[cabfpub] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft (2)
gerv at mozilla.org
Mon Apr 24 14:41:40 UTC 2017
On 20/04/17 18:57, Ryan Sleevi wrote:
> Based on our description, I believe your intent is also to cover Section
> 220.127.116.11, correct?
I guess so, although without permission to do 18.104.22.168 or 22.214.171.124, it
seems odd that anyone would outsource this bit.
> The concern raised in Raleigh that this introduces is that it
> effectively forbids Enterprise RAs from managing the validation of
> domains beneath the Domain Namespace that the CA has verified. This is
> because Enterprise RAs are Delegated Third Parties.
> Is your intent to restrict such Enterprise RAs to only performing
> Subject Name validation?
> That is, if 126.96.36.199 were worded to somehow suggest that:
> "The CA SHALL confirm that, as of the date the Certificate issues, the
> CA has validated each Fully‐Qualified Domain Name (FQDN) listed in the
> Certificate using at least one of the methods listed below, or is within
> the Domain Namespace of a Fully-Qualified Domain Name (FQDN) that has
> been validated using at least one of the methods listed below. "
Are we happy that, for all 10 methods, proof of control of
foo.example.com makes it fine to issue wibble.fish.foo.example.com?
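
An added illustration, not part of the original message or of any CA's code: a label-wise check of whether a requested FQDN falls within the Domain Namespace of an already-validated FQDN, as the proposed wording above would allow. The function names are hypothetical, and treating "within the Domain Namespace" as "equal to, or subordinate to, the validated name" is an assumption.

```python
# Added example. Function names are hypothetical; sample names are constructed.

def _labels(name):
    """Split an FQDN into lower-cased DNS labels, ignoring one trailing root dot."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    labels = name.split(".")
    if not name or any(not label for label in labels):
        raise ValueError("malformed FQDN: %r" % name)
    return labels


def in_domain_namespace(fqdn, validated_fqdn):
    """True if fqdn equals validated_fqdn or is subordinate to it.

    Comparison is per label, not per character: a plain string suffix test
    would wrongly accept 'evilfoo.example.com' for 'foo.example.com'.
    """
    candidate = _labels(fqdn)
    validated = _labels(validated_fqdn)
    return len(candidate) >= len(validated) and candidate[-len(validated):] == validated


def uncovered_names(cert_fqdns, validated_fqdns):
    """Return the certificate names not covered by any validated FQDN."""
    return [
        name for name in cert_fqdns
        if not any(in_domain_namespace(name, v) for v in validated_fqdns)
    ]


if __name__ == "__main__":
    requested = [
        "wibble.fish.foo.example.com",  # subordinate to the validated name
        "foo.example.com",              # the validated name itself
        "evilfoo.example.com",          # shares a string suffix only
        "example.com",                  # parent of the validated name
    ]
    print(uncovered_names(requested, ["foo.example.com"]))
```

The check only answers the namespace question; whether each of the validation methods actually justifies issuing for subordinate names is the policy question the message raises.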