[cabfpub] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft
Kirk.Hall at entrustdatacard.com
Thu Apr 27 22:04:50 UTC 2017
Ryan, in response to your recent messages - see below as to specific concrete concerns with the proposal.
I addressed the message below to Gerv as the proposer of the ballot, but I would welcome your response as well to make sure all impacts of the proposal have been publicly addressed.
From: Kirk Hall
Sent: Thursday, April 27, 2017 12:12 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Forbid DTPs from doing Domain/IP Ownership Validation ballot draft
Gerv, I have a question on the actual implementation of your proposal - would your proposal require all aspects of domain validation to be done by employees of the CA? Is everyone who is not an employee considered a DTP?
At Trend Micro, when validating some governments and enterprises in Central and South America, we relied on law firms in the countries involved to (1) obtain necessary validation documents confirming the legal name(s) of the applicants (sometimes they had more than one legal name), and then (2) compare the legal name with the name information in WhoIs. It was invaluable to get the help and interpretation of people in-country, who will know what common abbreviations mean, whether Plaza de la Republica is the same as Bolivar Avenue, etc. Likewise, abbreviations in the WhoIs name may be easy for local people to interpret against the confirmed identity names, but harder for someone who speaks Spanish living in Cupertino or Ottawa to interpret. It makes for much more accurate domain vetting. Their research and findings (and recommendations) would be translated to English and bundled up for our vetting teams, then included in the vetting files and subject to audits.
Is a local law firm in that case a DTP, and would CAs be prohibited from using them to verify domains? (By the way - for some large enterprises and government agencies, the idea that they can respond to emails to verify domains or put something on their web page is just not practical - the people ordering the certs often aren't sure how to make that happen, and prefer a WhoIs lookup.)
Law firms aside, suppose MegaCA has a growing number of customers in Freedonia. Again, you will get much better and more accurate results from someone in-country in Freedonia (who is a native and local speaker of Freedonian, knows customs in names and addresses, abbreviations, etc.) than an employee of MegaCA who lives in Cupertino or Ottawa and speaks fairly good Freedonian. I have seen this with Japanese vetters - the ones in Japan can give a more accurate result (based on local knowledge), like knowing which neighborhood in Tokyo should go in the L field, etc.
Which also brings up domain verification in places that use non-Roman alphabets - local is better.
Would all of these cases, using local people to do portions of the domain verification work, be outlawed under your ballot?
Also, please consider that not all companies (including CAs) want to make everyone who does work for them an employee. If the work in Freedonia only requires a Freedonian who works one-third time, companies may prefer working with that person as an independent contractor, not an employee - is this outlawed? Of course, everything must be audited - but suppose MegaCA's auditor has no one who speaks or can read Freedonian? At that point, it may make sense to find a local WebTrust auditor in or near Freedonia to do that part of the audit - and roll it up into MegaCA's main audit.
I know you and Google favor automated machine-to-machine verification of domains above all else, but it's not practical at this time for many customers.
So you see, the situation is more complex than we ever discussed at the F2F meeting.