[cabfpub] Updated domain validation revisions

Jeremy Rowley jeremy.rowley at digicert.com
Fri Mar 13 19:46:59 UTC 2015


Thanks Gerv, 

Some responses below:

As noted in the meeting, I have a concern over the idea that a Verified Legal Opinion or Verified Accountant Letter would be considered sufficient for determining domain control. All of the other methods of checking are technical checks on the domain, services running on the domain, or electronic metadata associated with the domain in the DNS, or directly asking someone (such as a registrar) who maintains such information. A lawyer's letter, by contrast, is just "some guy says", normally because "some other guy told me" or "some document the other guy gave me says". That guy may often be right, but without him doing one of the other checks in the list, he can't know.

Verifying that the person you are issuing to has practical domain control is the fundamental check in all certificate issuance. (For DV, it's the only one.) We should not be issuing certificates based on "some guy says", lawyer or not.

[JR] I'll leave this for Kirk to answer as it's his suggestion to include them.

Also:

* The definition "Test Certificate" appears not to be used anywhere. Is it supposed to be used in 11.1.1.11?
[JR]  Indeed it was.  However, the new language of 11 eliminated test cert.  I'll update to remove the definition. 

* Would it not be more general to use the .well-known/certificate directory rather than .well-known/cabforum? Also, do we have to register that well-known name somehow? Should we do that before passing the ballot?
[JR] We discussed this a little bit during the working group meeting.  Originally we suggested cabforum to distinguish from other potential uses, but certificate works just as well for me.  We should probably do this before passing a ballot.  I'll reach out to Mark Nottingham as soon as we have a consensus on what the well-known directory should be.

* Number 6 doesn't have the 128-bit entropy requirement that others do.
Perhaps you should define a Random Value and use that definition in all of these? You could also just define that based on entropy; it doesn't have to be a number.
[JR] Okay. Thanks!

* In 7, "TXT record" is unnecessarily specific. Any record will do, surely?
[JR] Good point. I'll update.

* 11. has the word "practical" which others do not. Suggest removing.
[JR] Will do.

