[cabfpub] "Domain Name Registrar"

Geoff Keating geoffk at apple.com
Mon Aug 1 21:53:03 UTC 2016


> On 1 Aug. 2016, at 12:57 pm, Peter Bowen <pzb at amzn.com> wrote:
> 
> 
>> On Aug 1, 2016, at 12:13 PM, geoffk at apple.com wrote:
>> 
>> 
>>> On 1 Aug. 2016, at 9:52 am, Peter Bowen <pzb at amzn.com> wrote:
>>> 
>>> I’m familiar with the two sections.  However I’m not clear on the rules for what goes where.
>> 
>> I think it’s not really a bright-line situation.  And, importantly, not one that really matters for the purpose of certificate issuance; no matter how you do it, you need to check that the domain is authorized all the way back to the root, whether that’s by consulting an IANA list or whois or whatever; the classification of registrars is just so you don’t have to keep verifying “yes, Verisign still runs .com just as it did 30 seconds ago for the previous domain”.
> 
> I think it does matter for certificate issuance when using validation methods that don’t involve DNS lookup of the name being verified.  For example, if I want to send an email to the domain registrant, can I send it to the person who registered example.de.com with CentralNic or must it only go to the person who registered de.com (e.g. CentralNic themselves)?

That’s what I mean by ‘all the way back’: you can get the e-mail address from CentralNic, but you also need to check that CentralNic does actually own de.com.  It is not wrong to e-mail CentralNic and accept their answer in this case, although it might be ineffective.