[cabfpub] Applicant vs Applicant representative
Tim Hollebeek
tim.hollebeek at digicert.com
Mon Jan 15 20:00:58 UTC 2018
Forking off to a new thread because it doesn't really need to block Ballot 218, and as Ryan noted, the issue might exist elsewhere.
> > In 3.2.2.4.12, shouldn’t it be Applicant Representative instead of Applicant? Applicant is an organization, Applicant Representative is a person.
>
> I think it's correct as Applicant, since the use case we're discussing is the sort of logical account (e.g. the Applicant is the entity who requests the certificate, and is also the Domain Registrant).
>
> I think supporting this would be looking at how 3.2.2.4.3 handles "Applicant's request" rather than "Applicant Representative's request" - which I think is the same manifestation of the point you're raising here.
> That said, I can also see an argument that both 3.2.2.4.3 and this should be using "Applicant Representative", because you wouldn't want "just anyone" from Google to be able to get a certificate. Put differently, if you were to call Google and ask "Can Google request a certificate for http://google.com", the answer is always yes. If your question is "Can Ryan Sleevi request a certificate for http://google.com", the answer is ... Maybe ;)
>
> However, even with that, I think "Applicant" is still the better/correct answer, and think any risk is mitigated by the "Domain Contact" language requiring that it not just be "an Employee of Google" but the "Domain Name Registrant, technical contact, or administrative contact", where Registrant is similarly scoped as "the person(s) or entity(ies) registered with a Domain Name Registrar as having the right to control how a Domain Name is used"
>
> Would you agree?

I don't think 12 and 3 are completely parallel cases.

In 3, you are calling the Domain Contact on the phone. This is fine because they are the Domain Contact. That person may be neither the Applicant nor the Applicant representative, but they are presumably authoritative about issues of domain control, by virtue of being a Domain Contact. I think this is your point.

In 12, you're trying to verify that the Applicant is the Domain Contact. This makes sense in cases where the Applicant is the Domain Name Registrant. I'm struggling to understand what it means to compare the Applicant to the "technical contact" or "administrative contact" listed in WHOIS. How do I compare the fictional entity dns-admin at google.com with Google? Do we really mean "Applicant is the Domain Name Registrant", since unless you're a person, your administrative contact and technical contact will not be the Applicant?

But I think we intended to allow the technical contact and administrative contact to be authoritative. So maybe "Applicant is the Domain Name Registrant or the Applicant Representative is the technical contact or administrative contact, as listed in WHOIS"?

Maybe there's no problem here, but there do seem to be cases where #12 is attempting to compare apples and oranges.

-Tim