<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 28, 2017 at 9:54 AM, Gervase Markham via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="m_-1283017773478553299moz-text-html" lang="x-unicode">
<div class="m_-1283017773478553299WordSection1">Hi everyone,<br>
<br>
Here's a draft of a ballot to forbid DTPs from doing Domain
Validation, as discussed at the F2F. Again, this is early text,
so comments on both the approach and the wording are very
welcome.<br>
<br>
Is an Enterprise RA a subset of Delegated Third Party, or a
different thing? The BRs seem a little unclear on this. I think
they are a separate thing, but there are some bits of wording
this ballot modifies or removes that suggest that they are a
subset. Comments?<br></div></div></div></blockquote><div><br></div><div>An enterprise RA is a subset of DTPs. That is, they may perform name validation (beneath their DNS tree), or may perform other forms of identity or organizational validation for their name space.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><div class="m_-1283017773478553299moz-text-html" lang="x-unicode"><div class="m_-1283017773478553299WordSection1">
<br>
Gerv<br>
<br>
<b>Ballot XXX - Forbid DTPs from doing Domain/IP Ownership
Validation<br>
</b>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
<b>Purpose of Ballot: </b>At the moment, CAs are permitted to
delegate the process of domain and IP address validation.
However, permitting such delegations is problematic due to the
way audits work - the auditing of such work may or may not be
required and, if it is, those audit documents may not make it
back to root programs for consideration. Although the audit
situation also needs fixing, domain validation is an important
enough component of a CA's core competencies that it seems
wiser to remove it from the larger problem and forbid its
delegation. The purpose of this ballot is to ensure that CAs
or their Affiliates are always the ones performing domain/IP
address ownership validation for certificates that CA is
responsible for.<br>
</p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">The
following motion has been proposed by Gervase Markham of
Mozilla and endorsed by XXX of XXX and XXX of XXX:<br>
</p>
<p class="MsoNormal" style="margin-bottom:0in;margin-bottom:.0001pt;line-height:normal">
-- MOTION BEGINS --</p>
<pre>1) In section 1.3.2 of the Baseline Requirements, replace the following sentence:
"The CA MAY delegate the performance of all, or any part, of Section 3.2 requirements to a Delegated Third Party, provided that the process as a whole fulfills all of the requirements of Section 3.2."
with:
"With the exception of sections 3.2.2.4 and 3.2.2.5, the CA MAY delegate the performance of all, or any part, of Section 3.2 requirements to a Delegated Third Party, provided that the process as a whole fulfills all of the requirements of Section 3.2."
2) In sections 3.2.2.4 and 3.2.2.4.11 (if still present in the text at the time the ballot passes), replace the following text:
"either the CA or a Delegated Third Party"
with:
"the CA"
3) In section 3.2.2.4.6, remove the words "or Delegated Third Party".
4) In section 8.4, remove the paragraph beginning: "If a Delegated Third Party is not currently audited...".
5) In section 8.4, replace the following text:
"If the CA is not using one of the above procedures and the Delegated Third Party is not an Enterprise RA, then"
with:
"For Delegated Third Parties (but not Enterprise RAs)".</pre></div></div></div></blockquote><div>Could you explain why you reworded this? Was this based on your interpretation that Enterprise RAs aren't DTPs?</div></div></div></div>