[Servercert-wg] Ballot SC 13 version 3

Ryan Sleevi sleevi at google.com
Tue Nov 27 15:08:30 MST 2018

On Tue, Nov 27, 2018 at 4:40 PM Tim Hollebeek <tim.hollebeek at digicert.com> wrote:

> Yeah, I’m not trying to be difficult, I’m just not seeing the ambiguity
> you do, and I appreciate the discussion.  I don’t think there’s actually
> much if any disagreement about what we want to say and how it should be
> interpreted, just disagreement about what readings are or are not
> sensible.  Which is of course the entire point of the discussion period.
> In fact I personally think “the ADN” is much more likely to be
> misinterpreted than “a ADN”, as it mistakenly implies that there is only
> one ADN that can be used.  So I think that makes things worse, not better.
> Maybe “one of the Authentication Domain Names” ?  I think that makes it
> unambiguously clear that you’re supposed to select a single item from the
> set of potential candidates.

So, I think I'm seeing where we're not on the same page, but I'm not sure
how to resolve it.

I would expect, for any given validation method, that when you execute the
'algorithm', there can be and is one and exactly one ADN. That ADN is
selected, by the CA, prior to performing that validation method. They
select that ADN to use by considering each of the possible ADNs (by
potentially removing labels from the FQDN) prior to selecting the
validation method, then perform the steps detailed in that validation

More explicitly, I do not believe there is ever a plurality of ADNs. There
is only ever one single ADN. There _is_ a plurality of possible ADNs, which
can be constructed, but prior to performing a validation method, the CA
determines the ADN and the FQDN.

If that's the case, then for any validation method, one selects the ADN
beforehand, and there is only "the" ADN, which is the ADN selected.

Does that not match your read?