Jeremy,
This is excellent work and helps people understand each method a lot better.
Some comments:
"The CA MUST record the subsection and version of the Baseline
Requirements used to validate an Applicant’s control over each FQDN
included in an issued certificate"
When is this expected to become effective?
In methods 3.2.2.4.1, 3.2.2.4.2, 3.2.2.4.3, b (2), you say that the CA
must verify that the WHOIS information for the Base Domain has not
changed since the CA performed the verification process. Is this the
WHOIS information record itself or should CAs be looking for the Domain
Contact to appear in the WHOIS record? I'm asking because some WHOIS
databases do not release Domain Contact information and CAs require an
official document from the Domain Registrar that contains information
about the domain owner and contacts for the initial domain validation.
For example, this is the WHOIS record for example.gr:
Domain Name:example.gr
Domain Handle:dr-1234-gr
Protocol Number:1234
Creation Date:24-07-1997
Expiration Date:31-12-2017
Updated Date:05-11-2015
Registrar:FOO
Registrar Referral URL:http://www.FOO.gr
Registrar Email:[email protected]
Registrar Telephone:+30.123456
Whois Server:
Bundle Name:example.gr
Name Server:XXXX.example.gr
Name Server:XXXXXX.example.gr
According to your proposal, CAs only need to check if the record above
has not changed?
Also, there is a small typo in the 3rd paragraph of 3.2.2.4.2 a (FQNs
--> FQDNs).
Thanks,
Dimitris.
On 15/5/2017 11:41 μμ, Jeremy Rowley via Public wrote:
While working on implementing the methods defined by ballot 169, we
noticed a lot of inconsistencies in the language and process. This
made some of the methods confusing, especially on how they applied to
reuse of information and verification of subdomains/wildcards.
Attached is a proposal that we think clarifies the process and
tightens up the language.
A couple of notes:
1. The proposal doesn’t intend to substantially change any of the
methods. However, this is DigiCert’s interpretation of the
requirements. Given the previous language, disagreement on the
interpretation is likely and will highlight the need for a
clarifying ballot.
2. This method doesn’t necessarily replace 190. If longer discussion
is needed (because there are lots of changes), then this could be
a subsequent revision to the validation methods and include more
stringent controls (like reverifying WHOIS information within 30
days and restricting sub-domain methods). For now, I tried to keep
the process and reuse the same.
3. The proposal separates out sub domain reuse, reuse of
documentation, and splits the longer methods into discrete steps.
There are lots of redundant sections. This is intentional. The
goal is to (eventually) talk about each method discretely and
decide what requirements are tied to document reuse and sub-domain
validation.
Look forward to your comments.
Jeremy
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
