[cabfpub] Domain Validation Revision

[Gervase Markham]

On 13/02/15 02:55, Jeremy Rowley wrote:
> Attached is a draft proposal from the EV working group about revising
> the domain validation in the BRs.  The intent is 1) to eliminate the
> “any other option” (as it made domain validation essentially
> meaningless, 

I don't agree that the "any other option" makes domain validation
essentially meaningless. The current text is as follows:

"Using any other method of confirmation, provided that the CA maintains
documented evidence that the method of confirmation establishes that the
Applicant is the Domain Name Registrant or has control over the FQDN to
at least the same level of assurance as those methods previously described."

This basically means that CAs can innovate in the way they do domain
control as long as the level of assurance remains the same, and it makes
the CA responsible for confirming that this is so. (And if a CA was
using this clause, I would expect the auditor auditing them to the BRs
to review their documentation and make an assessment as to whether the
level of assurance was equivalent.)

Given that this is an area of CA operations where there are patents on
some methods of doing things, open-endedness is IMO important to make
sure that the BRs are not used as a device to force CAs to acquire
patent licenses due to limited options.

I have no objection to listing more methods that the CAB Forum
explicitly finds to be acceptable, but I think removing the flexibility
is a backwards step.

> 3) permit
> attorney/accountants to draft the domain authorization document.

If I understand this correctly, then I am opposed. I don't see why a
lawyer or an accountant is an appropriate authority on the subject of
who controls a domain. Domain control can only be properly validated
either by the registrar who issued the domain, the registrant listed in
WHOIS, or some practical demonstration of control. No-one else's opinion
matters.

Gerv