<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Cambria-Bold;
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri",sans-serif;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoPlainText">Jeff - here are the three relevant definitions:<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in;text-autospace:none"><b>Applicant: </b>
The natural person or Legal Entity that applies for (or seeks renewal of) a Certificate. Once the Certificate issues, the Applicant is referred to as the Subscriber.<o:p></o:p></p>
<p class="MsoNormal" style="text-autospace:none"><o:p> </o:p></p>
<p class="MsoPlainText" style="margin-left:.5in"><b>Domain Contact</b>: The Domain Name Registrant, technical contact, or administrative contact (or the equivalent under a ccTLD) as listed in the WHOIS record of the Base Domain Name or in a DNS SOA record.<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoPlainText" style="margin-left:.5in"><b>Domain Name Registrant</b>: Sometimes referred to as the “owner” of a Domain Name, but more properly the person(s) or entity(ies) registered with a Domain Name Registrar as having the right to control how
a Domain Name is used, such as the natural person or Legal Entity that is listed as the “Registrant” by WHOIS or the Domain Name Registrar.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">"Domain Contact" is just the self-reported name in WHOIS -- so I think Domain Name Registrant is the party we are actually trying to verify as the Applicant.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">-----Original Message-----<br>
From: Public [mailto:public-bounces@cabforum.org] On Behalf Of Geoff Keating via Public<br>
Sent: Friday, January 19, 2018 10:18 AM<br>
To: Mads Egil Henriksveen <Mads.Henriksveen@buypass.no>; CA/Browser Forum Public Discussion List <public@cabforum.org><br>
Subject: Re: [cabfpub] [EXTERNAL] Verification of Domain Contact and Domain Authorization Document</p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I think this proposed change actually makes 3.2.2.4.1 weaker. Previously it was necessary to validate that the Applicant and the Domain Contact were the same—some CAs might not have been doing this properly, but it was what the words
said. Now you’re just validating that the Applicant has the same name and represents to a Q*IS that it has the same address.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">> On Jan 19, 2018, at 4:58 AM, Mads Egil Henriksveen via Public <<a href="mailto:public@cabforum.org"><span style="color:windowtext;text-decoration:none">public@cabforum.org</span></a>> wrote:<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Hi Gerv<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> The current version 3.2.2.4.1 says:<o:p></o:p></p>
<p class="MsoPlainText">> ----<o:p></o:p></p>
<p class="MsoPlainText">> 3.2.2.4.1 Validating the Applicant as a Domain Contact<o:p></o:p></p>
<p class="MsoPlainText">> Confirming the Applicant's control over the FQDN by validating the Applicant is the Domain Contact directly with the Domain Name Registrar.<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> This method may only be used if:<o:p></o:p></p>
<p class="MsoPlainText">> 1. The CA authenticates the Applicant's identity under BR Section 3.2.2.1 and the authority of the Applicant Representative under BR Section 3.2.5, OR<o:p></o:p></p>
<p class="MsoPlainText">> 2. The CA authenticates the Applicant's identity under EV Guidelines Section 11.2 and the agency of the Certificate Approver under EV Guidelines Section 11.8; OR<o:p></o:p></p>
<p class="MsoPlainText">> 3. The CA is also the Domain Name Registrar, or an Affiliate of the Registrar, of the Base Domain Name.<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names.<o:p></o:p></p>
<p class="MsoPlainText">> -----<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Our proposal concentrates on the first part, i.e. the following statement:<o:p></o:p></p>
<p class="MsoPlainText">>>> Confirming the Applicant's control over the FQDN by validating the Applicant is the Domain Contact directly with the Domain Name Registrar.<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Is to be replaced with:<o:p></o:p></p>
<p class="MsoPlainText">> << Confirming the Applicant's control over the FQDN by validating the Applicant as the Domain Name Registrant by verifying that:<o:p></o:p></p>
<p class="MsoPlainText">> << 1. The name of the Domain Name Registrant matches the Applicant's name AND<o:p></o:p></p>
<p class="MsoPlainText">> << 2. Additional information about the Domain Name Registrant in the WHOIS meets the following requirements:<o:p></o:p></p>
<p class="MsoPlainText">> << i. The Registrant's postal address in the WHOIS belongs to the Applicant. CAs MUST verify this by matching it with one of the Applicant's addresses in: (a) a QGIS, QTIS, or QIIS; or (b) a Verified Professional Letter.<o:p></o:p></p>
<p class="MsoPlainText">> << Note: Address details in the WHOIS are required to use this option. Address details must include at a minimum the Country and either Locality, State or Province. OR<o:p></o:p></p>
<p class="MsoPlainText">> << ii. The WHOIS contains the Registration (or similar) Number assigned to the Applicant by the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration as appropriate. CAs MUST verify this by matching the Registration Number in the WHOIS with the Applicant's Registration Number in a QGIS or a QTIS.<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> The first change is the use of Domain Name Registrant instead of Domain Contact, i.e. the focus is on domain ownership.<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> The proposal requires that the name of the Registrant (in WHOIS) matches 1) the name of the Applicant AND either 2 i) the postal address of the Registrant (in WHOIS) matches the postal address of the Applicant (in sources accepted
for EV validation) OR 2 ii) a Registration Number for the Registrant (in WHOIS) matches the Registration Number of the Applicant (in a QGIS or QTIS).<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> The proposal addresses threats arising from the fact that organization names are not unique; the combination of organization name and address, or of organization name and registration number, should be unique. It also removes ambiguities the current language permits (according to Jeremy - see attachment). <o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Regards<o:p></o:p></p>
<p class="MsoPlainText">> Mads<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> -----Original Message-----<o:p></o:p></p>
<p class="MsoPlainText">> From: Public [<a href="mailto:public-bounces@cabforum.org"><span style="color:windowtext;text-decoration:none">mailto:public-bounces@cabforum.org</span></a>] On Behalf Of Gervase Markham via Public<o:p></o:p></p>
<p class="MsoPlainText">> Sent: fredag 19. januar 2018 10:29<o:p></o:p></p>
<p class="MsoPlainText">> To: Mads Egil Henriksveen via Public <<a href="mailto:public@cabforum.org"><span style="color:windowtext;text-decoration:none">public@cabforum.org</span></a>><o:p></o:p></p>
<p class="MsoPlainText">> Subject: Re: [cabfpub] [EXTERNAL] Verification of Domain Contact and Domain Authorization Document<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> On 19/01/18 06:51, Mads Egil Henriksveen via Public wrote:<o:p></o:p></p>
<p class="MsoPlainText">>> Buypass, Entrust Datacard and GlobalSign have been working on some text to strengthen 3.2.2.4.1 instead of removing it - find the draft text below. The draft was discussed in the Validation Working Group meeting yesterday. We would like to offer this as an amendment to Ballot 218.<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Is it possible to provide a diff, e.g. by turning the new text into a Github pull request, or some other mechanism?<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Once we have a diff, might it be possible for rationale to be provided for each change?<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Gerv<o:p></o:p></p>
<p class="MsoPlainText">> _______________________________________________<o:p></o:p></p>
<p class="MsoPlainText">> Public mailing list<o:p></o:p></p>
<p class="MsoPlainText">> <a href="mailto:Public@cabforum.org"><span style="color:windowtext;text-decoration:none">Public@cabforum.org</span></a><o:p></o:p></p>
<p class="MsoPlainText">> <a href="https://cabforum.org/mailman/listinfo/public">
<span style="color:windowtext;text-decoration:none">https://cabforum.org/mailman/listinfo/public</span></a><o:p></o:p></p>
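<p class="MsoPlainText">Added example, not part of this thread and not code from the CA/Browser Forum or any of the CAs named above: a Python model of the proposed 3.2.2.4.1 check as Mads describes it (Registrant name matches the Applicant's name AND either the WHOIS postal address, carrying at least Country plus Locality/State, matches a verified Applicant address, OR the WHOIS Registration Number matches the number verified in a QGIS/QTIS), run over constructed WHOIS records for two organisations that share a name, which is the threat the proposal targets. The record field names, the normalisation rules used for "matches", and the sample organisations are assumptions; the proposal defines none of them.</p>

```python
"""Model of the proposed BR 3.2.2.4.1 Registrant check (added example; field
names, normalisation and sample data are assumptions, not CA/B Forum text)."""
from dataclasses import dataclass, field
import re
from typing import List, Optional, Tuple


def _norm(value: Optional[str]) -> str:
    """Lower-case, drop punctuation, collapse whitespace (assumed name/address rule)."""
    if not value:
        return ""
    return " ".join(re.sub(r"[^\w\s]", " ", value.lower()).split())


def _norm_id(value: Optional[str]) -> str:
    """Registration numbers: keep only alphanumerics (assumed rule, e.g. 'NO 999 999 999')."""
    return re.sub(r"\W", "", value or "").lower()


@dataclass
class PostalAddress:
    country: Optional[str] = None
    locality: Optional[str] = None      # city/town
    state: Optional[str] = None         # state or province
    street: Optional[str] = None
    postal_code: Optional[str] = None

    def has_minimum_fields(self) -> bool:
        # Proposal note: WHOIS address must carry Country plus Locality, State or Province.
        return bool(self.country) and bool(self.locality or self.state)

    def matches(self, other: "PostalAddress") -> bool:
        # Country and at least one of locality/state must agree; any further field
        # populated on both sides must agree as well.
        if _norm(self.country) != _norm(other.country):
            return False
        same_loc = bool(self.locality) and _norm(self.locality) == _norm(other.locality)
        same_state = bool(self.state) and _norm(self.state) == _norm(other.state)
        if not (same_loc or same_state):
            return False
        for f in ("street", "postal_code"):
            a, b = getattr(self, f), getattr(other, f)
            if a and b and _norm(a) != _norm(b):
                return False
        return True


@dataclass
class WhoisRegistrant:
    """Registrant fields as read from WHOIS for the Base Domain Name."""
    name: str
    address: Optional[PostalAddress] = None
    registration_number: Optional[str] = None


@dataclass
class VerifiedApplicant:
    """Applicant identity already verified under BR 3.2.2.1 / EVG 11.2."""
    name: str
    addresses: List[PostalAddress] = field(default_factory=list)  # from QGIS/QTIS/QIIS or VPL
    registration_number: Optional[str] = None                     # from a QGIS or QTIS


def validate_applicant_as_registrant(whois: WhoisRegistrant,
                                     applicant: VerifiedApplicant) -> Tuple[bool, str]:
    """(1) name match AND ((2.i) address match OR (2.ii) registration number match)."""
    if _norm(whois.name) != _norm(applicant.name):
        return False, "registrant name does not match applicant name"
    # 2.i: WHOIS address must carry the minimum fields and match a verified address.
    if whois.address is not None and whois.address.has_minimum_fields():
        if any(whois.address.matches(a) for a in applicant.addresses):
            return True, "name and postal address match"
    # 2.ii: WHOIS registration number must match the one verified in a QGIS/QTIS.
    if whois.registration_number and applicant.registration_number:
        if _norm_id(whois.registration_number) == _norm_id(applicant.registration_number):
            return True, "name and registration number match"
    # A bare name match is exactly the case the proposal refuses to accept.
    return False, "name matches but neither address nor registration number verified"


# Constructed sample data: two distinct organisations that share a name.
APPLICANT = VerifiedApplicant(
    name="Example Widgets AS",
    addresses=[PostalAddress(country="NO", locality="Oslo", street="Storgata 1")],
    registration_number="NO 999 999 999",
)
WHOIS_SAME_ORG = WhoisRegistrant("Example Widgets AS", PostalAddress(country="NO", locality="Oslo"))
WHOIS_NAMESAKE = WhoisRegistrant("Example Widgets AS", PostalAddress(country="NO", locality="Bergen"))
WHOIS_COUNTRY_ONLY = WhoisRegistrant("Example Widgets AS", PostalAddress(country="NO"))
WHOIS_REG_NUMBER = WhoisRegistrant("Example Widgets AS", None, registration_number="NO999999999")

if __name__ == "__main__":
    for label, rec in [("same org", WHOIS_SAME_ORG), ("namesake", WHOIS_NAMESAKE),
                       ("country only", WHOIS_COUNTRY_ONLY), ("reg. number", WHOIS_REG_NUMBER)]:
        print(label, validate_applicant_as_registrant(rec, APPLICANT))
```

<p class="MsoPlainText">The namesake record fails even though the Registrant name matches, and the country-only record fails because the WHOIS address lacks the minimum Locality/State field; only a matching address or a matching registration number turns the name match into a pass.</p>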
<p class="MsoPlainText"><o:p> </o:p></p>
</div>
</body>
</html>