[Smcwg-public] Validation of Information for Name-Constrained SubCAs

Ben Wilson bwilson at mozilla.com
Tue Aug 8 20:22:32 UTC 2023


Thanks!  The reason I asked -- I'm finalizing the Mozilla Root Store Policy
v. 2.9, and I'm thinking of referencing "3.2.2" as a way to broadly cover
the validation of information that might go in a name-constrained sub CA.
Thanks again,
Ben

On Tue, Aug 8, 2023 at 2:17 PM Stephen Davidson <
Stephen.Davidson at digicert.com> wrote:

> Hi Ben:
>
>
> The reference to Section 3.2.2.3 goes with the "or has been authorized by
> the domain registrant to act on the registrant's behalf" part only.  The
> typical verification of the domain under active control of the registrant
> would be done via Section 3.2.2.1.
>
>
>
> A possible clarification might be phrased as:
>
>
>
> "The CA SHALL confirm that the Applicant has registered the FQDN contained
> in the rfc822Name* in line with the verification practices of Section
> 3.2.2.1, *or has been authorized by the domain registrant to act on the
> registrant’s behalf in line with the verification practices of Section
> 3.2.2.3."
>
>
>
> Best, Stephen
>
>
>
>
>
> *From:* Smcwg-public <smcwg-public-bounces at cabforum.org> *On Behalf Of *Ben
> Wilson via Smcwg-public
> *Sent:* Tuesday, August 8, 2023 4:56 PM
> *To:* SMIME Certificate Working Group <smcwg-public at cabforum.org>
> *Subject:* [Smcwg-public] Validation of Information for Name-Constrained
> SubCAs
>
>
>
> Does anyone recall offhand why section 7.1.5 doesn't also refer to section
> 3.2.2.1?
>
>
>
> Section 7.1.5 says, "The CA SHALL confirm that the Applicant has
> registered the FQDN contained in the rfc822Name or has been authorized by the
> domain registrant to act on the registrant’s behalf in line with the
> verification practices of Section 3.2.2.3."   Section 3.2.2.3 is
> "Validating applicant as operator of associated mail server(s)", and
> section 3.2.2.1 is "Validating authority over mailbox via domain."  Was
> there a concern that 3.2.2.1 was too broad and that validation had to be
> done pursuant to section 3.2.2.3?  And what about section 3.2.2.2
> (validating control over mailbox via email)?
>
>
>
> Thanks,
>
>
>
> Ben
>