[cabfpub] Domain validation

Dimitris Zacharopoulos jimmy at it.auth.gr
Tue May 16 16:33:25 UTC 2017 


On 16/5/2017 7:12 μμ, Jeremy Rowley wrote:
>
> "The CA MUST record the subsection and version of the Baseline 
> Requirements used to validate an Applicant’s control over each FQDN 
> included in an issued certificate"
> When is this expected to become effective?
> - Immediately after the IPR period expires
>

Ok, I hope everyone understands what this means in terms of code changes.

> In methods 3.2.2.4.1, 3.2.2.4.2, 3.2.2.4.3,  b (2), you say that the 
> CA must verify that the WHOIS information for the Base Domain has not 
> changed since the CA performed the verification process. Is this the 
> WHOIS information record itself or should CAs be looking for the 
> Domain Contact to appear in the WHOIS record? I'm asking because some 
> WHOIS databases do not release Domain Contact information and CAs 
> require an official document from the Domain Registrar that contains 
> information about the domain owner and contacts for the initial domain 
> validation.
> - Right now the time period in that section specifies the Domain 
>  language 825 days so it’s identical to the verification period. I put 
> this in explicitly in case we wanted to reduce the period to of WHOIS 
> re-confirmation to a lesser period (such as 90 days?). It should have 
> said WHOIS or Domain Registrar though instead of just WHOIS. I also 
> don’t mind dropping bullet point 2 if everyone is opposed to a 
> WHOIS/Domain Registrar refresh.
>

No, I think checking for WHOIS change is fine if we agree on checking 
just the WHOIS record. For the example below, the WHOIS record itself 
does not reveal who the Domain Registrant is. It just states the Domain 
Handle, Domain Identifier, dates and Registrar info. If all this 
information remains the same, it is reasonable to assume that the 
Registrant also remains the same. I don't know if my description is 
fully captured in the currently proposed language.

> For example, this is the WHOIS record for example.gr:
>
> Domain Name:example.gr
> Domain Handle:dr-1234-gr
> Protocol Number:1234
> Creation Date:24-07-1997
> Expiration Date:31-12-2017
> Updated Date:05-11-2015
> Registrar:FOO
> Registrar Referral URL:http://www.FOO.gr
> Registrar Email:registrar at FOO.gr <mailto:Email:registrar at FOO.gr>
> Registrar Telephone:+30.123456
> Whois Server:
> Bundle Name:example.gr
> Name Server:XXXX.example.gr
> Name Server:XXXXXX.example.gr
>
>
> According to your proposal, CAs only need to check if the record above 
> has not changed?
> - Yes. That is the point of bullet point 2. To try and address issues 
> where domain ownership may have changed.
>

In this example, if the domain ownership changed, the dates would change 
and probably the Domain Handle and "Protocol Number". That should be 
enough to trigger a re-validation of the domain. The "Expiration Date" 
should also be a blocker if the issuance date is greater than the 
expiration date of the domain.


Thanks again,
Dimitris.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170516/90f5fcc7/attachment-0003.html>

More information about the Public mailing list