[cabfpub] Ballot 218: Remove validation methods #1 and #5
jimmy at it.auth.gr
Mon Jan 8 00:45:48 MST 2018
On 5/1/2018 6:31 μμ, Rich Smith wrote:
> *From:*Public [mailto:public-bounces at cabforum.org] *On Behalf Of
> *Dimitris Zacharopoulos via Public
> *Sent:* Friday, January 5, 2018 5:44 AM
> --- BEGIN updated language for 188.8.131.52.1 ---
> Confirming the Applicant's control over the FQDN by validating the
> Applicant is the Domain Contact directly with the Domain Name
> Registrar. This method may only be used if:
> 1. The CA validates Domain Contact information obtained from the
> Domain Registrar by using the process described in section
> 184.108.40.206.2 OR 220.127.116.11.3; OR
> 2. The CA is also the Domain Name Registrar, or an Affiliate of the
> Registrar, of the Base Domain Name.
> Note: Once the FQDN has been validated using this method, the CA MAY
> also issue Certificates for other FQDNs that end with all the labels
> of the validated FQDN. This method is suitable for validating Wildcard
> Domain Names.
> --- END updated language for 18.104.22.168.1 ---
> I think your #1 is redundant as those methods already stipulate
> obtaining information from the registrar.
Perhaps my reading is too strict but methods in 22.214.171.124.2 and 126.96.36.199.3
imply that you get information for Domain Contact without necessarily
*contacting* the Domain Registrar. My understanding is that you can use
Domain Registrant contact information by whatever public information is
available (via WHOIS).
Here is the Domain Contact definition in 1.6.1:
"*Domain Contact*: The Domain Name Registrant, technical contact, or
administrative contract (or the equivalent under a ccTLD) as listed in
the WHOIS record of the Base Domain Name or in a DNS SOA record"
The only method that currently mentions that the CA may contact the
Domain Name Registrar *directly*, is 188.8.131.52.1. I don't think getting
publicly available WHOIS information means "contacting" the Domain
Registrar. This is necessary for registries that don't provide public
WHOIS information about Domain Registrants.
> I’m not completely opposed to #2 because I do think that it makes some
> sense for a CA who is also the registrar to be able to have some
> internal process available to it which verifies domain authorization
> which is by definition not available to a CA which is not also the
> registrar, however I would really prefer that those CAs which are also
> registrars would come forward to discuss and outline more specifics as
> to what those processes might look like, so that we can codify them
> with more detail as to what is acceptable in such instance rather than
> continue to be ‘hand wavy’ about it. We’ve now gotten very specific
> as to the acceptable methods for non-registrar CAs and gotten rid of
> ‘any other method’ but I see the lack of specificity in this
> particular case as an ‘any other method’ for registrar CAs and I’m not
> sure why we should continue to allow it without any specifics.
I don't know which CAs originally proposed #2 in 184.108.40.206.1 and what was
their reasoning. I know that during Domain registration, the company
representative provides contact information (phone numbers, e-mail
addresses). The CA/Registrar can use this information to contact the
Certificate Applicant to get authorization for issuance. This
information may or may not be available in the public WHOIS (or strictly
cover the "Domain Contact" definition of 1.6.1) but could be in an
internal database of the Registrar. Domain Registrants may also get
authentication credentials to web portals for Domain management that
could also be combined and used for authorization of Certificate issuance.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public