[Smcwg-public] Validation of Information for Name-Constrained SubCAs

Stephen Davidson Stephen.Davidson at digicert.com
Tue Aug 8 20:17:02 UTC 2023


Hi Ben:


The reference to Section 3.2.2.3 goes with the "or has been authorized by the domain registrant to act on the registrant's behalf" part only.  The typical verification of the domain under active control of the registrant would be done via Section 3.2.2.1.



A possible clarification might be phrased as:



"The CA SHALL confirm that the Applicant has registered the FQDN contained in the rfc822Name in line with the verification practices of Section 3.2.2.1, or has been authorized by the domain registrant to act on the registrant’s behalf in line with the verification practices of Section 3.2.2.3."



Best, Stephen





From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Ben Wilson via Smcwg-public
Sent: Tuesday, August 8, 2023 4:56 PM
To: SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: [Smcwg-public] Validation of Information for Name-Constrained SubCAs



Does anyone recall offhand why section 7.1.5 doesn't also refer to section 3.2.2.1?



Section 7.1.5 says, "The CA SHALL confirm that the Applicant has registered the FQDN contained in the rfc822Name or has been authorized by the domain registrant to act on the registrant’s behalf in line with the verification practices of Section 3.2.2.3." Section 3.2.2.3 is "Validating applicant as operator of associated mail server(s)", and section 3.2.2.1 is "Validating authority over mailbox via domain." Was there a concern that 3.2.2.1 was too broad and that validation had to be done pursuant to section 3.2.2.3? And what about section 3.2.2.2 (validating control over mailbox via email)?



Thanks,



Ben
