On 16/5/2017 7:12 PM, Jeremy Rowley wrote:
"The CA MUST record the subsection and version of the Baseline
Requirements used to validate an Applicant’s control over each FQDN
included in an issued certificate"
When is this expected to become effective?
- Immediately after the IPR period expires
Ok, I hope everyone understands what this means in terms of code changes.
In methods 3.2.2.4.1, 3.2.2.4.2, 3.2.2.4.3, b (2), you say that the
CA must verify that the WHOIS information for the Base Domain has not
changed since the CA performed the verification process. Is this the
WHOIS information record itself or should CAs be looking for the
Domain Contact to appear in the WHOIS record? I'm asking because some
WHOIS databases do not release Domain Contact information and CAs
require an official document from the Domain Registrar that contains
information about the domain owner and contacts for the initial domain
validation.
- Right now the time period in that section specifies the Domain
language 825 days so it’s identical to the verification period. I put
this in explicitly in case we wanted to reduce the period of WHOIS
re-confirmation to a lesser period (such as 90 days?). It should have
said WHOIS or Domain Registrar though instead of just WHOIS. I also
don’t mind dropping bullet point 2 if everyone is opposed to a
WHOIS/Domain Registrar refresh.
No, I think checking for WHOIS change is fine if we agree on checking
just the WHOIS record. For the example below, the WHOIS record itself
does not reveal who the Domain Registrant is. It just states the Domain
Handle, Domain Identifier, dates and Registrar info. If all this
information remains the same, it is reasonable to assume that the
Registrant also remains the same. I don't know if my description is
fully captured in the currently proposed language.
For example, this is the WHOIS record for example.gr:
Domain Name:example.gr
Domain Handle:dr-1234-gr
Protocol Number:1234
Creation Date:24-07-1997
Expiration Date:31-12-2017
Updated Date:05-11-2015
Registrar:FOO
Registrar Referral URL:http://www.FOO.gr
Registrar Email:[email protected]
Registrar Telephone:+30.123456
Whois Server:
Bundle Name:example.gr
Name Server:XXXX.example.gr
Name Server:XXXXXX.example.gr
According to your proposal, CAs only need to check if the record above
has not changed?
- Yes. That is the point of bullet point 2. To try and address issues
where domain ownership may have changed.
In this example, if the domain ownership changed, the dates would change
and probably the Domain Handle and "Protocol Number". That should be
enough to trigger a re-validation of the domain. The "Expiration Date"
should also be a blocker if the issuance date is greater than the
expiration date of the domain.
Thanks again,
Dimitris.
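As an added illustration (not code from the thread or from any CA), the check Dimitris describes above: a CA compares the WHOIS record it stored at validation time with a fresh lookup, treats a change in the handle, protocol number, dates or registrar as a trigger for re-validation, and refuses to reuse the validation if the registration has expired before the issuance date. The field names follow the quoted example.gr record; both records and all dates below are constructed samples.

```python
# Added example, not from the mailing-list thread: re-check a stored WHOIS
# snapshot against a fresh record using the fields of the quoted example.gr
# record. Everything below is constructed sample data.
from datetime import date

# Fields whose change suggests the domain may have changed hands.
OWNERSHIP_FIELDS = ("Domain Handle", "Protocol Number", "Creation Date",
                    "Updated Date", "Registrar")

def parse_whois(text):
    """Parse 'Key:Value' lines into a dict; repeated 'Name Server' keys become a list."""
    rec = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name Server":
            rec.setdefault(key, []).append(value)
        else:
            rec[key] = value
    return rec

def parse_gr_date(s):
    """Dates in the quoted record are written DD-MM-YYYY."""
    d, m, y = (int(p) for p in s.split("-"))
    return date(y, m, d)

def whois_requires_revalidation(stored, fresh, issuance_ddmmyyyy):
    """Return the reasons (possibly none) why the cached validation must not be reused."""
    old, new = parse_whois(stored), parse_whois(fresh)
    reasons = [f"{f} changed: {old.get(f)!r} -> {new.get(f)!r}"
               for f in OWNERSHIP_FIELDS if old.get(f) != new.get(f)]
    if parse_gr_date(issuance_ddmmyyyy) > parse_gr_date(new["Expiration Date"]):
        reasons.append("domain registration expired before issuance")
    return reasons

STORED = """Domain Name:example.gr
Domain Handle:dr-1234-gr
Protocol Number:1234
Creation Date:24-07-1997
Expiration Date:31-12-2017
Updated Date:05-11-2015
Registrar:FOO
Name Server:ns1.example.gr
"""
# Constructed: the same domain after a transfer to a new handle and a later update.
TRANSFERRED = STORED.replace("dr-1234-gr", "dr-9999-gr").replace("05-11-2015", "01-06-2017")

if __name__ == "__main__":
    print(whois_requires_revalidation(STORED, STORED, "01-06-2017"))       # nothing changed
    print(whois_requires_revalidation(STORED, TRANSFERRED, "01-06-2017"))  # handle and date changed
    print(whois_requires_revalidation(STORED, STORED, "15-01-2018"))       # issued after expiry
```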
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public