<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 5/1/2018 6:31 μμ, Rich Smith wrote:<br>
</div>
<blockquote type="cite"
cite="mid:088101d38642$a759a570$f60cf050$@comodo.com">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
h5
{mso-style-priority:9;
mso-style-link:"Heading 5 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:10.0pt;
font-family:"Calibri",sans-serif;
color:black;
font-weight:bold;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.Heading5Char
{mso-style-name:"Heading 5 Char";
mso-style-priority:9;
mso-style-link:"Heading 5";
font-family:"Calibri Light",sans-serif;
color:#2F5496;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:250238397;
mso-list-template-ids:360331802;}
@list l1
{mso-list-id:554315707;
mso-list-template-ids:-1276231208;}
@list l2
{mso-list-id:965696554;
mso-list-template-ids:-207554148;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span
style="color:windowtext"> Public
[<a class="moz-txt-link-freetext" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Dimitris
Zacharopoulos via Public<br>
<b>Sent:</b> Friday, January 5, 2018 5:44 AM<br>
<br>
</span></p>
<p><span style="color:windowtext"><snip></span><o:p></o:p></p>
<p>--- BEGIN updated language for 3.2.2.4.1 ---<o:p></o:p></p>
<p>Confirming the Applicant's control over the FQDN by
validating the Applicant is the Domain Contact directly with
the Domain Name Registrar. This method may only be used if:<o:p></o:p></p>
<ol start="1" type="1">
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l2
level1 lfo3">The CA validates Domain Contact information
obtained from the Domain Registrar by using the process
described in section 3.2.2.4.2 OR 3.2.2.4.3; OR<o:p></o:p></li>
<li class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-list:l2
level1 lfo3">The CA is also the Domain Name Registrar, or an
Affiliate of the Registrar, of the Base Domain Name.<o:p></o:p></li>
</ol>
<p class="MsoNormal">Note: Once the FQDN has been validated
using this method, the CA MAY also issue Certificates for
other FQDNs that end with all the labels of the validated
FQDN. This method is suitable for validating Wildcard Domain
Names.<br>
<br>
--- END updated language for 3.2.2.4.1 ---<br>
<br>
</snip><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I think your #1 is redundant as those
methods already stipulate obtaining information from the
registrar. </p>
</div>
</blockquote>
<br>
Perhaps my reading is too strict but methods in 3.2.2.4.2 and
3.2.2.4.3 imply that you get information for Domain Contact without
necessarily *contacting* the Domain Registrar. My understanding is
that you can use Domain Registrant contact information by whatever
public information is available (via WHOIS). <br>
<br>
Here is the Domain Contact definition in 1.6.1:<br>
"<strong>Domain Contact</strong>: The Domain Name Registrant,
technical contact, or administrative contract (or the equivalent
under a ccTLD) as listed in the WHOIS record of the Base Domain Name
or in a DNS SOA record"<br>
<br>
The only method that currently mentions that the CA may contact the
Domain Name Registrar *directly*, is 3.2.2.4.1. I don't think
getting publicly available WHOIS information means "contacting" the
Domain Registrar. This is necessary for registries that don't
provide public WHOIS information about Domain Registrants.<br>
<br>
<blockquote type="cite"
cite="mid:088101d38642$a759a570$f60cf050$@comodo.com">
<div class="WordSection1">
<p class="MsoNormal">I’m not completely opposed to #2 because I
do think that it makes some sense for a CA who is also the
registrar to be able to have some internal process available
to it which verifies domain authorization which is by
definition not available to a CA which is not also the
registrar, however I would really prefer that those CAs which
are also registrars would come forward to discuss and outline
more specifics as to what those processes might look like, so
that we can codify them with more detail as to what is
acceptable in such instance rather than continue to be ‘hand
wavy’ about it. We’ve now gotten very specific as to the
acceptable methods for non-registrar CAs and gotten rid of
‘any other method’ but I see the lack of specificity in this
particular case as an ‘any other method’ for registrar CAs and
I’m not sure why we should continue to allow it without any
specifics.</p>
</div>
</blockquote>
<br>
I don't know which CAs originally proposed #2 in 3.2.2.4.1 and what
was their reasoning. I know that during Domain registration, the
company representative provides contact information (phone numbers,
e-mail addresses). The CA/Registrar can use this information to
contact the Certificate Applicant to get authorization for issuance.
This information may or may not be available in the public WHOIS (or
strictly cover the "Domain Contact" definition of 1.6.1) but could
be in an internal database of the Registrar. Domain Registrants may
also get authentication credentials to web portals for Domain
management that could also be combined and used for authorization of
Certificate issuance.<br>
<br>
Dimitris.<br>
<br>
<blockquote type="cite"
cite="mid:088101d38642$a759a570$f60cf050$@comodo.com">
<div class="WordSection1">
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Regards,<o:p></o:p></p>
<p class="MsoNormal">Rich<span style="color:windowtext"><o:p></o:p></span></p>
</div>
</blockquote>
<br>
<br>
</body>
</html>