[cabfpub] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft (2)

Gervase Markham gerv at mozilla.org
Mon Apr 24 14:41:40 UTC 2017

On 20/04/17 18:57, Ryan Sleevi wrote:
> Based on our description, I believe your intent is also to cover Section
>, correct?

I guess so, although without permission to do or, it
seems odd that anyone would outsource this bit.

> The concern raised in Raleigh that this introduces is that it
> effectively forbids Enterprise RAs from managing the validation of
> domains beneath the Domain Namespace that the CA has verified. This is
> because Enterprise RAs are Delegated Third Parties.
> Is your intent to restrict such Enterprise RAs to only performing
> Subject Name validation?


> That is, if were worded to somehow suggest that:
> "The CA SHALL confirm that, as of the date the Certificate issues, the
> CA has validated each Fully‐Qualified Domain Name (FQDN) listed in the
> Certificate using at least one of the methods listed below, or is within
> the Domain Namespace of a Fully-Qualified Domain Name (FQDN) that has
> been validated using at least one of the methods listed below. "

Are we happy that, for all 10 methods, proof of control of
foo.example.com makes it fine to issue wibble.fish.foo.example.com?

