[Servercert-wg] Transitive Trust and DCV (was Re: Ballot SC-080 V1)

Andrew Ayer agwa at andrewayer.name
Tue Sep 24 12:17:41 UTC 2024


On Tue, 24 Sep 2024 07:48:00 +0000
Martijn Katerbarg via Servercert-wg <servercert-wg at cabforum.org> wrote:

> >I also wanted to ask in general, why does WHOIS based validation not
> >fall under the same rules as a delegated third party for domain
> >validation? 
> 
> In my personal opinion (but perhaps others have a different opinion
> on this), because there needs to be a source of truth, for the same
> reason we do allow DNS, and by that, any validation. 
> 
> With any DCV method, a third party is always used. And by that I do
> not mean using 8.8.8.8 or 1.1.1.1 for DNS queries, that obviously is
> a not-allowed practice. However, I’d claim that the
> *.root-servers.net are still a third party. We just see it as the
> single source of truth for DNS and walk the tree from there. (And
> that list of authorized servers is also maintained by IANA:
> https://www.iana.org/domains/root/servers).

Yes, exactly this.

The problem with delegated third parties (like 8.8.8.8) is that the CA
is relying on another party to check the source of truth.  It's OK for
the CA to check the source of truth itself, even if the source of truth
is a third party. Indeed, it's unavoidable with DCV because of how the
domain system works.

Regards,
Andrew
