[cabfpub] Proposed modification to domain verification

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Thu May 16 20:56:41 UTC 2013

On 05/15/2013 10:44 PM, From Jeremy Rowley:
> In preparation of tomorrow’s call, here’s our proposal on how the 
> domain validation section should change.  At the very least, this 
> should get everyone on the same discussion and help clearly identify 
> where there are open issues.

In continuation of our call today and the domain control validation 
proposal for EV certificates I would like to highlight the following 
items from the BR:

Under section 11.1.1 Authorization by Domain Name Registrant:

    For each Fully-Qualified Domain Name listed in a Certificate, the CA
    SHALL confirm that, as of the date the Certificate was issued, the
    Applicant either is the Domain Name Registrant or has control over
    the FQDN by:

    3. Communicating directly with the Domain Name Registrant using the
    contact information listed in the WHOIS record’s “registrant”,
    “technical”, or “administrative” field;

    4. Communicating with the Domain’s administrator using an email
    address created by pre-pending ‘admin’, ‘administrator’,
    ‘webmaster’, ‘hostmaster’, or ‘postmaster’ in the local part,
    followed by the at-sign (“@”), followed by the Domain Name, which
    may be formed by pruning zero or more components from the requested

    Note: For purposes of determining the appropriate domain name level
    or Domain Namespace, the registerable Domain Name is the
    second-level domain for generic top-level domains (gTLD) such as
    .com, .net, or .org, or, if the Fully Qualified Domain Name contains
    a 2 letter Country Code Top-Level Domain (ccTLD), then the domain
    level is whatever is allowed for registration according to the rules
    of that ccTLD.

This means that the domain name as indicated above must be validated, 
e.g. if a subscriber requests sub.domain.co.uk the CA must use 
webmaster at domain.co.uk or one of the other administrative addresses. The 
"pruning zero or more components" is a means to get to the registered 
domain name, but maybe the "may" preceding is misunderstood either by me 
or some others and it would warrant some clarifications (which reminds 
me that Tim made some attempt but then left the forum).

Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>
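As an added illustration that is not part of the thread above (and not code from StartCom, DigiCert or the CA/Browser Forum), the following Python derives the "constructed" administrative mailboxes that item 4 of section 11.1.1 describes for a requested FQDN. The public-suffix table it uses is a small constructed stand-in for the real registry rules, not an authoritative list. It produces the five local parts at every pruning level from the FQDN down to the registrable domain, so both readings of "may" are visible: the registrable-domain addresses the message above argues for, and the intermediate levels the literal text also allows. It never prunes past the registrable domain, since addresses at the public suffix itself (for example at co.uk) would not belong to the Applicant.

```python
# Added example: BR 11.1.1 item 4 mailbox construction for a requested FQDN.
# The suffix table below is a constructed, illustrative stand-in for the
# registry rules / Public Suffix List and is deliberately tiny.

from typing import List

# The five local parts named in item 4.
LOCAL_PARTS = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")

# Constructed public-suffix table (hypothetical): a name is registrable one
# label below the longest matching suffix, e.g. "domain.co.uk" under "co.uk".
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk", "de"}


def registrable_domain(fqdn: str) -> str:
    """Return the registered (registrable) domain of an FQDN.

    For a gTLD this is the second-level domain; for a ccTLD it is one label
    below the longest suffix the ccTLD allows registration under (co.uk etc.).
    Raises ValueError if the name is unparseable, has an unknown TLD, or is
    itself a public suffix (nothing below it can be "the Applicant's").
    """
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) < 2 or any(not label for label in labels):
        raise ValueError(f"not a valid FQDN: {fqdn!r}")
    # Longest public suffix matching from the right-hand end.
    suffix_len = 0
    for n in range(1, len(labels) + 1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            suffix_len = n
    if suffix_len == 0:
        raise ValueError(f"unknown top-level domain in {fqdn!r}")
    if suffix_len == len(labels):
        raise ValueError(f"{fqdn!r} is a public suffix, not a registrable domain")
    return ".".join(labels[-(suffix_len + 1):])


def pruning_levels(fqdn: str) -> List[str]:
    """Names formed by pruning zero or more leading labels from the FQDN,
    stopping at the registrable domain (never pruning past it)."""
    labels = fqdn.rstrip(".").lower().split(".")
    reg_len = len(registrable_domain(fqdn).split("."))
    return [".".join(labels[i:]) for i in range(0, len(labels) - reg_len + 1)]


def validation_addresses(fqdn: str) -> List[str]:
    """Every mailbox item 4 permits for the FQDN: each local part at each
    pruning level, with the registrable-domain addresses listed last."""
    return [f"{lp}@{d}" for d in pruning_levels(fqdn) for lp in LOCAL_PARTS]


if __name__ == "__main__":
    # Constructed sample requests, including the sub.domain.co.uk case above.
    for name in ("sub.domain.co.uk", "www.example.com", "example.com"):
        print(name, "->", registrable_domain(name))
        for addr in validation_addresses(name):
            print("   ", addr)
```

Running the block lists, for sub.domain.co.uk, the five mailboxes at sub.domain.co.uk followed by the five at domain.co.uk, and nothing at co.uk; a CA implementing the stricter reading would keep only the last pruning level.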
