Request for well-known URI: /.well‐known/pki‐validation
Ben Wilson <ben.wilson@digicert.com> Thu, 25 August 2016 19:22 UTC
Return-Path: <ben.wilson@digicert.com>
X-Original-To: wellknown-uri-review@ietfa.amsl.com
Delivered-To: wellknown-uri-review@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 930DA12D11C for <wellknown-uri-review@ietfa.amsl.com>; Thu, 25 Aug 2016 12:22:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.769
X-Spam-Level:
X-Spam-Status: No, score=-4.769 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.548, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QythKI0CRkZ7 for <wellknown-uri-review@ietfa.amsl.com>; Thu, 25 Aug 2016 12:22:47 -0700 (PDT)
Received: from mail.digicert.com (mail.digicert.com [64.78.193.232]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C32AB12D5F9 for <wellknown-uri-review@ietf.org>; Thu, 25 Aug 2016 12:22:46 -0700 (PDT)
From: Ben Wilson <ben.wilson@digicert.com>
Authentication-Results: mail.digicert.com; dkim=permerror (bad message/signature format)
To: "wellknown-uri-review@ietf.org" <wellknown-uri-review@ietf.org>
Subject: Request for well-known URI: /.well‐known/pki‐validation
Thread-Topic: Request for well-known URI: /.well‐known/pki‐validation
Thread-Index: AdH/BEg64nlRFaAKRzGrFmSI7g3u+w==
Date: Thu, 25 Aug 2016 19:22:44 +0000
Message-ID: <bc378b56d6254682b2e4d3ab045507f4@EX2.corp.digicert.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [67.137.52.8]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"; boundary="----=_NextPart_000_0038_01D1FED3.C337BEA0"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/wellknown-uri-review/ZV5t9jPvrs8kiSlUtjBlvhurYAM>
Cc: "questions@cabforum.org" <questions@cabforum.org>
X-BeenThere: wellknown-uri-review@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Well-Known URI review list <wellknown-uri-review.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wellknown-uri-review>, <mailto:wellknown-uri-review-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wellknown-uri-review/>
List-Post: <mailto:wellknown-uri-review@ietf.org>
List-Help: <mailto:wellknown-uri-review-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wellknown-uri-review>, <mailto:wellknown-uri-review-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Aug 2016 19:22:48 -0000
URI suffix: pki-validation Change controller: CA/Browser Forum, e-mail address: questions@cabforum. org <mailto:questions@cabforum.org> , homepage: www.cabforum.org <http://www.cabforum.org> Specification document(s): Section 3.2.2.4.6 of version 1.3.8 of the CA/Browser Forum’s Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates (“Baseline Requirements”) - specifically here - https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.3.8.pdf (generally here https://cabforum.org/baseline-requirements-documents/) Related information: The Baseline Requirements read in pertinent part as follows: 3.2.2.4.6 Agreed-Upon Change to Website Confirming the Applicant's control over the requested FQDN by confirming one of the following under the "/.well-known/pki-validation" directory, or another path registered with IANA for the purpose of Domain Validation, on the Authorization Domain Name that is accessible by the CA via HTTP/HTTPS over an Authorized Port: 1. The presence of Required Website Content contained in the content of a file or on a web page in the form of a meta tag. The entire Required Website Content MUST NOT appear in the request used to retrieve the file or web page, or 2. The presence of the Request Token or Request Value contained in the content of a file or on a webpage in the form of a meta tag where the Request Token or Random Value MUST NOT appear in the request. If a Random Value is used, the CA or Delegated Third Party SHALL provide a Random Value unique to the certificate request and SHALL not use the Random Value after the longer of (i) 30 days or (ii) if the Applicant submitted the certificate request, the timeframe permitted for reuse of validated information relevant to the certificate (such as in Section 3.3.1 of these Guidelines or Section 11.14.3 of the EV Guidelines). Note: Examples of Request Tokens include, but are not limited to: (i) a hash of the public key; (ii) a hash of the Subject Public Key Info [X.509]; and (iii) a hash of a PKCS#10 CSR. A Request Token may also be concatenated with a timestamp or other data. If a CA wanted to always use a hash of a PKCS#10 CSR as a Request Token and did not want to incorporate a timestamp and did want to allow certificate key re-use then the applicant might use the challenge password in the creation of a CSR with OpenSSL to ensure uniqueness even if the subject and key are identical between subsequent requests. This simplistic shell command produces a Request Token which has a timestamp and a hash of a CSR. E.g. echo date -u +%Y%m%d%H%M sha256sum <r2.csr | sed "s/[ -]//g" The script outputs: 201602251811c9c863405fe7675a3988b97664ea6baf442019e4e52fa335f406f7c5f26cf14f The CA should define in its CPS (or in a document referenced from the CPS) the format of Request Tokens it accepts. Communication with the Forum can be accomplished by sending a response to questions@cabforum.org <mailto:questions@cabforum.org> . Sincerely yours, Ben Wilson, on behalf of the CA/Browser Forum
- Request for well-known URI: /.well‐known/pki‐vali… Ben Wilson
- Re: Request for well-known URI: /.well‐known/pki‐… Mark Nottingham
- Re: [cabfquest] Request for well-known URI: /.wel… Ryan Sleevi
- Re: [cabfquest] Request for well-known URI: /.wel… Mark Nottingham
- RE: [cabfquest] Request for well-known URI: /.wel… Ben Wilson