[cabfpub] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft (2)

Gervase Markham gerv at mozilla.org
Mon Apr 24 07:41:40 MST 2017


On 20/04/17 18:57, Ryan Sleevi wrote:
> Based on our description, I believe your intent is also to cover Section
> 3.2.2.6, correct?

I guess so, although without permission to do 3.2.2.4 or 3.2.2.5, it
seems odd that anyone would outsource this bit.

> The concern raised in Raleigh that this introduces is that it
> effectively forbids Enterprise RAs from managing the validation of
> domains beneath the Domain Namespace that the CA has verified. This is
> because Enterprise RAs are Delegated Third Parties.
> 
> Is your intent to restrict such Enterprise RAs to only performing
> Subject Name validation?

No.

> That is, if 3.2.2.4 were worded to somehow suggest that:
> "The CA SHALL confirm that, as of the date the Certificate issues, the
> CA has validated each Fully‐Qualified Domain Name (FQDN) listed in the
> Certificate using at least one of the methods listed below, or is within
> the Domain Namespace of a Fully-Qualified Domain Name (FQDN) that has
> been validated using at least one of the methods listed below. "

Are we happy that, for all 10 methods, proof of control of
foo.example.com makes it fine to issue wibble.fish.foo.example.com?

Gerv
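The "within the Domain Namespace" wording quoted above turns on one mechanical question: is the requested FQDN the validated name itself, or a name subordinate to it in the DNS tree? The following is an added example, not code from the thread or from any CA's implementation, showing that check done on whole labels, alongside the naive string-suffix version that wrongly accepts notfoo.example.com for foo.example.com. Function names and sample hostnames are assumptions constructed for the illustration.

```python
# Added example (not part of the original mailing-list post): decide whether a
# requested FQDN lies within the Domain Namespace of an FQDN the CA has validated.
# Function names and the sample hostnames below are constructed for illustration.

def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so that comparison is label-based."""
    return name.strip().rstrip(".").lower()


def within_domain_namespace(requested: str, validated: str) -> bool:
    """True if `requested` equals `validated` or is subordinate to it in the DNS tree.

    Labels are compared as whole units, so 'notfoo.example.com' is NOT within the
    namespace of 'foo.example.com', while 'wibble.fish.foo.example.com' is.
    A wildcard name such as '*.foo.example.com' is treated like any other
    subordinate label here; whether wildcards should be allowed at all is a
    separate policy decision.
    """
    req = normalize(requested).split(".")
    val = normalize(validated).split(".")
    if not all(req) or not all(val):
        return False  # empty label (e.g. 'a..b') is never a valid FQDN
    if len(req) < len(val):
        return False  # shorter than the validated name: it cannot be subordinate
    return req[-len(val):] == val


def naive_suffix_check(requested: str, validated: str) -> bool:
    """The common buggy version: a plain string-suffix test with no label boundary."""
    return normalize(requested).endswith(normalize(validated))


def partition_request(requested_names, validated_names):
    """Split a certificate request's FQDNs into those covered by at least one
    validated namespace and those that still need their own validation."""
    covered, needs_validation = [], []
    for fqdn in requested_names:
        if any(within_domain_namespace(fqdn, v) for v in validated_names):
            covered.append(fqdn)
        else:
            needs_validation.append(fqdn)
    return covered, needs_validation


if __name__ == "__main__":
    validated = ["foo.example.com"]
    request = ["wibble.fish.foo.example.com", "foo.example.com",
               "notfoo.example.com", "example.com"]
    ok, pending = partition_request(request, validated)
    print("covered:", ok)            # wibble.fish.foo.example.com, foo.example.com
    print("needs validation:", pending)  # notfoo.example.com, example.com
    print("naive suffix check accepts notfoo.example.com:",
          naive_suffix_check("notfoo.example.com", "foo.example.com"))  # True (bug)
```

Whether any of the ten 3.2.2.4 methods should let a demonstration at foo.example.com cover every name beneath it is the policy question Gerv is asking; the code only shows what "beneath it" must mean if the rule is adopted, and why the boundary has to be a label and not a character.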
