<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
h5
{mso-style-priority:9;
mso-style-link:"Heading 5 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:10.0pt;
font-family:"Calibri",sans-serif;
color:black;
font-weight:bold;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.Heading5Char
{mso-style-name:"Heading 5 Char";
mso-style-priority:9;
mso-style-link:"Heading 5";
font-family:"Calibri Light",sans-serif;
color:#2F5496;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:250238397;
mso-list-template-ids:360331802;}
@list l1
{mso-list-id:554315707;
mso-list-template-ids:-1276231208;}
@list l2
{mso-list-id:965696554;
mso-list-template-ids:-207554148;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><b><span style='color:windowtext'>From:</span></b><span style='color:windowtext'> Public [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Dimitris Zacharopoulos via Public<br><b>Sent:</b> Friday, January 5, 2018 5:44 AM<br><br></span></p><p><span style='color:windowtext'><snip></span><o:p></o:p></p><p>--- BEGIN updated language for 3.2.2.4.1 ---<o:p></o:p></p><p>Confirming the Applicant's control over the FQDN by validating the Applicant is the Domain Contact directly with the Domain Name Registrar. This method may only be used if:<o:p></o:p></p><ol start=1 type=1><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l2 level1 lfo3'>The CA validates Domain Contact information obtained from the Domain Registrar by using the process described in section 3.2.2.4.2 OR 3.2.2.4.3; OR<o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l2 level1 lfo3'>The CA is also the Domain Name Registrar, or an Affiliate of the Registrar, of the Base Domain Name.<o:p></o:p></li></ol><p class=MsoNormal>Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names.<br><br>--- END updated language for 3.2.2.4.1 ---<br><br></snip><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I think your #1 is redundant as those methods already stipulate obtaining information from the registrar. I’m not completely opposed to #2 because I do think that it makes some sense for a CA who is also the registrar to be able to have some internal process available to it which verifies domain authorization which is by definition not available to a CA which is not also the registrar, however I would really prefer that those CAs which are also registrars would come forward to discuss and outline more specifics as to what those processes might look like, so that we can codify them with more detail as to what is acceptable in such instance rather than continue to be ‘hand wavy’ about it. We’ve now gotten very specific as to the acceptable methods for non-registrar CAs and gotten rid of ‘any other method’ but I see the lack of specificity in this particular case as an ‘any other method’ for registrar CAs and I’m not sure why we should continue to allow it without any specifics.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Regards,<o:p></o:p></p><p class=MsoNormal>Rich<span style='color:windowtext'><o:p></o:p></span></p></div></body></html>