[cabfpub] Updated domain validation revisions
sleevi at google.com
Sat Mar 14 09:52:39 MST 2015
Reposting with permission
On Mar 14, 2015 8:57 AM, "Peter Bowen" <pzbowen at gmail.com> wrote:
> On Thu, Mar 12, 2015 at 3:34 PM, Jeremy Rowley
> <jeremy.rowley at digicert.com> wrote:
> > This is based on the face-to-face discussions. Not sure I captured 100%
> > what was said, but it’s probably pretty close. I’m looking forward to
> > comments.
> I'm not sure what led to the change in 11.1.1 (1), but adding Reliable
> Method of Communication does not seem to make sense here. Reliable
> Method of Communication is defined as "a method of communication, such
> as a postal/courier delivery address, telephone number, or email
> address, that was verified using a source other than the Applicant
> Representative." 11.1.1(1) is about the CA talking directly to the
> Registrar and confirming that the Applicant is the Registrant. This
> could, for example, comparing the customer signature on each of their
> contract for services or because the CA and the Registrar are the same
> company and the customer requested the certificate at the same time as
> registering the domain.
> My crystal ball is telling me that this change was meant to address a
> public comment in another forum that a common process CAs use might
> not meet the 11.1.1 1-6:
> "[The CA's CPS] describes a means for validating domain ownership that is
> not described within Section 11.1.1 of the BR 1.2.3. In particular, it
> uses the WHOIS information (described in 11.1.1 p3) in conjunction with
> email (described in 11.1.1 p4) to send to a non-whitelisted address. It
> may be that this is seen as an acceptable equivalent (per 11.1.1 p7), or
> it may be seen that email satisfies the "Communicating directly"
> requirement of 11.1.1 p3, but it was enough to be worth calling out."
> I would suggest changing the revised 11.1.1 (2) to:
> Confirming authorization of the Certificate’s issuance directly with
> the Domain Name Registrant using a Reliable Method of Communication
> verified either by (i) communication with the Domain Name Registrar or
> (ii) being listed as the contact information for “registrant”,
> “technical”, or “administrative” contacts listed in the WHOIS record
> for the Base Domain.
> It also seems that the new 11.1.1 (7) is a subset of the new 11.1.1
> (8), so I'm not sure why they are both included.
> As a more general comment, it might also be good to clarify how
> Wildcard FQDNs work with several of the options. Maybe additional
> text is 11.1.3 is appropriate to clarify how the 11.1.1 rules for
> FQDNs should be applied.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public