[cabfpub] Ballot 218: Remove validation methods #1 and #5

Ryan Sleevi sleevi at google.com
Mon Jan 8 09:24:31 UTC 2018

On Mon, Jan 8, 2018 at 4:11 AM, Dimitris Zacharopoulos <jimmy at it.auth.gr>
> An example of pre-existing TLD adhering to this is .gov (in the US) - and
> I'm guessing you know of one or more ccTLDs that also fit into this
> category?
> The advantage being is that this permits non-gTLDs (i.e. those within the
> ICANN sphere of oversight) to use methods 'equivalent' to WHOIS. The
> disadvantage is that, in the absence of the registry agreements, the level
> of assurance or equivalence of those respective methods is at the
> determination of the ccTLD/TLD operator and the CA, and not uniform in
> assurance or reliability.
> The level of assurance for Domain Contact phone numbers and e-mail
> addresses is pretty much the same in most gTLD, ccTLD cases, that's why I
> proposed that they are combined with methods or

I don't believe we can simply state this. That is, we can objectively
evaluate, say, the ICANN Registry agreement, and the means in which the
information is provided and maintained, and make a determination on that.
Outside of those cases - legacy TLDs and ccTLDs - it's less clear that we
can objectively reach the same conclusions.

> I am hoping to have the WHOIS "equivalent" methods for all Domains. We are
> talking about Domain Validation methods so I don't think we should use
> "Organization Information" of WHOIS or Domain Registrar records to validate
> Domain ownership.

I wonder, then, if it would resolve your concerns about the removal of to update the Domain Contact method - the issues I highlighted on
variability notwithstanding. That is, it sounds like we're in agreement
that, as worded, is entirely ambiguous as to the level of
assurance provided. The methods of contacting in are
acceptable, the only question is how we determine the information. We allow
WHOIS, for example, but as worded, it would preclude RDAP or other forms,
and would preclude the cases (such as .gov) in which direct registry
contact is required.

Domain Contact: The Domain Name Registrant, technical contact, or
administrative contract (or the equivalent under a ccTLD) as provided by
the Domain Registrar or, for TLDs in which the Registry provides
information, the Registry. Acceptable methods of determination include the
WHOIS record of the Base Domain Name, within a DNS SOA record [Note: This
includes the hierarchal tree walking, by virtue of's recursion], or
through direct contact with the applicable Domain Name Registrar or Domain
Name Registry.

This can then be separately expanded to RDAP, or be moved more formally in
to a section within 3.2 as to acceptable methods for the determination of
the Domain Contact (e.g. moving the normative requirements for validation
outside of the definition).

That seems like it would resolve the issues, right?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180108/24e4518e/attachment-0003.html>

More information about the Public mailing list