<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 8/1/2018 6:29 PM, Tim Hollebeek
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DM5PR14MB1289AB20B6F00B4122C2F57C83130@DM5PR14MB1289.namprd14.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I think you and Ryan are on the right
track.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’ve expressed before an interest in
explicitly allowing RDAP in addition to WHOIS (I don’t support
the idea of making the requirement more generic because
security analysis is much more difficult for generic
requirements).<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">It wouldn’t be a bad thing if at the same
time we added explicit requirements around the acceptable ways
to directly contact a domain registrar. Like Rich, I want to
see the details so I can determine whether the requirements
make sense.</p>
</div>
</blockquote>
<br>
I can describe the case of Registrars in Greece (under the gr
ccTLD). They usually provide a signed letter that includes domain
name and Registrant information (administrative contact, technical
contact, organization name, telephone numbers and e-mail addresses)
which is usually enough information for a CA to use and validate
Domain ownership via 3.2.2.4.2 or 3.2.2.4.3.<br>
<br>
Registrars have official telephone numbers and e-mail addresses to
be contacted and this information is publicly provided by the
National registry. It doesn't have to be just WHOIS or RDAP.<br>
<br>
For the case where the CA is also a Registrar, the "signed letter"
part can be skipped, since, as a Registrar, the Domain Contact
information is already known. In fact, it is even better because if
a Domain has expired and the CA/Registrar gets a Certificate
Request for that Domain, it will not issue because they know it is
expired and will (most likely) not rely on previous information, as
non-Registrar CAs would normally do.<br>
<br>
I could provide more details if necessary.<br>
<br>
<br>
Dimitris.<br>
<br>
<blockquote type="cite"
cite="mid:DM5PR14MB1289AB20B6F00B4122C2F57C83130@DM5PR14MB1289.namprd14.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I was asked on Thursday to split 218 into
two ballots, since it seems #1 will take a little more work
than #5. #5 seems uncontroversial, but I keep getting
requests for a longer timeline (possibly phased, with strong
requirements to eliminate the egregious problems early) for
#1.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Should we have two ballots so we can
eliminate #5 early, while making reasonable improvements to
#1?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">BTW, for those who have asked, the ballot
217 “you have the time you need” discussion requirements was
the reason I wasn’t overly concerned about when I posted the
ballot.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">-Tim<o:p></o:p></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in
0in 0in 4.0pt">
<div>
<div>
<div>
<div>
<p class="MsoNormal">I wonder, then, if it would
resolve your concerns about the removal of 3.2.2.4.1
to update the Domain Contact method - the issues I
highlighted on variability notwithstanding. That is,
it sounds like we're in agreement that 3.2.2.4.1, as
worded, is entirely ambiguous as to the level of
assurance provided. The methods of contacting in
3.2.2.4.2/.3 are acceptable, the only question is
how we determine the information. We allow WHOIS,
for example, but as worded, it would preclude RDAP
or other forms, and would preclude the cases (such
as .gov) in which direct registry contact is
required. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Domain Contact: The Domain Name
Registrant, technical contact, or administrative
contact (or the equivalent under a ccTLD) as
provided by the Domain Registrar or, for TLDs in
which the Registry provides information, the
Registry. Acceptable methods of determination
include the WHOIS record of the Base Domain Name,
within a DNS SOA record [Note: This includes the
hierarchal tree walking, by virtue of 3.2.2.4's
recursion], or through direct contact with the
applicable Domain Name Registrar or Domain Name
Registry.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">This can then be separately
expanded to RDAP, or be moved more formally into a
section within 3.2 as to acceptable methods for the
determination of the Domain Contact (e.g. moving the
normative requirements for validation outside of the
definition).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">That seems like it would resolve
the issues, right?<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</body>
</html>