Thank you for the suggestion.
I created a PR to cover this:
https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-domain-verification-techniques/pull/210/changes
This adds to the Security Considerations:
# Validations not Coupled to Users
If an Application Service Provider does not properly associate Domain
Validation with Users, the new owner of a domain could potentially gain
access to Application Service Provider resources associated with the
previous owner of a domain. Application Service Providers need to take care
that re-validation of a domain by a different User is not necessarily
treated as "reactivation" in a way that grants access to potentially
sensitive resources stored and associated with a domain. (H2 in
{{threat-ul1}})
Best, Erik
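A small model of the hazard described in the new Security Considerations text, written here as an added illustration and not taken from the draft or the mailing list: the provider on the left keys its state by domain alone, so a different User re-validating the domain "reactivates" the previous owner's resources; the hardened provider keys validation by (domain, User) and deactivates the old association instead. All names (`NaiveProvider`, `CoupledProvider`, the users and domain) are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class DomainRecord:
    validated_by: str                       # User who completed validation
    resources: list = field(default_factory=list)   # data tied to the domain
    active: bool = True


class NaiveProvider:
    """Vulnerable: validation state is keyed by domain only, so any later
    successful validation 'reactivates' whatever was stored for the domain."""
    def __init__(self):
        self.domains: dict[str, DomainRecord] = {}

    def validate(self, domain: str, user: str) -> DomainRecord:
        rec = self.domains.setdefault(domain, DomainRecord(validated_by=user))
        rec.active = True   # BUG: previous owner's resources now reachable by `user`
        return rec

    def resources_for(self, domain: str, user: str) -> list:
        rec = self.domains.get(domain)
        return rec.resources if rec and rec.active else []


class CoupledProvider:
    """Hardened: validation is coupled to the User. A validation by a different
    User creates a fresh record and deactivates the previous owner's one."""
    def __init__(self):
        self.domains: dict[tuple[str, str], DomainRecord] = {}

    def validate(self, domain: str, user: str) -> DomainRecord:
        for (d, u), rec in self.domains.items():
            if d == domain and u != user:
                rec.active = False   # old association ends; its data is not handed over
        rec = self.domains.setdefault((domain, user), DomainRecord(validated_by=user))
        rec.active = True
        return rec

    def resources_for(self, domain: str, user: str) -> list:
        rec = self.domains.get((domain, user))
        return rec.resources if rec and rec.active else []


def simulate(provider) -> list:
    """Constructed scenario: 'alice' owned example.com and stored data; the domain
    changes hands and 'bob' validates it. Returns what bob can now see."""
    provider.validate("example.com", "alice").resources.append("alice-mailbox")
    provider.validate("example.com", "bob")
    return provider.resources_for("example.com", "bob")
```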
On Tue, Jan 20, 2026 at 10:42 PM Ángel González <[email protected]> wrote:
> Hi Erik
>
> Section 7.10 mentions a new domain owner reintroducing an old
> validation record to make an old Application Service believe that an
> old user is still active.
>
> I miss, however, the opposite case: the new domain owner signs up to
> the Service, but the Application Service Provider actually treats it as
> a reactivation of the Service that was available back with the previous
> owner, allowing the old domain owner to access the service of the
> new owner.
>
>
> Regards
>
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]