[cabfpub] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft

Ryan Sleevi sleevi at google.com
Thu Apr 27 22:17:09 UTC 2017

On Thu, Apr 27, 2017 at 6:04 PM, Kirk Hall via Public <public at cabforum.org>

> Gerv, I have a question on the actual implementation of your proposal –
> would your proposal require all aspects of domain validation to be done by
> employees of the CA?

> Is everyone who is not an employee considered a DTP?

As required in the Baseline Requirements, yes.

> At Trend Micro, when validating some governments and enterprises in
> Central and South America, we relied on law firms in the countries involved
> to (1) obtain necessary validation documents confirming the legal name(s)
> of the applicants (sometimes they had more than one legal name), and then
> (2) compare the legal name with the name information in WhoIs.  It was
> invaluable to get the help and interpretation of people in-country, who
> will know what common abbreviations mean, whether Plaza de la Republica is
> the same as Bolivar Avenue, etc.  Likewise, abbreviations in the WhoIs name
> may be easy for local people to interpret against the confirmed identity
> names, but harder for someone who speaks Spanish living in Cupertino or
> Ottawa to interpret.  It makes for much more accurate domain vetting.
> Their research and findings (and recommendations) would be translated to
> English and bundled up for our vetting teams, then included in the vetting
> files and were subject to audits.

None of this is impacted by Gerv's proposal.

> Is a local law firm in that case a DTP, and would CAs be prohibited from
> using them to verify domains?  (By the way – for some large enterprises and
> government agencies, the idea that they can respond to emails to verify
> domains or put something on their web page is just not practical – the
> people ordering the certs often aren’t sure how to make that happen, and
> prefer a WhoIs lookup.)

Yes, it would be.

> Law firms aside, suppose MegaCA has a growing number of customers in
> Freedonia.  Again, you will get much better and more accurate results from
> someone in-country in Freedonia (who is a native and local speaker of
> Freedonian, knows customs in names and addresses, abbreviations, etc.) than
> an employee of MegaCA who lives in Cupertino or Ottawa and speaks fairly
> good Freedonian.  I have seen this with Japanese vetters – the ones in
> Japan can give a more accurate result (based on local knowledge), like
> knowing which neighborhood in Tokyo should go in the L field, etc.

And this would not be affected.

> Which also brings up domain verification in places that use non-Roman
> alphabets – local is better.

Can you please explain why you believe this to be, considering that domains
are expressed as A-labels using IDNA syntax (aka Punycode)?

> Would all of these cases, using local people to do portions of the domain
> verification work, be outlawed under your ballot?
> Also, please consider that not all companies (including CAs) want to make
> everyone who does work for them an employee.

That's great. Please consider that I think all companies, hopefully
including CAs, want systems to be secure. This only affects the domain
validation portion, which, through the power of a global Internet, is
something that does not require being in Freedonia or speaking Freedonian
to support.

> So you see, the situation is more complex than we ever discussed at the
> F2F meeting.

Actually, these points were discussed during the F2F meeting, and I am once
again saddened by the non-participation.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170427/0f7001ed/attachment-0003.html>
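The A-label point Ryan raises above, illustrated with an added Python example that is not part of this thread or of any CA's code. What a CA compares during domain validation is the ASCII A-label form of the name, so the comparison needs no knowledge of the local language or script. The example uses Python's standard-library `idna` codec, which implements IDNA 2003 nameprep plus Punycode (an assumption of this example; IDNA 2008 maps a few characters, such as U+00DF, differently, so a validation system should pin which IDNA version it applies). It also shows the defensive corollary: two spellings that render identically but differ in code points produce different A-labels, so comparing A-labels is exactly what catches a substituted character. The sample names and the script heuristic are constructed for this example.

```python
"""Compare domain names by their IDNA A-labels (added example, not from the thread)."""
import unicodedata


def to_alabel(domain: str) -> str:
    """Return the ASCII A-label form of a domain, lowercased, without a trailing dot.

    Each label goes through Python's standard-library 'idna' codec, which
    implements IDNA 2003 nameprep plus Punycode (an assumption of this example;
    IDNA 2008 maps a few characters such as U+00DF differently).  Labels that
    are already ASCII, including existing xn-- labels, pass through unchanged.
    The result is lowercased because DNS names are case-insensitive.
    """
    labels = domain.rstrip(".").split(".")
    out = []
    for label in labels:
        if not label:
            raise ValueError("empty label in %r" % domain)
        out.append(label.encode("idna").decode("ascii"))
    return ".".join(out).lower()


def to_ulabel(domain: str) -> str:
    """Decode A-labels back to U-labels, i.e. what a human reviewer would see rendered."""
    alabel = to_alabel(domain)
    return ".".join(label.encode("ascii").decode("idna") for label in alabel.split("."))


def same_domain(a: str, b: str) -> bool:
    """True when two spellings name the same DNS name once both are A-labels."""
    return to_alabel(a) == to_alabel(b)


def letter_scripts(label: str) -> set:
    """Crude set of scripts used by a U-label's letters, taken from the first
    word of each character's Unicode name (LATIN, CYRILLIC, GREEK, ...).
    unicodedata exposes no Script property, so this is a heuristic for
    illustration, not an implementation of UTS #39 confusable detection."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def mixed_script(domain: str) -> bool:
    """Flag a name any of whose labels mixes letters from more than one script,
    a cheap signal that a name deserves a closer look before validation."""
    return any(len(letter_scripts(label)) > 1 for label in to_ulabel(domain).split("."))


if __name__ == "__main__":
    # Constructed sample inputs: one German name in four spellings, plus a
    # look-alike that uses Cyrillic 'a' (U+0430) in place of Latin 'a'.
    samples = [
        "münchen.example",
        "MÜNCHEN.Example.",
        "mu\u0308nchen.example",   # 'u' + combining diaeresis; nameprep NFKC folds it to ü
        "xn--mnchen-3ya.example",  # already an A-label; passes through unchanged
        "p\u0430ypal.example",
    ]
    for name in samples:
        print("%-30r -> %-26s mixed-script=%s" % (name, to_alabel(name), mixed_script(name)))
    print(same_domain("münchen.example", "XN--MNCHEN-3YA.example"))  # True
    print(same_domain("paypal.example", "p\u0430ypal.example"))       # False
```

The four spellings of the German name all collapse to the same A-label, which is the string a validator compares against the WhoIs or DNS record, while the Cyrillic look-alike yields a different A-label and is flagged by the mixed-script check; neither result depends on anyone reading German or Cyrillic.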