[cabfpub] Updated domain validation revisions

Gervase Markham gerv at mozilla.org
Fri Mar 13 19:42:03 UTC 2015

On 12/03/15 15:34, Jeremy Rowley wrote:
> This is based on the face-to-face discussions.  Not sure I captured 100%
> of what was said, but it’s probably pretty close.  I’m looking forward
> to the comments.

As noted in the meeting, I have a concern over the idea that a Verified
Legal Opinion or Verified Accountant Letter would be considered
sufficient for determining domain control. All of the other methods of
checking are technical checks on the domain, services running on the
domain, or electronic metadata associated with the domain in the DNS, or
directly asking someone (such as a registrar) who maintains such
information. A lawyer's letter, by contrast, is just "some guy says",
normally because "some other guy told me" or "some document the other
guy gave me says". That guy may often be right, but without him doing
one of the other checks in the list, he can't know.

Verifying that the person you are issuing to has practical domain
control is the fundamental check in all certificate issuance. (For DV,
it's the only one.) We should not be issuing certificates based on "some
guy says", lawyer or not.


* The definition "Test Certificate" appears not to be used anywhere. It
it supposed to be used in

* Would it not be more general to use the .well-known/certificate
directory rather than .well-known/cabforum? Also, do we have to register
that well-known name somehow? Should we do that before passing the ballot?

* Number 6 doesn't have the 128-bit entropy requirement that others do.
Perhaps you should define a Random Value and use that definition in all
of these? You could also just define that based on entropy; it doesn't
have to be a number.

* In 7, "TXT record" is unnecessarily specific. Any record will do, surely?

* 11. has the word "practical" which others do not. Suggest removing.


More information about the Public mailing list