<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 8/1/2018 10:15 AM, Ryan Sleevi
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CACvaWvbq+sZYApK-QH67qX2dYaAnwtPCxBW5cWPvLir1pLBDFg@mail.gmail.com">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Jan 8, 2018 at 2:45 AM,
Dimitris Zacharopoulos via Public <span dir="ltr">&lt;<a
href="mailto:public@cabforum.org" target="_blank"
moz-do-not-send="true">public@cabforum.org</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span class="">
<div class="m_5568994031566043988moz-cite-prefix">On
5/1/2018 6:31 PM, Rich Smith wrote:<br>
</div>
<blockquote type="cite">
<div class="m_5568994031566043988WordSection1">
<p class="MsoNormal"><b><span
style="color:windowtext">From:</span></b><span
style="color:windowtext"> Public [<a
class="m_5568994031566043988moz-txt-link-freetext"
href="mailto:public-bounces@cabforum.org"
target="_blank" moz-do-not-send="true">mailto:public-bounces@<wbr>cabforum.org</a>]
<b>On Behalf Of </b>Dimitris Zacharopoulos
via Public<br>
<b>Sent:</b> Friday, January 5, 2018 5:44 AM<br>
<br>
</span></p>
<p><span style="color:windowtext">&lt;snip&gt;</span></p>
<p>--- BEGIN updated language for 3.2.2.4.1 ---</p>
<p>Confirming the Applicant's control over the
FQDN by validating the Applicant is the Domain
Contact directly with the Domain Name Registrar.
This method may only be used if:</p>
<ol start="1" type="1">
<li class="MsoNormal" style="margin-left:0in">The
CA validates Domain Contact information
obtained from the Domain Registrar by using
the process described in section 3.2.2.4.2 OR
3.2.2.4.3; OR</li>
<li class="MsoNormal" style="margin-left:0in">The
CA is also the Domain Name Registrar, or an
Affiliate of the Registrar, of the Base Domain
Name.</li>
</ol>
<p class="MsoNormal">Note: Once the FQDN has been
validated using this method, the CA MAY also
issue Certificates for other FQDNs that end with
all the labels of the validated FQDN. This
method is suitable for validating Wildcard
Domain Names.<br>
<br>
--- END updated language for 3.2.2.4.1 ---<br>
<br>
&lt;/snip&gt;</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I think your #1 is redundant
as those methods already stipulate obtaining
information from the registrar. </p>
</div>
</blockquote>
<br>
</span> Perhaps my reading is too strict but methods in
3.2.2.4.2 and 3.2.2.4.3 imply that you get information
for Domain Contact without necessarily *contacting* the
Domain Registrar. My understanding is that you can use
Domain Registrant contact information by whatever public
information is available (via WHOIS). <br>
</div>
</blockquote>
<div><br>
</div>
<div>I'm not sure I understand the distinction being made
here between WHOIS and contacting the registrar. For
example, the .com WHOIS implementation involves contacting
the registrar's WHOIS services (while, conversely, .org's
WHOIS involves effectively contacting the registry's
WHOIS). However, see the points below to see if they are
able to slice through that confusion.</div>
<div> </div>
</div>
</div>
</div>
</blockquote>
<br>
Thanks Ryan, this is the distinction I had in mind. My understanding
is that using the publicly available WHOIS is not "contacting" the
Registrar. I believed that "contacting" is an out-of-band way.<br>
<br>
<blockquote type="cite"
cite="mid:CACvaWvbq+sZYApK-QH67qX2dYaAnwtPCxBW5cWPvLir1pLBDFg@mail.gmail.com">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> <br>
Here is the Domain Contact definition in 1.6.1:<br>
"<strong>Domain Contact</strong>: The Domain Name
Registrant, technical contact, or administrative
contract (or the equivalent under a ccTLD) as listed in
the WHOIS record of the Base Domain Name or in a DNS SOA
record"<br>
<br>
The only method that currently mentions that the CA may
contact the Domain Name Registrar *directly*, is
3.2.2.4.1. I don't think getting publicly available
WHOIS information means "contacting" the Domain
Registrar. This is necessary for registries that don't
provide public WHOIS information about Domain
Registrants.</div>
</blockquote>
<div><br>
</div>
<div>So to make sure I understand your view: For situations
such as ccTLDs (which are not bound by ICANN's registry
agreements as they predate ICANN and are separately
managed from ICANN), where WHOIS is not available, your
view is 3.2.2.4.1 is the only method that allows for
out-of-band contact with the registrar (which is
contracted with the registry) in order to determine the
Registrant/technical contact/administrative
contact/equivalent.</div>
<div><br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
Correct.<br>
<br>
<blockquote type="cite"
cite="mid:CACvaWvbq+sZYApK-QH67qX2dYaAnwtPCxBW5cWPvLir1pLBDFg@mail.gmail.com">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>An example of pre-existing TLD adhering to this is .gov
(in the US) - and I'm guessing you know of one or more
ccTLDs that also fit into this category?</div>
<div><br>
</div>
<div>The advantage is that this permits non-gTLDs
(i.e. those within the ICANN sphere of oversight) to use
methods 'equivalent' to WHOIS. The disadvantage is that,
in the absence of the registry agreements, the level of
assurance or equivalence of those respective methods is at
the determination of the ccTLD/TLD operator and the CA,
and not uniform in assurance or reliability.</div>
</div>
</div>
</div>
</blockquote>
<br>
The level of assurance for Domain Contact phone numbers and e-mail
addresses is pretty much the same in most gTLD, ccTLD cases, that's
why I proposed that they are combined with methods 3.2.2.4.2 or
3.2.2.4.3. I am hoping to have the WHOIS "equivalent" methods for
all Domains. We are talking about Domain Validation methods so I
don't think we should use "Organization Information" of WHOIS or
Domain Registrar records to validate Domain ownership. <br>
<br>
<br>
Dimitris.<br>
</body>
</html>