[cabfpub] Ballot 218: Remove validation methods #1 and #5
jimmy at it.auth.gr
Mon Jan 8 02:11:01 MST 2018
On 8/1/2018 10:15 πμ, Ryan Sleevi wrote:
> On Mon, Jan 8, 2018 at 2:45 AM, Dimitris Zacharopoulos via Public
> <public at cabforum.org <mailto:public at cabforum.org>> wrote:
> On 5/1/2018 6:31 μμ, Rich Smith wrote:
>> *From:*Public [mailto:public-bounces at cabforum.org
>> <mailto:public-bounces at cabforum.org>] *On Behalf Of *Dimitris
>> Zacharopoulos via Public
>> *Sent:* Friday, January 5, 2018 5:44 AM
>> --- BEGIN updated language for 188.8.131.52.1 ---
>> Confirming the Applicant's control over the FQDN by validating
>> the Applicant is the Domain Contact directly with the Domain Name
>> Registrar. This method may only be used if:
>> 1. The CA validates Domain Contact information obtained from the
>> Domain Registrar by using the process described in section
>> 184.108.40.206.2 OR 220.127.116.11.3; OR
>> 2. The CA is also the Domain Name Registrar, or an Affiliate of
>> the Registrar, of the Base Domain Name.
>> Note: Once the FQDN has been validated using this method, the CA
>> MAY also issue Certificates for other FQDNs that end with all the
>> labels of the validated FQDN. This method is suitable for
>> validating Wildcard Domain Names.
>> --- END updated language for 18.104.22.168.1 ---
>> I think your #1 is redundant as those methods already stipulate
>> obtaining information from the registrar.
> Perhaps my reading is too strict but methods in 22.214.171.124.2 and
> 126.96.36.199.3 imply that you get information for Domain Contact
> without necessarily *contacting* the Domain Registrar. My
> understanding is that you can use Domain Registrant contact
> information by whatever public information is available (via WHOIS).
> I'm not sure I understand the distinction being made here between
> WHOIS and contacting the registrar. For example, the .com WHOIS
> implementation involves contacting the registrar's WHOIS services
> (while, conversely, .org's WHOIS involves effectively contacting the
> registry's WHOIS). However, see the points below to see if they are
> able to slice through that confusion.
Thanks Ryan, this is the distinction I had in mind. My understanding is
that using the publicly available WHOIS is not "contacting" the
Registrar. I believed that "contacting" is an out-of-band way.
> Here is the Domain Contact definition in 1.6.1:
> "*Domain Contact*: The Domain Name Registrant, technical contact,
> or administrative contract (or the equivalent under a ccTLD) as
> listed in the WHOIS record of the Base Domain Name or in a DNS SOA
> The only method that currently mentions that the CA may contact
> the Domain Name Registrar *directly*, is 188.8.131.52.1. I don't think
> getting publicly available WHOIS information means "contacting"
> the Domain Registrar. This is necessary for registries that don't
> provide public WHOIS information about Domain Registrants.
> So to make sure I understand your view: For situations such as ccTLDs
> (which are not bound by ICANN's registry agreements as they predate
> ICANN and are separately managed from ICANN), where WHOIS is not
> available, your view is 184.108.40.206.1 is the only method that allows for
> out-of-band contact with the registrar (which is contracted with the
> registry) in order to determine the Registrant/technical
> contact/administrative contact/equivalent.
> An example of pre-existing TLD adhering to this is .gov (in the US) -
> and I'm guessing you know of one or more ccTLDs that also fit into
> this category?
> The advantage being is that this permits non-gTLDs (i.e. those within
> the ICANN sphere of oversight) to use methods 'equivalent' to WHOIS.
> The disadvantage is that, in the absence of the registry agreements,
> the level of assurance or equivalence of those respective methods is
> at the determination of the ccTLD/TLD operator and the CA, and not
> uniform in assurance or reliability.
The level of assurance for Domain Contact phone numbers and e-mail
addresses is pretty much the same in most gTLD, ccTLD cases, that's why
I proposed that they are combined with methods 220.127.116.11.2 or 18.104.22.168.3. I
am hoping to have the WHOIS "equivalent" methods for all Domains. We are
talking about Domain Validation methods so I don't think we should use
"Organization Information" of WHOIS or Domain Registrar records to
validate Domain ownership.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public