[cabf_validation] domain registrar as an applicant

Ryan Sleevi sleevi at google.com
Mon Oct 22 06:10:10 MST 2018


I think any CA advocating that would need to describe under 3.2.2.4 which
method they're using to validate. Could you explain a process that a CA
could use that complies with one of the 3.2.2.4 validation methods that
meets that?

There had been some discussion about proposing additional methods - what,
during the validation work, had been suggested as "3.2.2.4.13", which was a
modification proposed by Peter Bowen at Amazon that would have allowed
greater flexibility while still achieving the same security objectives of
3.2.2.4.12, in a more interoperable way. However, Peter didn't push that
forward as .13, and no other member stepped up to do so.

On Mon, Oct 22, 2018 at 5:25 AM Adriano Santoni via Validation <
validation at cabforum.org> wrote:

> All,
>
> I'd like to get some opinions on the following doubt.
>
> Can it be inferred, from the BRs, that the entity which is officially
> designated (e.g. by governmental acts) as the /unique/ registrar of a
> certain domain also /controls/ that domain and is therefore "entitled"
> (subject to the remaining checks required by the BRs) to receive SSL server
> certificates for such domain and all subdomains thereof? I mean, can we
> draw this conclusion based on "just" the official documental evidences
> (e.g. by governmental acts) ? Section 3.2.2.4 of the BRs seems not to allow
> that - or not too clearly, at any rate.
>
> (Please note that I am not referring to the particular circumstance
> addressed by 3.2.2.4.12 of the BRs)
> Adriano