[cabfpub] Ballot 218: Remove validation methods #1 and #5

Dimitris Zacharopoulos jimmy at it.auth.gr
Mon Jan 8 02:11:01 MST 2018 

On 8/1/2018 10:15 πμ, Ryan Sleevi wrote:
>
>
> On Mon, Jan 8, 2018 at 2:45 AM, Dimitris Zacharopoulos via Public 
> <public at cabforum.org <mailto:public at cabforum.org>> wrote:
>
>     On 5/1/2018 6:31 μμ, Rich Smith wrote:
>>
>>     *From:*Public [mailto:public-bounces at cabforum.org
>>     <mailto:public-bounces at cabforum.org>] *On Behalf Of *Dimitris
>>     Zacharopoulos via Public
>>     *Sent:* Friday, January 5, 2018 5:44 AM
>>
>>     <snip>
>>
>>     --- BEGIN updated language for 3.2.2.4.1 ---
>>
>>     Confirming the Applicant's control over the FQDN by validating
>>     the Applicant is the Domain Contact directly with the Domain Name
>>     Registrar. This method may only be used if:
>>
>>      1. The CA validates Domain Contact information obtained from the
>>         Domain Registrar by using the process described in section
>>         3.2.2.4.2 OR 3.2.2.4.3; OR
>>      2. The CA is also the Domain Name Registrar, or an Affiliate of
>>         the Registrar, of the Base Domain Name.
>>
>>     Note: Once the FQDN has been validated using this method, the CA
>>     MAY also issue Certificates for other FQDNs that end with all the
>>     labels of the validated FQDN. This method is suitable for
>>     validating Wildcard Domain Names.
>>
>>     --- END updated language for 3.2.2.4.1 ---
>>
>>     </snip>
>>
>>     I think your #1 is redundant as those methods already stipulate
>>     obtaining information from the registrar.
>>
>
>     Perhaps my reading is too strict but methods in 3.2.2.4.2 and
>     3.2.2.4.3 imply that you get information for Domain Contact
>     without necessarily *contacting* the Domain Registrar. My
>     understanding is that you can use Domain Registrant contact
>     information by whatever public information is available (via WHOIS).
>
>
> I'm not sure I understand the distinction being made here between 
> WHOIS and contacting the registrar. For example, the .com WHOIS 
> implementation involves contacting the registrar's WHOIS services 
> (while, conversely, .org's WHOIS involves effectively contacting the 
> registry's WHOIS). However, see the points below to see if they are 
> able to slice through that confusion.

Thanks Ryan, this is the distinction I had in mind. My understanding is 
that using the publicly available WHOIS is not "contacting" the 
Registrar. I believed that "contacting" is an out-of-band way.

>
>     Here is the Domain Contact definition in 1.6.1:
>     "*Domain Contact*: The Domain Name Registrant, technical contact,
>     or administrative contract (or the equivalent under a ccTLD) as
>     listed in the WHOIS record of the Base Domain Name or in a DNS SOA
>     record"
>
>     The only method that currently mentions that the CA may contact
>     the Domain Name Registrar *directly*, is 3.2.2.4.1. I don't think
>     getting publicly available WHOIS information means "contacting"
>     the Domain Registrar. This is necessary for registries that don't
>     provide public WHOIS information about Domain Registrants.
>
>
> So to make sure I understand your view: For situations such as ccTLDs 
> (which are not bound by ICANN's registry agreements as they predate 
> ICANN and are separately managed from ICANN), where WHOIS is not 
> available, your view is 3.2.2.4.1 is the only method that allows for 
> out-of-band contact with the registrar (which is contracted with the 
> registry) in order to determine the Registrant/technical 
> contact/administrative contact/equivalent.
>

Correct.

> An example of pre-existing TLD adhering to this is .gov (in the US) - 
> and I'm guessing you know of one or more ccTLDs that also fit into 
> this category?
>
> The advantage being is that this permits non-gTLDs (i.e. those within 
> the ICANN sphere of oversight) to use methods 'equivalent' to WHOIS. 
> The disadvantage is that, in the absence of the registry agreements, 
> the level of assurance or equivalence of those respective methods is 
> at the determination of the ccTLD/TLD operator and the CA, and not 
> uniform in assurance or reliability.

The level of assurance for Domain Contact phone numbers and e-mail 
addresses is pretty much the same in most gTLD, ccTLD cases, that's why 
I proposed that they are combined with methods 3.2.2.4.2 or 3.2.2.4.3. I 
am hoping to have the WHOIS "equivalent" methods for all Domains. We are 
talking about Domain Validation methods so I don't think we should use 
"Organization Information" of WHOIS or Domain Registrar records to 
validate Domain ownership.


Dimitris.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20180108/5dbc9f08/attachment-0001.html>

More information about the Public mailing list