[Servercert-wg] Ballot SC 13 version 3

Tim Hollebeek tim.hollebeek at digicert.com
Wed Nov 28 11:41:55 MST 2018

That matches my reading.  The question is how to say it.  That’s why I suggested “one of”, which I think captures the fact that the individual validation uses exactly one ADN from the potential ADNs.


I’m open to other suggested text that says the same thing if you don’t think that’s clear.


To be explicit, my problem with “the” is that it would need a qualifier to unambiguously identify that only one of a number of potential ADNs is being referred to.  E.g. “the chosen ADN” or “the ADN selected to validate the FQDN”.  Otherwise it is prone to misinterpretation.




From: Ryan Sleevi <sleevi at google.com> 
Sent: Tuesday, November 27, 2018 5:09 PM
To: Tim Hollebeek <tim.hollebeek at digicert.com>
Cc: servercert-wg at cabforum.org; Doug Beattie <doug.beattie at globalsign.com>
Subject: Re: [Servercert-wg] Ballot SC 13 version 3



On Tue, Nov 27, 2018 at 4:40 PM Tim Hollebeek <tim.hollebeek at digicert.com> wrote:

Yeah, I’m not trying to be difficult, I’m just not seeing the ambiguity you do, and I appreciate the discussion.  I don’t think there’s actually much if any disagreement about what we want to say and how it should be interpreted, just disagreement about what readings are or are not sensible.  Which is of course the entire point of the discussion period.


In fact I personally think “the ADN” is much more likely to be misinterpreted than “a ADN”, as it mistakenly implies that there is only one ADN that can be used.  So I think that makes things worse, not better.


Maybe “one of the Authentication Domain Names” ?  I think that makes it unambiguously clear that you’re supposed to select a single item from the set of potential candidates.


So, I think I'm seeing where we're not on the same page, but I'm not sure how to resolve it.


I would expect, for any given validation method, that when you execute the 'algorithm', there can be and is one and exactly one ADN. That ADN is selected, by the CA, prior to performing that validation method. They select that ADN to use by considering each of the possible ADNs (by potentially removing labels from the FQDN) prior to selecting the validation method, then perform the steps detailed in that validation method.


More explicitly, I do not believe there is ever a plurality of ADNs. There is only ever one single ADN. There _is_ a plurality of possible ADNs, which can be constructed, but prior to performing a validation method, the CA determines the ADN and the FQDN.


If that's the case, then for any validation method, one selects the ADN beforehand, and there is only "the" ADN, which is the ADN selected.


Does that not match your read? 


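The selection procedure Ryan describes above (enumerate the possible ADNs by pruning labels from the FQDN, then fix exactly one of them before running a validation method) is easy to misread in prose, so here is an added worked example. It is not code from the thread or from any CA; the function names, the notion of a Base Domain Name, and the two-entry public-suffix table are assumptions made for illustration (a real implementation would consult the full Public Suffix List).

```python
from typing import List, Optional

# Constructed stand-in for the Public Suffix List; real code would load the
# actual list. "co.uk" is included so the multi-label case is exercised.
PUBLIC_SUFFIXES = {"com", "co.uk"}


def base_domain(fqdn: str) -> str:
    """Registrable domain: one label beyond the longest matching public suffix.

    Raises if fqdn is itself a public suffix or matches none (assumption:
    such names never yield an ADN).
    """
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{fqdn!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix in {fqdn!r}")


def candidate_adns(fqdn: str) -> List[str]:
    """The plurality of *possible* ADNs for fqdn.

    Wildcard labels are stripped from the left first; then zero or more
    labels are pruned from the left until the base domain is reached.  The
    FQDN itself (minus wildcards) is always candidate zero.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    while labels and labels[0] == "*":
        labels.pop(0)
    base_len = len(base_domain(".".join(labels)).split("."))
    return [".".join(labels[i:]) for i in range(len(labels) - base_len + 1)]


def select_adn(fqdn: str, preferred: Optional[str] = None) -> str:
    """Fix the single ADN that a validation method will run against.

    This is the step the thread calls selecting "the" ADN: it happens before
    the method executes, and the method then sees exactly one ADN.  A
    preferred name that is not in the candidate set is rejected rather than
    silently widened.
    """
    cands = candidate_adns(fqdn)
    if preferred is None:
        return cands[0]
    if preferred.lower() not in cands:
        raise ValueError(f"{preferred!r} is not a permitted ADN for {fqdn!r}")
    return preferred.lower()


if __name__ == "__main__":
    for name in ("www.example.com", "*.dev.example.co.uk"):
        print(name, "->", candidate_adns(name))
    print("chosen:", select_adn("www.example.com", "example.com"))
```

The split between `candidate_adns` (the set that may be considered) and `select_adn` (the one value the validation method receives) is the point of the example: the validation method never iterates over the set, so in its text only the already-selected ADN exists.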