[cabfpub] Ballot 218: Remove validation methods #1 and #5

Ryan Sleevi sleevi at google.com
Mon Jan 8 01:15:25 MST 2018


On Mon, Jan 8, 2018 at 2:45 AM, Dimitris Zacharopoulos via Public <
public at cabforum.org> wrote:

> On 5/1/2018 6:31 PM, Rich Smith wrote:
>
> *From:* Public [mailto:public-bounces at cabforum.org
> <public-bounces at cabforum.org>] *On Behalf Of* Dimitris Zacharopoulos via
> Public
> *Sent:* Friday, January 5, 2018 5:44 AM
>
> <snip>
>
> --- BEGIN updated language for 3.2.2.4.1 ---
>
> Confirming the Applicant's control over the FQDN by validating the
> Applicant is the Domain Contact directly with the Domain Name Registrar.
> This method may only be used if:
>
>    1. The CA validates Domain Contact information obtained from the
>    Domain Registrar by using the process described in section 3.2.2.4.2 OR
>    3.2.2.4.3; OR
>    2. The CA is also the Domain Name Registrar, or an Affiliate of the
>    Registrar, of the Base Domain Name.
>
> Note: Once the FQDN has been validated using this method, the CA MAY also
> issue Certificates for other FQDNs that end with all the labels of the
> validated FQDN. This method is suitable for validating Wildcard Domain
> Names.
>
> --- END updated language for 3.2.2.4.1 ---
>
> </snip>
>
>
>
> I think your #1 is redundant as those methods already stipulate obtaining
> information from the registrar.
>
>
> Perhaps my reading is too strict, but the methods in 3.2.2.4.2 and 3.2.2.4.3
> imply that you get information for the Domain Contact without necessarily
> *contacting* the Domain Registrar. My understanding is that you can use
> Domain Registrant contact information from whatever public information is
> available (via WHOIS).
>

I'm not sure I understand the distinction being made here between WHOIS and
contacting the registrar. For example, the .com WHOIS implementation
involves contacting the registrar's WHOIS services (while, conversely,
.org's WHOIS involves effectively contacting the registry's WHOIS).
However, see the points below to see if they are able to slice through that
confusion.


>
> Here is the Domain Contact definition in 1.6.1:
> "*Domain Contact*: The Domain Name Registrant, technical contact, or
> administrative contact (or the equivalent under a ccTLD) as listed in the
> WHOIS record of the Base Domain Name or in a DNS SOA record"
>
> The only method that currently mentions that the CA may contact the Domain
> Name Registrar *directly*, is 3.2.2.4.1. I don't think getting publicly
> available WHOIS information means "contacting" the Domain Registrar. This
> is necessary for registries that don't provide public WHOIS information
> about Domain Registrants.
>

So to make sure I understand your view: for situations such as ccTLDs
(which are not bound by ICANN's registry agreements, as they predate ICANN
and are separately managed from ICANN), where WHOIS is not available, your
view is that 3.2.2.4.1 is the only method that allows for out-of-band contact
with the registrar (which is contracted with the registry) in order to
determine the Registrant/technical contact/administrative
contact/equivalent.

An example of a pre-existing TLD adhering to this is .gov (in the US) - and
I'm guessing you know of one or more ccTLDs that also fit into this
category?

The advantage is that this permits non-gTLDs (i.e. those within the
ICANN sphere of oversight) to use methods 'equivalent' to WHOIS. The
disadvantage is that, in the absence of the registry agreements, the level
of assurance or equivalence of those respective methods is at the
determination of the ccTLD/TLD operator and the CA, and not uniform in
assurance or reliability.
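The registry-versus-registrar distinction discussed above (a thin .com registry that only refers you to the registrar's WHOIS server, a thick .org registry that returns contacts itself, and a ccTLD that publishes no registrant data at all) is easiest to see in a small WHOIS lookup. The following Python is an added example written for this page, not code from the CA/Browser Forum or any CA. It performs no network queries: the WHOIS responses are constructed to mimic the shape of real thin and thick registry output, the .com and .org registry hostnames are the real ones but are never contacted, and the .test registrar server and the .zz ccTLD are invented placeholders. The contact fields it extracts (Registrant, Admin, Tech) are the ones named in the Domain Contact definition in BR 1.6.1.

```python
"""
Added example (not part of the original thread): resolve the Domain Contact
for a Base Domain Name from WHOIS, following a thin registry's referral to
the registrar's WHOIS server, and report when no public contact exists.

All responses below are constructed for this example; they are not real
records. No network access is performed.
"""
import re

# Constructed sample responses keyed by (whois_server, domain).
SAMPLE_WHOIS = {
    # Thin registry: the .com registry only names the registrar's WHOIS server.
    ("whois.verisign-grs.com", "example.com"): """\
   Domain Name: EXAMPLE.COM
   Registrar: Example Registrar, Inc.
   Registrar WHOIS Server: whois.example-registrar.test
   Registrar URL: http://www.example-registrar.test
""",
    # The registrar's WHOIS (invented hostname) holds the contact data.
    ("whois.example-registrar.test", "example.com"): """\
Domain Name: EXAMPLE.COM
Registrant Name: Alice Admin
Registrant Email: alice@example.com
Admin Email: hostmaster@example.com
Tech Email: noc@example.com
""",
    # Thick registry: the .org registry returns the contacts directly.
    ("whois.pir.org", "example.org"): """\
Domain Name: EXAMPLE.ORG
Registrar: Example Registrar, Inc.
Registrant Email: carol@example.org
Admin Email: admin@example.org
Tech Email: tech@example.org
""",
    # Invented ccTLD that publishes no registrant data: nothing usable here.
    ("whois.example-cctld.test", "example.zz"): """\
domain: example.zz
status: active
registrar: Example Registrar, Inc.
""",
}

# Registry WHOIS server per TLD. Assumption for this example; a real client
# would start from whois.iana.org or a maintained table.
REGISTRY_WHOIS = {
    "com": "whois.verisign-grs.com",
    "org": "whois.pir.org",
    "zz": "whois.example-cctld.test",
}

# Contact roles from the BR 1.6.1 Domain Contact definition.
CONTACT_ROLES = ("Registrant", "Admin", "Tech")


def whois_query(server, domain):
    """Stand-in for a port-43 WHOIS query; returns the constructed response."""
    return SAMPLE_WHOIS.get((server, domain), "")


def parse_contacts(text):
    """Extract Registrant/Admin/Tech email addresses from a WHOIS response."""
    contacts = {}
    for role in CONTACT_ROLES:
        m = re.search(rf"^\s*{role} Email:\s*(\S+)", text, re.M | re.I)
        if m:
            contacts[role] = m.group(1)
    return contacts


def domain_contacts(base_domain, max_referrals=2):
    """Look up Domain Contacts for base_domain, following 'Registrar WHOIS
    Server' referrals from a thin registry. Returns (contacts, servers)."""
    server = REGISTRY_WHOIS[base_domain.rsplit(".", 1)[-1]]
    consulted = []
    for _ in range(max_referrals + 1):
        consulted.append(server)
        text = whois_query(server, base_domain)
        contacts = parse_contacts(text)
        if contacts:
            return contacts, consulted
        ref = re.search(r"^\s*Registrar WHOIS Server:\s*(\S+)", text, re.M | re.I)
        # Stop on no referral, or on a referral loop back to a server we used.
        if not ref or ref.group(1) in consulted:
            break
        server = ref.group(1)
    return {}, consulted


if __name__ == "__main__":
    for d in ("example.com", "example.org", "example.zz"):
        contacts, servers = domain_contacts(d)
        verdict = contacts or "no public Domain Contact (direct registrar contact needed)"
        print(f"{d}: {verdict} via {servers}")
```

For example.com the registry answer carries no contact fields and the lookup only succeeds after following the referral to the registrar's server; for example.org one registry query is enough; for the ccTLD placeholder the function returns an empty contact set, which is the case where a method based on published WHOIS data cannot be used and out-of-band contact with the registrar is the remaining option. The referral-loop guard and the referral cap matter in practice: a WHOIS server's referral field is attacker-influenced text, so a client should never follow it unboundedly.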