<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On 2 Aug. 2016, at 12:24 pm, Rich Smith <<a href="mailto:richard.smith@comodo.com" class="">richard.smith@comodo.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" class="">
<div text="#000000" bgcolor="#FFFFFF" class="">
<br class="">
<div class="moz-cite-prefix">On 8/1/2016 4:53 PM, Geoff Keating
wrote:<br class="">
</div>
<blockquote cite="mid:3681CB30-F9A4-45A9-AD55-D46937D67DC8@apple.com" type="cite" class="">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1" class="">
<br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On 1 Aug. 2016, at 12:57 pm, Peter Bowen <<a moz-do-not-send="true" href="mailto:pzb@amzn.com" class="">pzb@amzn.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class=""><br class="">
<blockquote type="cite" class="">On Aug 1, 2016, at 12:13
PM, <a moz-do-not-send="true" href="mailto:geoffk@apple.com" class="">geoffk@apple.com</a>
wrote:<br class="">
<br class="">
<br class="">
<blockquote type="cite" class="">On 1 Aug. 2016, at 9:52
am, Peter Bowen <<a moz-do-not-send="true" href="mailto:pzb@amzn.com" class="">pzb@amzn.com</a>>
wrote:<br class="">
<br class="">
I’m familiar with the two sections. However I’m not
clear on the rules for what goes where.<br class="">
</blockquote>
<br class="">
I think it’s not really a bright-line situation. And,
importantly, not one that really matters for the purpose
of certificate issuance; no matter how you do it, you
need to check that the domain is authorized all the way
back to the root, whether that’s by consulting an IANA
list or whois or whatever; the classification of
registrars is just so you don’t have to keep verifying
“yes, Verisign still runs .com just as it did 30 seconds
ago for the previous domain”.<br class="">
</blockquote>
<br class="">
I think it does matter for certificate issuance when using
validation methods that don’t involve DNS lookup of the
name being verified. For example, if I want to send an
email to the domain registrant, can I send it to the
person who registered <a moz-do-not-send="true" href="http://example.de.com/" class="">example.de.com</a>
with CentralNic or must it only go to the person who
registered <a moz-do-not-send="true" href="http://de.com/" class="">de.com</a> (e.g. CentralNic themselves)?<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
<div class="">That’s what I mean by ‘all the way back’: you can
get the e-mail address from CentralNic, but you also need to
check that CentralNic does actually own <a moz-do-not-send="true" href="http://de.com/" class="">de.com</a>.
It is not wrong to e-mail CentralNic and accept their answer in
this case, although it might be ineffective.</div>
</blockquote>
How often? As you said, the classification for registrars is just
so you don't have to keep verifying that Verisign still controls
.com every 30 seconds. So how often should one need to re-verify
that CentralNic still controls <a href="http://de.com" class="">de.com</a>? And by that reasoning
shouldn't one need to re-verify that Verisign still controls .com
with the same frequency?<br class="">
</div></div></blockquote><br class=""></div><div>Well, I guess the BRs say 39 months, don’t they? That doesn’t seem like an unreasonable frequency to check that your list of registrars is still accurate…</div><br class=""></body></html>