[messaging] What counts as proof of ownership?
diafygi at gmail.com
Mon Jan 19 15:26:54 PST 2015
Over the weekend, I made a script that gets certificate signing
requests signed by the Let's Encrypt Demo CA. You have to prove to
the CA that you own the domain you're requesting a signature for, so I
spent quite a bit of time digging into the ACME spec for automatically
determining ownership of a domain.

So it got me wondering what is considered best practice or ideal for
proving your ownership of a resource? What will create the widest
adoption? What will people trust?

For ACME, there are several challenges that can prove you have control
over the domain:

1. Simple HTTPS - Serve a specific file at a specific domain on port 443
2. DVSNI - Serve a TLS cert with a specific subjectAltName on port 443
3. DNS - Add a specific TXT record to your DNS
4. Email (undocumented, possibly in the future)
5. DNSSEC (undocumented, possibly in the future)
6. WHOIS (undocumented, possibly in the future)

For Keybase, #1 or #3 is used. For StartSSL, Comodo, and other SSL
cert retailers, #4 and #6 are used. App.net and Google use HTML
tags to verify ownership (which is not on the ACME list). EV
certificates require a legal entity to be verified.

What about other resources? Package managers use PGP keys to sign
packages (yet another method). As far as I know there's not a similar
clients could use Subresource Integrity to manually restrict file
hashes. Another great use for signed code instead of TLS would be for
keyserver pools like SKS.

So what's best? We have a ton of methods for proving ownership of
domains and web content, which makes things very confusing.
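As an added example (not the script from the post and not Let's Encrypt's code), the block below models the CA side of the three documented ACME challenges: the CA issues an unguessable token, the requester publishes it through the chosen channel, and the CA checks for it through a lookup it controls. The path `/.well-known/acme-challenge/<token>`, the `<token>.acme.invalid` SAN and the `_acme-challenge.<domain>` TXT name are assumptions loosely modelled on the ACME draft, and the class and function names are mine; the `FakeWorld` lookups are constructed stand-ins for HTTPS, TLS and DNS so the code runs offline.

```python
import hmac
import secrets
from dataclasses import dataclass


def _eq(a, b):
    """Constant-time string comparison (encode so non-ASCII does not raise)."""
    return hmac.compare_digest(a.encode(), b.encode())


@dataclass
class Challenge:
    """One outstanding challenge: the CA remembers the token it handed out."""
    domain: str
    kind: str      # "simple_https", "dvsni" or "dns"
    token: str     # unguessable value the requester has to publish
    validated: bool = False


class CaValidator:
    """CA-side validation of the three documented challenge types.

    The three lookups are injected so the class can be exercised offline; in a
    real CA they would be an HTTPS fetch, a TLS handshake that reads the
    presented certificate's SANs, and a DNS TXT query from a resolver the CA
    controls (never one the requester can influence).
    """

    def __init__(self, fetch_https, fetch_tls_sans, fetch_dns_txt):
        self.fetch_https = fetch_https        # (host, path) -> body str or None
        self.fetch_tls_sans = fetch_tls_sans  # host -> list of SAN dNSNames
        self.fetch_dns_txt = fetch_dns_txt    # name -> list of TXT strings
        self.pending = {}

    def issue(self, domain, kind):
        if kind not in ("simple_https", "dvsni", "dns"):
            raise ValueError(f"unsupported challenge type: {kind}")
        # 32 random bytes: only someone who can publish at the domain can make
        # this value appear there, because nobody else can predict it.
        token = secrets.token_urlsafe(32)
        ch = Challenge(domain, kind, token)
        self.pending[(domain, kind)] = ch
        return ch

    @staticmethod
    def expected(ch):
        """Where, and in what form, the token must appear for each type (assumed forms)."""
        if ch.kind == "simple_https":
            return ("/.well-known/acme-challenge/" + ch.token, ch.token)
        if ch.kind == "dvsni":
            return (ch.domain, ch.token + ".acme.invalid")
        return ("_acme-challenge." + ch.domain, ch.token)

    def verify(self, ch):
        """Return True only if the token shows up where the CA expects it."""
        stored = self.pending.get((ch.domain, ch.kind))
        if stored is None or not _eq(stored.token, ch.token):
            return False  # unknown, already used, or tampered challenge object
        where, want = self.expected(ch)
        if ch.kind == "simple_https":
            body = self.fetch_https(ch.domain, where)
            ok = body is not None and _eq(body.strip(), want)
        elif ch.kind == "dvsni":
            ok = any(_eq(san, want) for san in self.fetch_tls_sans(where))
        else:
            ok = any(_eq(txt, want) for txt in self.fetch_dns_txt(where))
        if ok:
            stored.validated = True
            del self.pending[(ch.domain, ch.kind)]  # one-shot: a token is never reused
        return ok


class FakeWorld:
    """Constructed stand-in for the requester's infrastructure as seen by the CA."""

    def __init__(self):
        self.https = {}  # (host, path) -> body
        self.sans = {}   # host -> [san, ...]
        self.txt = {}    # name -> [txt, ...]

    def publish(self, ch):
        """What the domain holder does to satisfy a challenge."""
        where, value = CaValidator.expected(ch)
        if ch.kind == "simple_https":
            self.https[(ch.domain, where)] = value + "\n"
        elif ch.kind == "dvsni":
            self.sans.setdefault(where, []).append(value)
        else:
            self.txt.setdefault(where, []).append(value)

    def validator(self):
        return CaValidator(
            lambda host, path: self.https.get((host, path)),
            lambda host: self.sans.get(host, []),
            lambda name: self.txt.get(name, []),
        )


def run_demo(kind, publish=True):
    """Issue a challenge for example.com, optionally publish it, then verify."""
    world = FakeWorld()
    ca = world.validator()
    ch = ca.issue("example.com", kind)
    if publish:
        world.publish(ch)
    return ca.verify(ch)


if __name__ == "__main__":
    for k in ("simple_https", "dvsni", "dns"):
        print(k, "published:", run_demo(k), "unpublished:", run_demo(k, publish=False))
```

The properties worth noticing are the ones a real CA relies on: the token is generated by the CA, not chosen by the requester; the check is made from the CA's own vantage point; a token is consumed on first success so it cannot be replayed; and the comparison is constant-time. What the model leaves out is exactly where the hard problems in the post's question live: whether the lookup path itself (DNS resolution, routing to port 443) can be subverted, which is why production CAs validate from several network locations.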