[cabfpub] Updated domain validation revisions

Ryan Sleevi sleevi at google.com
Sat Mar 14 09:52:39 MST 2015


Reposting with permission
On Mar 14, 2015 8:57 AM, "Peter Bowen" <pzbowen at gmail.com> wrote:

> On Thu, Mar 12, 2015 at 3:34 PM, Jeremy Rowley
> <jeremy.rowley at digicert.com> wrote:
> > This is based on the face-to-face discussions.  Not sure I captured 100%
> > of what was said, but it’s probably pretty close.  I’m looking forward to
> > the comments.
>
> I'm not sure what led to the change in 11.1.1 (1), but adding Reliable
> Method of Communication does not seem to make sense here.  Reliable
> Method of Communication is defined as "a method of communication, such
> as a postal/courier delivery address, telephone number, or email
> address, that was verified using a source other than the Applicant
> Representative."  11.1.1(1) is about the CA talking directly to the
> Registrar and confirming that the Applicant is the Registrant.  This
> could, for example, be comparing the customer signature on each of their
> contracts for services, or because the CA and the Registrar are the same
> company and the customer requested the certificate at the same time as
> registering the domain.
>
> My crystal ball is telling me that this change was meant to address a
> public comment in another forum that a common process CAs use might
> not meet the 11.1.1 1-6:
>
> "[The CA's CPS] describes a means for validating domain ownership that is
> not described within Section 11.1.1 of the BR 1.2.3. In particular, it
> uses the WHOIS information (described in 11.1.1 p3) in conjunction with
> email (described in 11.1.1 p4) to send to a non-whitelisted address. It
> may be that this is seen as an acceptable equivalent (per 11.1.1 p7), or
> it may be seen that email satisfies the "Communicating directly"
> requirement of 11.1.1 p3, but it was enough to be worth calling out."
>
> I would suggest changing the revised 11.1.1 (2) to:
>
> Confirming authorization of the Certificate’s issuance directly with
> the Domain Name Registrant using a Reliable Method of Communication
> verified either by (i) communication with the Domain Name Registrar or
> (ii) being listed as the contact information for “registrant”,
> “technical”, or “administrative” contacts listed in the WHOIS record
> for the Base Domain.
>
> It also seems that the new 11.1.1 (7) is a subset of the new 11.1.1
> (8), so I'm not sure why they are both included.
>
> As a more general comment, it might also be good to clarify how
> Wildcard FQDNs work with several of the options.  Maybe additional
> text in 11.1.3 is appropriate to clarify how the 11.1.1 rules for
> FQDNs should be applied.
>
> Thanks,
> Peter
>
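The distinction Peter draws above, between an address that is actually listed as a "registrant", "technical" or "administrative" contact in the WHOIS record for the Base Domain and an arbitrary "non-whitelisted" address, is easy to state in code. The following is an added illustration, not CA/B Forum text or any CA's validation code: it reduces an FQDN (including a wildcard FQDN, the case Peter asks to be clarified) to its Base Domain against a constructed public-suffix table, parses a constructed WHOIS record, and reports the roles under which a proposed contact address is listed. An empty result means the address would not satisfy option (ii) of the suggested 11.1.1 (2) wording. The suffix table, the WHOIS line format and the function names are assumptions for the example; a real implementation would consult the Public Suffix List and the registrar's actual WHOIS output.

```python
"""Illustrative check for the proposed BR 11.1.1 (2) option (ii).

Constructed example: the public-suffix table, the WHOIS record and the
function names below are assumptions for demonstration only.
"""
import re

# Constructed stand-in for the Public Suffix List (assumption).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

CONTACT_ROLES = ("registrant", "technical", "administrative")

# Constructed WHOIS record for the example domain (assumption).
WHOIS_RECORDS = {
    "example.com": """\
Domain Name: EXAMPLE.COM
Registrant Email: owner@example.com
Admin Email: hostmaster@example.com
Tech Email: noc@example.com
""",
}


def base_domain(fqdn):
    """Reduce an FQDN, with or without a leading '*.' wildcard label, to the
    Base Domain: the label immediately beneath the longest public suffix."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError("%r is itself a public suffix" % fqdn)
            return ".".join(labels[i - 1:])
    raise ValueError("no known public suffix for %r" % fqdn)


# Matches lines such as 'Registrant Email: x@y' / 'Admin Email: ...' /
# 'Tech Email: ...' in the constructed record format.
_CONTACT_LINE = re.compile(
    r"^\s*(Registrant|Tech(?:nical)?|Admin(?:istrative)?)\s+Email:\s*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)


def whois_contact_emails(whois_text):
    """Return {role: set of lower-cased e-mail addresses} for the three
    contact roles named in the proposed text."""
    contacts = {role: set() for role in CONTACT_ROLES}
    for role, addr in _CONTACT_LINE.findall(whois_text):
        role = role.lower()
        if role.startswith("tech"):
            role = "technical"
        elif role.startswith("admin"):
            role = "administrative"
        contacts[role].add(addr.lower())
    return contacts


def whois_listed_roles(fqdn, address, records=WHOIS_RECORDS):
    """Roles under which `address` is listed in the WHOIS record for the
    Base Domain of `fqdn`; [] means option (ii) is not satisfied."""
    record = records.get(base_domain(fqdn), "")
    contacts = whois_contact_emails(record)
    wanted = address.lower()
    return sorted(role for role in CONTACT_ROLES if wanted in contacts[role])


if __name__ == "__main__":
    for fqdn, addr in [("*.example.com", "HOSTMASTER@example.com"),
                       ("www.example.com", "someone@example.com")]:
        roles = whois_listed_roles(fqdn, addr)
        print(fqdn, addr, "->", roles or "not a listed contact")
```

The wildcard handling simply drops the `*` label before locating the Base Domain, which is one concrete way the 11.1.1 rules could be applied to Wildcard FQDNs; whether that is the intended reading is exactly the clarification Peter asks for in 11.1.3.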