[cabfpub] Ballot 218: Remove validation methods #1 and #5

Ryan Sleevi sleevi at google.com
Fri Jan 5 19:07:03 MST 2018


I agree with Rich here. I don't think the proposed #1 would offer anything
new here - #1.1 simply refers to .2/.3 as equivalent, and #1.2 is, as
Rich points out, "Any other method".

Notable on the issuance side is that the other forms of validation are
appropriate/usable - for example, technical methods of validation. .gr is
not the only registry to restrict information to its WHOIS (.gov is perhaps
a notable example), but the other methods of control already suffice for
such cases.

On Fri, Jan 5, 2018 at 11:31 AM, Rich Smith via Public <public at cabforum.org>
wrote:

> *From:* Public [mailto:public-bounces at cabforum.org] *On Behalf Of *Dimitris
> Zacharopoulos via Public
> *Sent:* Friday, January 5, 2018 5:44 AM
>
> <snip>
>
> --- BEGIN updated language for 3.2.2.4.1 ---
>
> Confirming the Applicant's control over the FQDN by validating the
> Applicant is the Domain Contact directly with the Domain Name Registrar.
> This method may only be used if:
>
>    1. The CA validates Domain Contact information obtained from the
>    Domain Registrar by using the process described in section 3.2.2.4.2 OR
>    3.2.2.4.3; OR
>    2. The CA is also the Domain Name Registrar, or an Affiliate of the
>    Registrar, of the Base Domain Name.
>
> Note: Once the FQDN has been validated using this method, the CA MAY also
> issue Certificates for other FQDNs that end with all the labels of the
> validated FQDN. This method is suitable for validating Wildcard Domain
> Names.
>
> --- END updated language for 3.2.2.4.1 ---
>
> </snip>
>
> I think your #1 is redundant as those methods already stipulate obtaining
> information from the registrar.  I’m not completely opposed to #2 because I
> do think that it makes some sense for a CA who is also the registrar to be
> able to have some internal process available to it which verifies domain
> authorization which is by definition not available to a CA which is not
> also the registrar, however I would really prefer that those CAs which are
> also registrars would come forward to discuss and outline more specifics as
> to what those processes might look like, so that we can codify them with
> more detail as to what is acceptable in such instance rather than continue
> to be ‘hand wavy’ about it.  We’ve now gotten very specific as to the
> acceptable methods for non-registrar CAs and gotten rid of ‘any other
> method’ but I see the lack of specificity in this particular case as an
> ‘any other method’ for registrar CAs and I’m not sure why we should
> continue to allow it without any specifics.
>
> Regards,
>
> Rich
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>