[cabfpub] Domain validation

Jeremy Rowley jeremy.rowley at digicert.com
Thu Apr 16 14:09:42 UTC 2015

Domain authorization letters are still permitted, I just dropped the opinion letter addition (i.e., they are the same as the previous version of the BRs). I included the note for completeness. After I get Robin's edits, I'll circulate a redlined version.

Gervase Markham <gerv at mozilla.org> wrote:

If there is another round of edits, can we do:

On 16/04/15 00:28, Jeremy Rowley wrote:

> Base Domain: The portion of an applied-for FQDN that is the first
> domain name node left of a registry-controlled or public suffix plus
> the registry-controlled or public suffix (e.g. “domain.co.uk” or
> “domain.com”).

We should use example.co.uk and example.com for examples, as (at least
in the case of .com) they are reserved for this.

> 6. Having the Applicant demonstrate control over the FQDN or Base
> Domain by adding a file containing a Random Value to the

-> "...adding a file whose name or contents include a Random Value to

No reason to be overly-specific.

> 7. Having the Applicant demonstrate control over the FQDN or Base
> Domain by the Applicant making a change to information in a DNS
> record for the FQDN or Base Domain where the change is a Random
> Value; or

-> "where the change is to insert a Random Value..."

> Note: For purposes of determining the appropriate domain name level
> or Domain Namespace, the registerable Domain Name is the
> second-level domain for generic top-level domains (gTLD) such as
> .com, .net, or .org, or, if the Fully Qualified Domain Name contains
> a 2 letter Country Code Top-Level Domain (ccTLD), then the domain
> level is whatever is allowed for registration according to the rules
> of that ccTLD.

Shouldn't this just refer to the definition of Base Domain? Or have I
missed something?

> If the CA relies upon a Domain Authorization Document
> to confirm the Applicant’s control over a FQDN, then the Domain
> Authorization Document MUST substantiate that the communication came
> from either the Domain Name Registrant (including any private,
> anonymous, or proxy registration service) or the Domain Name
> Registrar listed in the WHOIS. The CA MUST verify that the Domain
> Authorization Document was either (i) dated on or after the
> certificate request date or (ii) used by the CA to verify a
> previously issued certificate and that the Domain Name’s WHOIS record
> has not been modified since the previous certificate’s issuance.

Doesn't this bit refer to the opinion letters which are now removed?
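
The Base Domain definition quoted above, worked as an added Python example (not part of the original thread or of the Baseline Requirements text). The suffix set is a small constructed sample, the function names are hypothetical, and the wildcard and exception rules of the real Public Suffix List are not handled.

```python
# Constructed sample of registry-controlled / public suffixes (assumption:
# a real implementation would load the full Public Suffix List instead).
SAMPLE_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}


def naive_last_two(fqdn):
    """Weak approach: treat the last two labels as the registrable domain."""
    return ".".join(fqdn.rstrip(".").lower().split(".")[-2:])


def base_domain(fqdn, suffixes=SAMPLE_SUFFIXES):
    """Return the first node left of the longest matching suffix, plus that suffix.

    Returns None when the name is itself a suffix or matches no known suffix,
    so the caller can refuse to validate at that level.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    if any(not label for label in labels):
        raise ValueError("malformed FQDN: empty label")
    # Scan from the left so the first hit is the longest matching suffix.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            if i == 0:
                return None  # nothing left of the suffix to register
            return ".".join(labels[i - 1:])
    return None


def covered_by(fqdn, validated_base, suffixes=SAMPLE_SUFFIXES):
    """True if control shown over validated_base can be relied on for fqdn."""
    base = base_domain(fqdn, suffixes)
    return base is not None and base == validated_base.lower()


if __name__ == "__main__":
    for name in ("www.example.com", "www.example.co.uk", "co.uk"):
        print(name, "| naive:", naive_last_two(name), "| base:", base_domain(name))
```

The naive split returns `co.uk` for `www.example.co.uk`, which would let a Random Value check be scoped to a suffix shared by unrelated registrants; the suffix-aware version returns `example.co.uk`.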
