<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Jan 8, 2018, at 9:20 AM, Wayne Thayer via Public <<a href="mailto:public@cabforum.org" class="">public@cabforum.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div dir="ltr" class="">On Mon, Jan 8, 2018 at 9:46 AM, Tim Hollebeek via Public <span dir="ltr" class=""><<a href="mailto:public@cabforum.org" target="_blank" class="">public@cabforum.org</a>></span> wrote:<br class=""><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div link="blue" vlink="purple" lang="EN-US" class=""><div class="m_-8622729908420754352m_-8419302617913859696WordSection1"><p class="MsoNormal">I’m not sure there are other valid cases (in fact I suspect there are not), but Wayne mentioned on the validation WG call that he’s concerned that this change could be very disruptive if not handled carefully, and I’m sympathetic to that concern. Especially since on the same call he also pointed out the same flaw that Dimitris did …</p><div class=""> <br class="webkit-block-placeholder"></div></div></div></blockquote></div>My concern is based on a small sample size, but in reviewing CPS' I've noted that government CAs often rely on 3.2.2.4.1. Other than Dimitris, they are not participating in this discussion and may not be aware of it. That isn't a good excuse to delay needed fixes, but I do think that the outright elimination of method #1 on Mar 1st will catch a number of these CAs by surprise and we'll see compliance issues. 
The approach that Ryan and Dimitris are discussing helps to address my concern.</div></div></div></blockquote><br class=""></div><div>I know I’m really late to this conversation, but I think we need to split 3.2.2.4.1. It currently has one very strong validation method combined with two that are under discussion.</div><div><br class=""></div><div>While I know it does not apply to many CAs, I think option 3 in 3.2.2.4.1 is excellent validation when available. If the CA is also the registry or registrar, then they can have a very high assurance that a certificate requester has control of the domain. I would hate to see this method go away, as I personally see this as potentially the strongest proof of domain control.</div><div><br class=""></div><div>Thanks,</div><div>Peter</div></body></html>