<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<div class="moz-cite-prefix">On 8/1/2016 4:53 PM, Geoff Keating
wrote:<br>
</div>
<blockquote
cite="mid:3681CB30-F9A4-45A9-AD55-D46937D67DC8@apple.com"
type="cite">
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On 1 Aug. 2016, at 12:57 pm, Peter Bowen <<a
moz-do-not-send="true" href="mailto:pzb@amzn.com" class="">pzb@amzn.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class=""><br class="">
<blockquote type="cite" class="">On Aug 1, 2016, at 12:13
PM, <a moz-do-not-send="true"
href="mailto:geoffk@apple.com" class="">geoffk@apple.com</a>
wrote:<br class="">
<br class="">
<br class="">
<blockquote type="cite" class="">On 1 Aug. 2016, at 9:52
am, Peter Bowen &lt;<a moz-do-not-send="true"
href="mailto:pzb@amzn.com" class="">pzb@amzn.com</a>&gt;
wrote:<br class="">
<br class="">
I’m familiar with the two sections. However, I’m not
clear on the rules for what goes where.<br class="">
</blockquote>
<br class="">
I think it’s not really a bright-line situation. And,
importantly, not one that really matters for the purpose
of certificate issuance; no matter how you do it, you
need to check that the domain is authorized all the way
back to the root, whether that’s by consulting an IANA
list or whois or whatever; the classification of
registrars is just so you don’t have to keep verifying
“yes, Verisign still runs .com just as it did 30 seconds
ago for the previous domain”.<br class="">
</blockquote>
<br class="">
I think it does matter for certificate issuance when using
validation methods that don’t involve DNS lookup of the
name being verified. For example, if I want to send an
email to the domain registrant, can I send it to the
person who registered <a moz-do-not-send="true"
href="http://example.de.com" class="">example.de.com</a>
with CentralNic or must it only go to the person who
registered <a moz-do-not-send="true" href="http://de.com"
class="">de.com</a> (e.g. CentralNic themselves)?<br
class="">
</div>
</div>
</blockquote>
</div>
<br class="">
<div class="">That’s what I mean by ‘all the way back’: you can
get the e-mail address from CentralNic, but you also need to
check that CentralNic does actually own <a
moz-do-not-send="true" href="http://de.com" class="">de.com</a>.
It is not wrong to e-mail CentralNic and accept their answer in
this case, although it might be ineffective.</div>
</blockquote>
How often? As you said, the classification for registrars is just
so you don't have to keep verifying that Verisign still controls
.com every 30 seconds. So how often should one need to re-verify
that CentralNic still controls de.com? And by that reasoning
shouldn't one need to re-verify that Verisign still controls .com
with the same frequency?<br>
<blockquote
cite="mid:3681CB30-F9A4-45A9-AD55-D46937D67DC8@apple.com"
type="cite">
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
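<p>The thread above argues that a domain-control check is only as good as the chain of delegations it rests on (example.de.com depends on CentralNic running de.com, which depends on Verisign running .com), and that the registrar classification is really a cache whose freshness has to be decided. The following Python is an added illustration of that reasoning and is not code from either participant or from the CA/Browser Forum: the delegation table, operator names and timestamps are constructed sample data rather than an IANA or Public Suffix List extract, and the function names are this example's own.</p>

```python
"""Walk a domain's label hierarchy to list every delegation a
domain-control check depends on, and flag which cached delegation
records are stale and need re-verification.

Added illustration for the mailing-list discussion; the registry
table and timestamps below are constructed sample data, not a real
IANA root zone database or Public Suffix List extract."""
from datetime import datetime, timedelta, timezone

# Constructed sample: which operator runs each zone, and when that
# fact was last confirmed. A CA would populate this from authoritative
# sources (IANA root zone database, registry/PSL data) and its own
# verification records.
NOW = datetime(2016, 8, 1, 17, 0, tzinfo=timezone.utc)
DELEGATIONS = {
    "com": ("Verisign", NOW - timedelta(days=2)),
    "de.com": ("CentralNic", NOW - timedelta(days=400)),
}


def ancestors(fqdn):
    """Zone candidates from the top-level label downwards, e.g.
    'example.de.com' -> ['com', 'de.com', 'example.de.com']."""
    labels = fqdn.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]


def validation_chain(fqdn, delegations=DELEGATIONS):
    """Every known delegation above fqdn, outermost first. Each entry is
    an operator whose control of its zone must hold for contact data
    about fqdn (whois, registrar records) to mean anything."""
    chain = []
    for zone in ancestors(fqdn):
        if zone in delegations:
            operator, checked = delegations[zone]
            chain.append((zone, operator, checked))
    return chain


def stale_delegations(fqdn, max_age, delegations=DELEGATIONS, now=NOW):
    """Zones in fqdn's chain whose operator record is older than max_age.
    One max_age for every level is the literal reading of the thread's
    'same frequency' question: .com and de.com are held to the same
    freshness rule, and a 400-day-old CentralNic record fails a
    one-year rule while the two-day-old Verisign record passes."""
    return [zone for zone, _, checked in validation_chain(fqdn, delegations)
            if now - checked > max_age]


def registrant_lookup_zone(fqdn, delegations=DELEGATIONS):
    """The most specific known delegation: the zone whose operator is
    the right party to ask for fqdn's registrant (de.com/CentralNic for
    example.de.com). None means no known delegation covers fqdn."""
    chain = validation_chain(fqdn, delegations)
    return chain[-1][0] if chain else None


if __name__ == "__main__":
    for zone, operator, checked in validation_chain("example.de.com"):
        print(f"{zone:10} run by {operator:10} confirmed {checked:%Y-%m-%d}")
    print("needs re-verification (1 year rule):",
          stale_delegations("example.de.com", timedelta(days=365)))
```

<p>The point the example makes concrete is that "registrar classification" and "re-verify that Verisign still controls .com" are the same operation at different levels of the tree; the only policy decision is the freshness window applied to each cached record.</p>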
</body>
</html>