[cabfpub] [EXTERNAL] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft

Kirk Hall Kirk.Hall at entrustdatacard.com
Thu Apr 27 15:31:08 UTC 2017

Can you explain the difference between " independently audited DTPs" and "constrained/Enterprise RA" so we are all working with the same vocabulary?

I do believe CAs use external RAs (DTPs?) to do both organizational vetting in foreign countries and (in cases where the CAs is using WhoIs or some other manual method where the data must be matched to identity data) domain validation as well.

-----Original Message-----
From: Peter Bowen [mailto:pzb at amzn.com] 
Sent: Thursday, April 27, 2017 7:14 AM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Subject: Re: [cabfpub] [EXTERNAL] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft

> On Apr 26, 2017, at 3:05 PM, Kirk Hall via Public <public at cabforum.org> wrote:
> Gerv, I’m late to the discussion on this.  By can you start at the beginning, and explain why you believe DTPs should not be permitted to perform domain validation under any circumstances?


My view is that this isn’t about DTPs.  This is about simplification of the BRs, which we can all agree are very long and complex.  I have not heard anyone speak up and say that they are using DTPs for domain validation.  I would even take it a step further and suggest that we consider removing the DTP language all together, leaving only constrained RAs.  This would avoid a lot of and conditional requirements.

I think the key issue is whether anyone is still depending on independently audited DTPs or if all external validation is only in the constrained/Enterprise RA context.


More information about the Public mailing list