Hi Matt,

Thank you for your statement.

Let me try to clarify: In 3.2.2.4 we specify the Authorization by Domain Name Registrant as follows:

3.2.2.4 Authorization by Domain Name Registrant

For each Fully-Qualified Domain Name listed in a Certificate, SG PKI confirms that, as of the date the Certificate was issued, the Applicant (or the Applicant's Parent Company, Subsidiary Company or Affiliate, collectively referred to as "Applicant" for the purpose of this Section) either is the Domain Name Registrant or has control over the FQDN by:

- communicating directly with the Domain Name Registrant using the contact information listed in the WHOIS records "registrant", "technical" or "administrative" field.
- Relying upon a Domain Authorization Document approved by the Domain Name Registrant. The document MUST be dated on or after the certificate request date or used by SG PKI to verify a previously issued certificate and that the Domain Name's WHOIS record has not been modified since the previous certificate issuance.

And in paragraph 4.2 the certificate application process is described and refers in the end to the aforementioned checklist:

[...] The validation process is detailed in a checklist for each certificate type. [25][26][27] [...]

As the checklist potentially needs to be adapted to actual threats, we chose to leave it in a separate document and refer to it in the CPS to make the check procedure transparent.

If required, we will adapt this procedure and integrate all steps into the CPS. That would make the checklist document handling less agile. I would appreciate some more input on this point from others, before we change that.

Regards
Michael

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+michael.vonniederhaeusern=bit.admin...@lists.mozilla.org] On behalf of Matt Palmer via dev-security-policy
Sent: Thursday, 23 November 2017 08:55
To: dev-security-policy@lists.mozilla.org
Subject: Re: Swiss Government root inclusion request

On Thu, Nov 23, 2017 at 06:43:42AM +0000, Michael von Niederhäusern via dev-security-policy wrote:
> - 2.2(3) says: "The CA's CP/CPS must clearly specify the procedure(s) that
> the CA employs, and each documented procedure should state which subsection
> of 3.2.2.4 it is complying with."
> In our opinion this does not mean that the very description has to be in
> CP/CPS itself.

Really? "The [...] CPS must clearly specify the procedure" doesn't mean the description has to be in the CPS? I'm sorry, but your opinion is misguided and ill-advised.

- Matt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy