[cabf_validation] Updates to Method 3

Doug Beattie doug.beattie at globalsign.com
Fri Apr 20 13:06:21 MST 2018


Yes, the format looks to have been dropped when you opened it (the one I received did have some formatting included).  Regardless, the proposed text is in the linked google Doc and is one way for the collaboration to happen.

When you saw “Authorization Domain Name FQDN”, I added “Authorization Domain Name” and lined out “FQDN”

The main question I wanted to ask was this: when you validate an FQDN using an ADN (or the “thing” that’s registered with the Domain Name Registrar), it’s the ADN/“thing registered with the Registrar” that can be re-used for subsequent issuance, right?

I agree, we need to nuke the Notes, they are not always accurate and are irrelevant.

Doug



From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Friday, April 20, 2018 3:58 PM
To: Doug Beattie <doug.beattie at globalsign.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: Re: [cabf_validation] Updates to Method 3



On Fri, Apr 20, 2018 at 2:59 PM, Doug Beattie via Validation <validation at cabforum.org> wrote:
I'm working on updating Method 3, per the Validation Summit meeting.

It currently says:

Confirming the Applicant's control over the FQDN by calling the Domain Name Registrant's phone number and obtaining a response confirming the Applicant's request for validation of the FQDN. The CA MUST place the call to a phone number identified by the Domain Name Registrar as the Domain Contact.

Each phone call SHALL be made to a single number and MAY confirm control of multiple FQDNs, provided that the phone number is identified by the Domain Registrar as a valid contact method for every Base Domain Name being verified using the phone call.

Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN.  This method is suitable for validating Wildcard Domain Names.

We're looking to make a few changes, see:

  *   https://docs.google.com/document/d/1aJiOzYVTpoAPVWDucnp20cTO2PR_cRsHncvkhlrcR10/edit

The main question I have is, why is there no mention of ADN in this method?  It seems like you should be able to use the phone number of the ADN, and that you should be able to re-use this validation for any other FQDN that ends with the ADN.

I'm not really sure I understand the question. WHOIS is not tied to FQDN/ADN, but through communication with the Domain Name Registrar.

If it's the "Note:" part, well, that's because some members felt it was appropriate to duplicate informatively what is normatively specified elsewhere.

Are there any issues I'm missing with this suggestion?  The Yellow items are important for this question, the other changes are for other recommended changes.

I'm not sure what Yellow items you're referring to. Perhaps your mail client is misconfigured?

In general, this is where collaborating on GitHub for actual proposed changes may make more effective collaboration.

As far as terminology, it seems like a very poor language choice to say "Authorization Domain Name FQDN", and may highlight the misunderstanding about what an ADN is.

Confirming the Applicant's control over the FQDN by calling the Domain Contact's phone number and obtaining a response confirming the Applicant's request for validation of the Authorization Domain Name FQDN. The CA MUST place the call to a phone number identified by the Domain Name Registrar as the Domain Contact.

Each phone call SHALL be made to a single number and MAY confirm control of multiple FQDNs, provided that the phone number is identified by the Domain Registrar as a valid contact method for every FQDN Authorization Domain Name being verified using the phone call.

In the event of a phone transfer, you can only be transferred to a Domain Contact.  In the event of reaching voicemail, a Random Value shall be left and the Domain Contact may return that to the CA via Phone, Email, Fax, or SMS to approve the domain within 30 days of the voicemail.

Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN Authorization Domain Name.  This method is suitable for validating Wildcard Domain Names.
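The Note quoted above (and the ADN question that runs through the thread) comes down to one concrete check: a validated name covers a requested FQDN only if the FQDN "ends with all the labels of" the validated name. The following is an added example, not text from this thread or from the Baseline Requirements, of how a CA's issuance pipeline could implement that check. It compares DNS labels rather than string suffixes, so "notexample.com" is never treated as falling under "example.com", and it treats a wildcard request "*.example.com" as covered when its base is under the validated name. The function names and the sample names are this example's own.

```python
"""Label-wise scoping of a reused domain validation (added example).

Implements the reading of the Method 3 Note that a validated name covers
any FQDN ending with all of its labels. Comparison is per DNS label,
never as a raw string suffix.
"""
from typing import Dict, List, Optional


def labels(name: str) -> List[str]:
    """Normalise a DNS name to lower-case labels, dropping one trailing dot.

    Rejects empty names and empty labels ("a..b") rather than guessing.
    """
    normalised = name.strip().lower().rstrip(".")
    if not normalised:
        raise ValueError("empty domain name")
    parts = normalised.split(".")
    if any(part == "" for part in parts):
        raise ValueError(f"empty label in {name!r}")
    return parts


def covered_by(fqdn: str, validated_adn: str) -> bool:
    """True if fqdn equals, or ends with all the labels of, validated_adn.

    A leading wildcard label is stripped first, so "*.example.com" is
    covered by "example.com" but "*.com" is not (its base "com" is shorter
    than the validated name and cannot end with all of its labels).
    """
    want = labels(fqdn)
    have = labels(validated_adn)
    if want[0] == "*":
        want = want[1:]
        if not want:          # a bare "*" is never issuable
            return False
    # Label-wise suffix test: the last len(have) labels must match exactly.
    return len(want) >= len(have) and want[-len(have):] == have


def issuable(requested: List[str], validated: List[str]) -> Dict[str, Optional[str]]:
    """Map each requested name to the first validated ADN that covers it.

    A value of None means no existing validation may be reused for that
    name and a fresh validation is required before issuance.
    """
    result: Dict[str, Optional[str]] = {}
    for req in requested:
        result[req] = next((adn for adn in validated if covered_by(req, adn)), None)
    return result


if __name__ == "__main__":
    # Constructed sample input: one validated ADN, a mixed certificate request.
    validated = ["example.com"]
    requested = ["www.example.com", "*.example.com", "notexample.com",
                 "example.com.evil.net", "mail.example.org"]
    for name, adn in issuable(requested, validated).items():
        print(f"{name:24} -> {adn or 'NEEDS NEW VALIDATION'}")
```

One caveat the block deliberately does not handle: it trusts that the validated ADN itself is a name the Domain Contact actually controls. A real pipeline must additionally refuse to treat a public suffix (for instance "com" or "co.uk") as a validated ADN, otherwise this suffix check would cover every name under it; that requires a public suffix list lookup, which is outside this example.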
