[cabfpub] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft (2)

Ryan Sleevi sleevi at google.com
Mon Apr 24 09:04:37 MST 2017 

On Mon, Apr 24, 2017 at 10:24 AM, Peter Bowen <pzb at amzn.com> wrote:

>
> 3.2.2.4.2: same as .1
>>
>
> How do you argue this? The random value must be unique and cannot be
> reused > 30 days, so the documents and data obtained would need to be
> redone.
>
>
> I’m not suggesting to reuse the random value itself.  I’m reusing the
> documentation created when I verified the random value within 30 days of
> creation.
>

I see. That's an interesting definition of documentation that I did not
believe was supported through the text.

Could you expand on what you see this definition including? That is, I
think suggesting that "the act of verifying" is equivalent to "producing
documentation", and such documentation can be reused, is somewhat
problematic and inconsistent with the text, but perhaps I've misunderstood.


> And I suppose the interpretation that I'm taking is that 3.2.2.4 doesn't
> enumerate ADN, but does enumerate FQDN, and the confirmation applies to the
> FQDN, not the ADN, even if the FQDN was confirmed using an ADN. Because of
> this, "completed confirmations" refers to the FQDN - so you can reissue
> certificates for the same names, but you cannot add new names, even if an
> ADN is used.
>
> On first reading, I was inclined to support your interpretation (if we
> made it explicitly worded), but one problem with that interpretation is the
> intersection with CAA. If we allow the ADN authorization to be reused, then
> it allows bypassing the CAA checks for the FQDN, does it not? Or would you
> agree that 3.2.2.8 applies regardless of the reuse of information - that
> every FQDN must have CAA checked, regardless if authority was validated
> using a (reused) ADN validation?
>
>
> Where do you see 3.2.2.8 says you can skip it?  I’m trying to take your
> view that one runs the validation workflow (flowchart) each time you issue,
> but the inputs may have been collected on a previous validation run.
>

Using your definition that the act of verifying the ADN is producing
documentation, why wouldn't the act of verifying CAA be equivalent to
producing documentation?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170424/c4c51ecb/attachment.html>

More information about the Public mailing list