[cabfpub] Definition of Random Value on draft ballot re new domain validation methods
sleevi at google.com
Tue May 5 11:12:59 MST 2015
On May 5, 2015 11:08 AM, "kirk_hall at trendmicro.com" <
kirk_hall at trendmicro.com> wrote:
> How is security enhanced by the CA telling the Applicant to post [128 bit
Random Value] instead of a one-time use phrase “Rosebud/Ryan Sleevi” on the
website? In each case, it is a shared secret created by the CA. Using a
“Random Value” does not enhance security in and of itself in this case.
There is no requirement today it be a one-time phrase. There is no
requirement that the one-time phrase will not be predictable or
controllable by the attacker.
This is the same reason why you white list email addresses or use a fixed
URI for validation. Because CAs can and are choosing profoundly insecure
methods, and the BRs permit this today.
Perhaps it would help to know why it would be so problematic to get
sufficient random data.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public