[cabf_validation] Updates to Method 3

Doug Beattie doug.beattie at globalsign.com
Fri Apr 20 11:59:02 MST 2018


I'm working on updating Method 3, per the Validation Summit meeting.

It currently says:

Confirming the Applicant's control over the FQDN by calling the Domain Name Registrant's phone number and obtaining a response confirming the Applicant's request for validation of the FQDN. The CA MUST place the call to a phone number identified by the Domain Name Registrar as the Domain Contact.

Each phone call SHALL be made to a single number and MAY confirm control of multiple FQDNs, provided that the phone number is identified by the Domain Registrar as a valid contact method for every Base Domain Name being verified using the phone call.

Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN.  This method is suitable for validating Wildcard Domain Names.

We're looking to make a few changes, see:

  *   https://docs.google.com/document/d/1aJiOzYVTpoAPVWDucnp20cTO2PR_cRsHncvkhlrcR10/edit#

The main question I have is, why is there no mention of ADN in this method?  It seems like you should be able to use the phone number of the ADN, and that you should be able to re-use this validation for any other FQDN that ends with the ADN.

Are there any issues I'm missing with this suggestion? The Yellow items are important for this question; the other changes are for other recommended changes.

Confirming the Applicant's control over the FQDN by calling the Domain Contact's phone number and obtaining a response confirming the Applicant's request for validation of the Authorization Domain Name FQDN. The CA MUST place the call to a phone number identified by the Domain Name Registrar as the Domain Contact.

Each phone call SHALL be made to a single number and MAY confirm control of multiple FQDNs, provided that the phone number is identified by the Domain Registrar as a valid contact method for every FQDN Authorization Domain Name being verified using the phone call.

In the event of a phone transfer, you can only be transferred to a Domain Contact.  In the event of reaching voicemail, a Random Value shall be left and the Domain contact may return that to the CA via Phone, Email, Fax, or SMS to approve the domain within 30 days of the voicemail.

Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN Authorization Domain Name.  This method is suitable for validating Wildcard Domain Names.


Doug
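
The scope rule discussed in the message above (one call to one number may confirm several FQDNs, and a validated Authorization Domain Name covers other FQDNs that end with all of its labels) can be checked mechanically. The following is an added example, not part of the original message or of the Baseline Requirements text; the function names, the `registrar_contacts` structure and the sample data are assumptions made for illustration. It compares whole DNS labels, since a plain string-suffix test would wrongly accept a name such as `notexample.com` for `example.com`.

```python
# Added illustration; all names and data here are constructed.

def labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing root dot."""
    return name.rstrip(".").lower().split(".")

def covered_by(fqdn, adn):
    """True if fqdn ends with all the labels of adn (whole-label comparison).

    A leading "*" label (Wildcard Domain Name) is dropped before comparing.
    """
    f, a = labels(fqdn), labels(adn)
    if f and f[0] == "*":
        f = f[1:]
    return len(f) >= len(a) and f[-len(a):] == a

def fqdns_confirmed_by_call(called_number, requested, registrar_contacts):
    """Return the requested FQDNs that one call to called_number may confirm.

    registrar_contacts maps each Authorization Domain Name to the set of phone
    numbers the registrar lists for its Domain Contact (hypothetical structure).
    """
    confirmed = []
    for fqdn in requested:
        for adn, phones in registrar_contacts.items():
            # The number must be a listed contact for the ADN covering this FQDN.
            if called_number in phones and covered_by(fqdn, adn):
                confirmed.append(fqdn)
                break
    return confirmed

# Constructed sample data: two ADNs with different registrar-listed numbers.
CONTACTS = {
    "example.com": {"+1-555-0100"},
    "example.org": {"+1-555-0199"},
}
REQUESTED = [
    "www.example.com",         # ends with the labels of example.com
    "*.example.com",           # wildcard under the same ADN
    "notexample.com",          # string suffix matches, labels do not
    "example.com.other.test",  # ADN appears as a prefix, not a suffix
    "shop.example.org",        # different ADN, different contact number
]

if __name__ == "__main__":
    print(fqdns_confirmed_by_call("+1-555-0100", REQUESTED, CONTACTS))
```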