[cabfpub] Ballot 218: Remove validation methods #1 and #5

Dimitris Zacharopoulos jimmy at it.auth.gr
Mon Jan 8 07:45:48 UTC 2018 

On 5/1/2018 6:31 μμ, Rich Smith wrote:
>
> *From:*Public [mailto:public-bounces at cabforum.org] *On Behalf Of 
> *Dimitris Zacharopoulos via Public
> *Sent:* Friday, January 5, 2018 5:44 AM
>
> <snip>
>
> --- BEGIN updated language for 3.2.2.4.1 ---
>
> Confirming the Applicant's control over the FQDN by validating the 
> Applicant is the Domain Contact directly with the Domain Name 
> Registrar. This method may only be used if:
>
>  1. The CA validates Domain Contact information obtained from the
>     Domain Registrar by using the process described in section
>     3.2.2.4.2 OR 3.2.2.4.3; OR
>  2. The CA is also the Domain Name Registrar, or an Affiliate of the
>     Registrar, of the Base Domain Name.
>
> Note: Once the FQDN has been validated using this method, the CA MAY 
> also issue Certificates for other FQDNs that end with all the labels 
> of the validated FQDN. This method is suitable for validating Wildcard 
> Domain Names.
>
> --- END updated language for 3.2.2.4.1 ---
>
> </snip>
>
> I think your #1 is redundant as those methods already stipulate 
> obtaining information from the registrar.
>

Perhaps my reading is too strict but methods in 3.2.2.4.2 and 3.2.2.4.3 
imply that you get information for Domain Contact without necessarily 
*contacting* the Domain Registrar. My understanding is that you can use 
Domain Registrant contact information by whatever public information is 
available (via WHOIS).

Here is the Domain Contact definition in 1.6.1:
"*Domain Contact*: The Domain Name Registrant, technical contact, or 
administrative contract (or the equivalent under a ccTLD) as listed in 
the WHOIS record of the Base Domain Name or in a DNS SOA record"

The only method that currently mentions that the CA may contact the 
Domain Name Registrar *directly*, is 3.2.2.4.1. I don't think getting 
publicly available WHOIS information means "contacting" the Domain 
Registrar. This is necessary for registries that don't provide public 
WHOIS information about Domain Registrants.

> I’m not completely opposed to #2 because I do think that it makes some 
> sense for a CA who is also the registrar to be able to have some 
> internal process available to it which verifies domain authorization 
> which is by definition not available to a CA which is not also the 
> registrar, however I would really prefer that those CAs which are also 
> registrars would come forward to discuss and outline more specifics as 
> to what those processes might look like, so that we can codify them 
> with more detail as to what is acceptable in such instance rather than 
> continue to be ‘hand wavy’ about it.  We’ve now gotten very specific 
> as to the acceptable methods for non-registrar CAs and gotten rid of 
> ‘any other method’ but I see the lack of specificity in this 
> particular case as an ‘any other method’ for registrar CAs and I’m not 
> sure why we should continue to allow it without any specifics.
>

I don't know which CAs originally proposed #2 in 3.2.2.4.1 and what was 
their reasoning. I know that during Domain registration, the company 
representative provides contact information (phone numbers, e-mail 
addresses). The CA/Registrar can use this information to contact the 
Certificate Applicant to get authorization for issuance. This 
information may or may not be available in the public WHOIS (or strictly 
cover the "Domain Contact" definition of 1.6.1) but could be in an 
internal database of the Registrar. Domain Registrants may also get 
authentication credentials to web portals for Domain management that 
could also be combined and used for authorization of Certificate issuance.

Dimitris.

> Regards,
>
> Rich
>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180108/1971552f/attachment-0003.html>

More information about the Public mailing list