[cabfpub] Domain validation

Jeremy Rowley jeremy.rowley at digicert.com
Tue May 16 09:12:04 MST 2017


This is excellent work and helps people understand each method a lot better.
- Thanks! Let me know if you disagree with anything. 

"The CA MUST record the subsection and version of the Baseline Requirements used to validate an Applicant’s control over each FQDN included in an issued certificate" 
When is this expected to become effective?
- Immediately after the IPR period expires

In methods 3.2.2.4.1, 3.2.2.4.2, 3.2.2.4.3, b (2), you say that the CA must verify that the WHOIS information for the Base Domain has not changed since the CA performed the verification process. Is this the WHOIS information record itself or should CAs be looking for the Domain Contact to appear in the WHOIS record? I'm asking because some WHOIS databases do not release Domain Contact information and CAs require an official document from the Domain Registrar that contains information about the domain owner and contacts for the initial domain validation.
- Right now the time period in that section specifies the Domain language 825 days so it’s identical to the verification period. I put this in explicitly in case we wanted to reduce the period of WHOIS re-confirmation to a lesser period (such as 90 days?). It should have said WHOIS or Domain Registrar though instead of just WHOIS. I also don’t mind dropping bullet point 2 if everyone is opposed to a WHOIS/Domain Registrar refresh.

For example, this is the WHOIS record for example.gr:


Domain Name:example.gr
Domain Handle:dr-1234-gr
Protocol Number:1234
Creation Date:24-07-1997
Expiration Date:31-12-2017
Updated Date:05-11-2015
Registrar:FOO
Registrar Referral URL:http://www.FOO.gr
Registrar Email:registrar at FOO.gr
Registrar Telephone:+30.123456
Whois Server: 
Bundle Name:example.gr
Name Server:XXXX.example.gr
Name Server:XXXXXX.example.gr


According to your proposal, CAs only need to check if the record above has not changed?
- Yes. That is the point of bullet point 2. To try and address issues where domain ownership may have changed.


Also, there is a small typo in the 3rd paragraph of 3.2.2.4.2 a (FQNs --> FQDNs).
- Thanks!
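The check discussed in this exchange (whether the registrar record for the Base Domain is unchanged since the original validation, and whether that validation is still within the 825-day reuse period) can be made concrete. The following is an added example, not code from the thread or from any CA; it parses a WHOIS record of the shape quoted above into fields, fingerprints it, reports which fields changed between two snapshots, and combines that with the age check. The sample record, the "changed" record and the `ignore` list of housekeeping fields are constructed assumptions for illustration.

```python
"""
Added example (not part of the cabfpub thread or any CA's code): parse a
registrar WHOIS record like the one quoted in the thread into fields, keep a
snapshot from the original domain validation, and decide at re-use time
whether the record is unchanged and the validation is still within the
825-day window the reply mentions. Sample records are constructed.
"""
from datetime import date
from hashlib import sha256

VALIDATION_REUSE_DAYS = 825  # reuse period figure quoted in the reply

# Constructed sample: the record as quoted in the thread (registrar names are placeholders).
ORIGINAL_WHOIS = """\
Domain Name:example.gr
Domain Handle:dr-1234-gr
Protocol Number:1234
Creation Date:24-07-1997
Expiration Date:31-12-2017
Updated Date:05-11-2015
Registrar:FOO
Registrar Referral URL:http://www.FOO.gr
Registrar Email:registrar at FOO.gr
Registrar Telephone:+30.123456
Whois Server:
Bundle Name:example.gr
Name Server:XXXX.example.gr
Name Server:XXXXXX.example.gr
"""

# Constructed "later" record in which the registrar and one name server differ.
CHANGED_WHOIS = ORIGINAL_WHOIS.replace("Registrar:FOO", "Registrar:BAR").replace(
    "Name Server:XXXXXX.example.gr", "Name Server:ns2.other.example")


def parse_whois(text):
    """Split 'Key:Value' lines into a dict; repeated keys (Name Server) become sorted lists.
    Whitespace around values is dropped so cosmetic output differences do not count."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # split on the first colon only (URLs contain more)
        fields.setdefault(key.strip(), []).append(value.strip())
    return {k: sorted(v) for k, v in fields.items()}


def fingerprint(text):
    """Stable hash over the parsed, sorted fields, so two pulls of the same record
    match regardless of line order or spacing."""
    parsed = parse_whois(text)
    canonical = "\n".join(f"{k}={'|'.join(v)}" for k, v in sorted(parsed.items()))
    return sha256(canonical.encode()).hexdigest()


def changed_fields(old_text, new_text):
    """Return the names of fields whose values differ between two WHOIS records."""
    old, new = parse_whois(old_text), parse_whois(new_text)
    return sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))


def may_reuse_validation(validated_on, today, old_text, new_text, ignore=("Updated Date",)):
    """Reuse of a prior domain validation requires both conditions the reply describes:
    the validation is within the reuse window and the registrar record is unchanged.
    Fields in `ignore` (assumed registrar housekeeping timestamps) are not treated as changes.
    Returns (allowed, list_of_changed_fields)."""
    age_ok = (today - validated_on).days <= VALIDATION_REUSE_DAYS
    diffs = [f for f in changed_fields(old_text, new_text) if f not in ignore]
    return age_ok and not diffs, diffs


if __name__ == "__main__":
    validated = date(2016, 1, 15)
    print(may_reuse_validation(validated, date(2017, 5, 16), ORIGINAL_WHOIS, ORIGINAL_WHOIS))
    print(may_reuse_validation(validated, date(2017, 5, 16), ORIGINAL_WHOIS, CHANGED_WHOIS))
```

Storing only `fingerprint(...)` of the record at validation time is enough to answer "has it changed", but keeping the parsed snapshot as well lets the re-check report which fields moved (registrar, name servers, contacts), which is what an auditor reviewing a refused reuse would want to see.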
