[cabf_validation] Validation by telephone

Doug Beattie doug.beattie at globalsign.com
Wed Jan 20 13:56:39 MST 2016


I think SMS and Fax should use the random value – they are more like Email than a phone call (even though they are all telecommunications).

 

I think we also need the second part.  If we just say “Confirming the Applicant’s control over a requested FQDN through…”, we aren’t saying how this is confirmed – is it just making a call to the number and making sure it’s in service?  No, you need to be sure that when you dial the number you reach the applicant (someone claiming to be the applicant), then ask them “the” question: did you submit the request to have example.com validated?  I think that’s important to keep in the definition.

 

 

From: Peter Bowen [mailto:pzb at amzn.com] 
Sent: Tuesday, January 19, 2016 12:21 PM
To: Jeremy Rowley <jeremy.rowley at digicert.com>
Cc: Doug Beattie <doug.beattie at globalsign.com>; Rick Andrews <Rick_Andrews at symantec.com>; validation at cabforum.org
Subject: Re: [cabf_validation] Validation by telephone

 

Are you saying that SMS, fax, etc should be exempt from the random requirement?  

 

On Jan 19, 2016, at 9:14 AM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:

 

I think we should plan ahead for SMS, fax communication, etc.  I think the second part is redundant with the first.  We already say they are confirming control over the requested FQDN.  How about:

 

Confirming the Applicant’s control over a requested FQDN through a telecom-based communication with the Domain Name Registrant where the telecom number was obtained from (a) the Domain Name Registrar or (b) the WHOIS record’s “registration”, “technical”, or “administrative” field; or

 

 

From: Peter Bowen [mailto:pzb at amzn.com]
Sent: Tuesday, January 19, 2016 10:07 AM
To: Doug Beattie
Cc: Rick Andrews; Jeremy Rowley; validation at cabforum.org
Subject: Re: [cabf_validation] Validation by telephone

 

I like the second.  It does reorganize the validation methods but I think it makes sense — whether you get it from the registrar (via some method) or via WHOIS (explicit method), it should be the same steps after.

 

On Jan 19, 2016, at 7:47 AM, Doug Beattie <doug.beattie at globalsign.com> wrote:

 

I don’t like references to certificate requests because this section isn’t limited to that.

 

How about this?

 

Confirming the Applicant’s control over the requested FQDN by placing a phone call to the Domain Name Registrant using a telephone number obtained from the WHOIS record’s “registrant”, “technical”, or “administrative” field and confirming the Applicant's request for validation of the FQDN; or

 

Or 

 

Confirming the Applicant’s control over the requested FQDN by calling the Domain Name Registrant's phone number where the phone number was obtained from (a) the Domain Name Registrar or (b) the WHOIS record’s “registration”, “technical”, or “administrative” field, and confirming the Applicant's request for validation of the FQDN; or

 

From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of Rick Andrews
Sent: Monday, January 18, 2016 6:55 PM
To: Jeremy Rowley <jeremy.rowley at digicert.com>; validation at cabforum.org
Subject: Re: [cabf_validation] Validation by telephone

 

Thanks, Jeremy. I like #1 better too.

 

From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Thursday, January 14, 2016 5:12 PM
To: validation at cabforum.org
Subject: [cabf_validation] Validation by telephone

 

Here are the two telephone validation processes split out from the email:

 

2. Confirming the Applicant’s domain ownership or control by receiving confirmation of the certificate’s request from the Domain Name Registrant where (i) the certificate request is confirmed by communicating with the Domain Name Registrant using a postal address or by email, (ii) the address or email used for communicating with the Domain Name Registrant is either (a) provided by the Domain Name Registrar or (b) listed in the WHOIS record’s “registration”, “technical”, or “administrative” field, (iii) the confirmation of the certificate’s request contains a Random Value unique to the Applicant, and (iv) the Applicant responds to the communication with a response confirming the Applicant’s receipt of the Random Value; or

 

3. Confirming the Applicant’s domain ownership or control by receiving confirmation of the certificate request from the Domain Name Registrant where the certificate request is confirmed by communicating with the Domain Name Registrant using a telephone number provided by either (i) the Domain Name Registrar or (ii) listed in the WHOIS record’s “registrant”, “technical”, or “administrative” field; or

 

Alternative:

 

2. Confirming the Applicant’s domain ownership or control by communicating with the Domain Name Registrant using a postal address or by email where (i) the address or email of the Domain Name Registrant is either (a) provided by the Domain Name Registrar or (b) is listed in the WHOIS record’s “registration”, “technical”, or “administrative” field, (ii) the confirmation of the certificate’s request contains a Random Value unique to the Applicant, and (iii) the Applicant responds to the communication with a response confirming the Applicant’s receipt of the Random Value; or

 

3. Confirming the Applicant’s domain ownership or control by communicating with the Domain Name Registrant using a telephone number that is either (i) provided by the Domain Name Registrar or (ii) listed in the WHOIS record’s “registrant”, “technical”, or “administrative” field; or

 

I liked #1 because it required that there be a confirmation of the certificate request from the Domain Name Registrant. It’s not just simply calling a number (or sending an email) that contains no information about the purpose of the email/call.
