This is why I wanted to raise this topic. I don't believe we have thought very carefully about when DCV is actually safe or appropriate, and I don't think we should be recommending a mechanism without consensus and guidance for what this mechanism achieves and when this mechanism is safe to use.
In the case of both Google Mail and Office365, the customer is free to delete the verification TXT record after the verification step is complete. And yet these systems treat this verification step as permanently binding the domain to an account in their system. Depending on your threat model, this might be perfectly reasonable or obviously vulnerable. I don't think this document should move forward without providing clear guidance on this key question.

If these providers did what you are suggesting, they would be in violation of recommendations in Section 5.7, which says that "a new challenge needs to be issued" every time the ASP checks the verification record. But this is also strange: common sense suggests that I could leave a record in place to indicate my continuing consent. That is true, but such a record is no longer providing Domain Control Validation; instead, it is performing authorization (like MX), and is outside the (present) scope of this draft.

Basically, I think we have some work to untangle the purpose of DCV in the current text.

--Ben

________________________________
From: Paul Wouters <p...@nohats.ca>
Sent: Thursday, October 31, 2024 4:07 PM
To: Tim Wicinski <tjw.i...@gmail.com>
Cc: Ben Schwartz <bem...@meta.com>; dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Re: Fwd: New Version Notification - draft-ietf-dnsop-domain-verification-techniques-06.txt

On Thu, 31 Oct 2024, Tim Wicinski wrote:

> draft-ietf-dnsop-domain-verification-techniques-06.txt
>
> I'll review it today and I now understand your reasoning a lot better.

I reviewed the text. It makes assumptions on knowing what are valid and invalid use cases of domain ownership verification. I think that is wrong. The document shouldn't do that and stick to the mechanism only.

It also seems to make a suggestion that all of these are time-bound, but this is also not the case. For example if you want google mail or office365 you need to add a record. This record acts as challenge / proof but also as continued signal you still want them to do mail for you.

So I don't think we should merge this PR.

Paul
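The distinction the two messages above are arguing about (a one-time Domain Control Validation challenge that must be re-issued on every check, versus a standing record that signals ongoing authorization) can be made concrete in code. The following is an added illustration written for this page; it is not code from the draft, from either poster, or from any provider. It assumes a challenge owner name of the form `_dcv-challenge.<domain>` (the draft's exact label may differ) and uses a constructed in-memory dictionary in place of real DNS TXT lookups.

```python
import hmac
import secrets

# Constructed stand-in for DNS: maps an owner name to its TXT strings.
# A real ASP would query a resolver here (ideally with DNSSEC validation).
FakeZone = dict[str, list[str]]

# Assumed label for the challenge record; not taken from the draft.
CHALLENGE_LABEL = "_dcv-challenge"


def challenge_name(domain: str) -> str:
    """Owner name under which the domain holder publishes the challenge."""
    return f"{CHALLENGE_LABEL}.{domain.rstrip('.')}."


def issue_challenge() -> str:
    """ASP side: a fresh, unguessable token for THIS verification attempt.
    Per the Section 5.7 recommendation quoted above, every check gets a new one."""
    return secrets.token_urlsafe(32)


def lookup_txt(zone: FakeZone, name: str) -> list[str]:
    """Stand-in for a TXT query; returns [] when the name does not exist."""
    return zone.get(name, [])


def verify_dcv(zone: FakeZone, domain: str, token: str) -> bool:
    """Domain Control Validation: succeeds only if the token issued for this
    attempt is published. A token from an earlier attempt proves nothing now,
    which is why a stale record cannot keep an old binding alive."""
    return any(
        hmac.compare_digest(txt, token)
        for txt in lookup_txt(zone, challenge_name(domain))
    )


def has_standing_authorization(zone: FakeZone, domain: str, marker: str) -> bool:
    """Authorization-style check (MX-like): is a fixed marker record present?
    This answers 'does the holder still consent', not 'does the holder control
    the domain right now', and is not freshness-bound; it is the other mechanism
    the thread says is outside the draft's scope."""
    return marker in lookup_txt(zone, challenge_name(domain))


def demo() -> tuple[bool, bool, bool]:
    """Walk through the scenario from the thread with a constructed zone."""
    zone: FakeZone = {}
    domain = "example.com"

    # Initial onboarding: ASP issues a challenge, holder publishes it, ASP checks.
    t1 = issue_challenge()
    zone[challenge_name(domain)] = [t1]
    first_check = verify_dcv(zone, domain, t1)  # True

    # Later re-check: a new challenge is issued but the holder never updated
    # the record. The old token still being present does not verify.
    t2 = issue_challenge()
    recheck_stale_record = verify_dcv(zone, domain, t2)  # False

    # Holder deletes the record after onboarding (as the Google/Office365
    # customer is free to do). Even the original token no longer verifies,
    # so a provider that keeps the binding is relying on something other than DCV.
    del zone[challenge_name(domain)]
    after_delete = verify_dcv(zone, domain, t1)  # False

    return first_check, recheck_stale_record, after_delete


if __name__ == "__main__":
    print(demo())
```

The point the code makes is that `verify_dcv` and `has_standing_authorization` answer different questions over the same TXT record: the first is only meaningful for the token just issued, so a provider that re-checks must re-issue; the second treats mere presence as consent and therefore carries none of the freshness guarantee.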
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org