a Request Token which has a timestamp and a hash of a CSR. E.g. echo date -u +%Y%m%d%H%M sha256sum <r2.csr | sed "s/[ -]//g" The script outputs: 201602251811c9c863405fe7675a3988b97664ea6baf442019e4e52fa335f406f7c5f26cf14f The CA should define in its CPS (or in a document referenced from the CPS) the format of Request Tokens it accepts.
> >
> > Communication with the Forum can be accomplished by sending a response to
> >
> > Sincerely yours,
> >
> > Ben Wilson, on behalf of the CA/Browser Forum
> > _______________________________________________
> > wellknown-uri-review mailing list
> >
> >
> --
> Mark Nottingham
> _______________________________________________
> Questions mailing list

Mark Nottingham