[cabf_validation] Updates to Method 3

Ryan Sleevi sleevi at google.com
Fri Apr 20 12:57:44 MST 2018


On Fri, Apr 20, 2018 at 2:59 PM, Doug Beattie via Validation <
validation at cabforum.org> wrote:

> I'm working on updating Method 3, per the Validation Summit meeting.
>
> It currently says:
>
> Confirming the Applicant's control over the FQDN by calling the Domain
> Name Registrant's phone number and obtaining a response confirming the
> Applicant's request for validation of the FQDN. The CA MUST place the call
> to a phone number identified by the Domain Name Registrar as the Domain
> Contact.
>
> Each phone call SHALL be made to a single number and MAY confirm control
> of multiple FQDNs, provided that the phone number is identified by the
> Domain Registrar as a valid contact method for every Base Domain Name being
> verified using the phone call.
>
> Note: Once the FQDN has been validated using this method, the CA MAY also
> issue Certificates for other FQDNs that end with all the labels of the
> validated FQDN.  This method is suitable for validating Wildcard Domain
> Names.
>
> We're looking to make a few changes, see:
>
>   *   https://docs.google.com/document/d/1aJiOzYVTpoAPVWDucnp20cTO2PR_cRsHncvkhlrcR10/edit#
>
> The main question I have is, why is there no mention of ADN in this
> method?  It seems like you should be able to use the phone number of the
> ADN, and that you should be able to re-use this validation for any other
> FQDN that ends with the ADN.
>

I'm not really sure I understand the question. WHOIS is not tied to
FQDN/ADN, but through communication with the Domain Name Registrar.

If it's the "Note:" part, well, that's because some members felt it was
appropriate to duplicate informatively what is normatively specified
elsewhere.


> Are there any issues I'm missing with this suggestion?  The Yellow items
> are important for this question, the other changes are for other
> recommended changes.
>

I'm not sure what Yellow items you're referring to. Perhaps your mail
client is misconfigured?

In general, this is where collaborating on GitHub for actual proposed
changes may make more effective collaboration.

As far as terminology, it seems like a very poor language choice to say
"Authorization Domain Name FQDN", and may highlight the misunderstanding
about what an ADN is.


> Confirming the Applicant's control over the FQDN by calling the Domain
> Contact's phone number and obtaining a response confirming the Applicant's
> request for validation of the Authorization Domain Name FQDN. The CA MUST
> place the call to a phone number identified by the Domain Name Registrar as
> the Domain Contact.
>
> Each phone call SHALL be made to a single number and MAY confirm control
> of multiple FQDNs, provided that the phone number is identified by the
> Domain Registrar as a valid contact method for every FQDN Authorization
> Domain Name being verified using the phone call.
>
> In the event of a phone transfer, you can only be transferred to a Domain
> Contact.  In the event of reaching voicemail, a Random Value shall be left
> and the Domain contact may return that to the CA via Phone, Email, Fax, or
> SMS to approve the domain within 30 days of the voicemail.
>
> Note: Once the FQDN has been validated using this method, the CA MAY also
> issue Certificates for other FQDNs that end with all the labels of the
> validated FQDN Authorization Domain Name.  This method is suitable for
> validating Wildcard Domain Names.
>
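
Added example, not part of the original message or of the Baseline Requirements text: one way to implement the "Note:" rule quoted above (issuance for other FQDNs that "end with all the labels" of the validated name) as a label-by-label comparison, beside a plain string suffix test that ignores label boundaries. The function names and the sample domain names are constructed for illustration.

```python
def _labels(name: str) -> list[str]:
    """Split a domain name into lowercase labels, ignoring one trailing root dot."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    labels = name.split(".")
    if not name or any(label == "" for label in labels):
        raise ValueError(f"malformed domain name: {name!r}")
    return labels


def covered_by_validation(requested: str, validated: str) -> bool:
    """True if `requested` ends with all the labels of `validated`."""
    req = _labels(requested)
    val = _labels(validated)
    if any("*" in label for label in val):
        raise ValueError("validated name must be an FQDN, not a wildcard")
    # A wildcard is accepted only as the complete left-most label.
    if req[0] == "*":
        req = req[1:]
    if not req or any("*" in label for label in req):
        return False
    # Compare whole labels from the right, never raw characters.
    return len(req) >= len(val) and req[-len(val):] == val


def naive_suffix_check(requested: str, validated: str) -> bool:
    """String comparison, shown for contrast: it ignores label boundaries."""
    return requested.lower().endswith(validated.lower())


# Constructed sample names; "example.com" stands in for the validated name.
SAMPLES = [
    "www.example.com",
    "*.example.com",
    "WWW.Example.COM.",
    "badexample.com",
    "example.com.evil.test",
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:24} label-wise={covered_by_validation(name, 'example.com')!s:5} "
              f"string-suffix={naive_suffix_check(name, 'example.com')}")
```

The two checks disagree on "badexample.com": the string test accepts it, the label-wise test does not.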