[cabfpub] [EXTERNAL] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft

Peter Bowen pzb at amzn.com
Mon May 1 13:12:30 UTC 2017


> On May 1, 2017, at 5:13 AM, Gervase Markham <gerv at mozilla.org> wrote:
> 
> On 28/04/17 15:56, Peter Bowen wrote:
>> I would suggest a simpler approach — simply remove Delegated Third
>> Party from the BRs altogether.  That removes the carve-out allowing
>> the CA to shift blame.
> 
> Do I understand right if I say that the removal of the DTP concept from
> the BRs would not stop CAs getting third parties to perform parts of the
> validation process; it would simply mean that it was required that those
> third parties were included in the scope of the CA's audit? (And that if
> the CA saw practical problems with that, they would have to not delegate
> that function to that entity.)
> 
> So then domain validation could be delegated, but would have to be
> properly audited in the audit which the root stores get to see?

You understand correctly.  Today CAs use many third parties as part of operation — they rent space in data centers and office buildings they don’t own, they contract with companies to provide security guards, etc.

Thanks,
Peter


More information about the Public mailing list