<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <br>
    <div class="moz-cite-prefix">On 8/1/2016 4:53 PM, Geoff Keating
      wrote:<br>
    </div>
    <blockquote
      cite="mid:3681CB30-F9A4-45A9-AD55-D46937D67DC8@apple.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      <br class="">
      <div>
        <blockquote type="cite" class="">
          <div class="">On 1 Aug. 2016, at 12:57 pm, Peter Bowen <<a
              moz-do-not-send="true" href="mailto:pzb@amzn.com" class="">pzb@amzn.com</a>>
            wrote:</div>
          <br class="Apple-interchange-newline">
          <div class="">
            <div class=""><br class="">
              <blockquote type="cite" class="">On Aug 1, 2016, at 12:13
                PM, <a moz-do-not-send="true"
                  href="mailto:geoffk@apple.com" class="">geoffk@apple.com</a>
                wrote:<br class="">
                <br class="">
                <br class="">
                <blockquote type="cite" class="">On 1 Aug. 2016, at 9:52
                  am, Peter Bowen <<a moz-do-not-send="true"
                    href="mailto:pzb@amzn.com" class="">pzb@amzn.com</a>>
                  wrote:<br class="">
                  <br class="">
                  I’m familiar with the two sections.  However I’m not
                  clear on the rules for what goes where.<br class="">
                </blockquote>
                <br class="">
                I think it’s not really a bright-line situation.  And,
                importantly, not one that really matters for the purpose
                of certificate issuance; no matter how you do it, you
                need to check that the domain is authorized all the way
                back to the root, whether that’s by consulting an IANA
                list or whois or whatever; the classification of
                registrars is just so you don’t have to keep verifying
                “yes, Verisign still runs .com just as it did 30 seconds
                ago for the previous domain”.<br class="">
              </blockquote>
              <br class="">
              I think it does matter for certificate issuance when using
              validation methods that don’t involve DNS lookup of the
              name being verified.  For example, if I want to send an
              email to the domain registrant, can I send it to the
              person who registered <a moz-do-not-send="true"
                href="http://example.de.com" class="">example.de.com</a>
              with CentralNic or must it only go to the person who
              registered <a moz-do-not-send="true" href="http://de.com"
                class="">de.com</a> (e.g. CentralNic themselves)?<br
                class="">
            </div>
          </div>
        </blockquote>
      </div>
      <br class="">
      <div class="">That’s what I mean by ‘all the way back’: you can
        get the e-mail address from CentralNic, but you also need to
        check that CentralNic does actually own <a
          moz-do-not-send="true" href="http://de.com" class="">de.com</a>.
         It is not wrong to e-mail CentralNic and accept their answer in
        this case, although it might be ineffective.</div>
    </blockquote>
    How often?  As you said, the classification for registrars is just
    so you don't have to keep verifying that Verisign still controls
    .com every 30 seconds.  So how often should one need to re-verify
    that CentralNic still controls de.com?  And by that reasoning
    shouldn't one need to re-verify that Verisign still controls .com
    with the same frequency?<br>
    <blockquote
      cite="mid:3681CB30-F9A4-45A9-AD55-D46937D67DC8@apple.com"
      type="cite">
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>