Jeremy, I would also happily endorse a ballot removing both these methods.
-Rich From: Public [mailto:[email protected]] On Behalf Of Ryan Sleevi via Public Sent: Tuesday, December 19, 2017 4:03 PM To: Jeremy Rowley <[email protected]>; CA/Browser Forum Public Discussion List <[email protected]> Subject: Re: [cabfpub] Verification of Domain Contact and Domain Authorization Document On Tue, Dec 19, 2017 at 4:30 PM, Jeremy Rowley via Public <[email protected] <mailto:[email protected]> > wrote: I’m looking to remove/fix both of these methods as both these methods lack the necessary controls to ensure that the verification ties to the domain holder. These methods probably should have been removed back when we passed 169/182. Would anyone being willing to endorse a ballot killing these or making some necessary improvements? Certainly, the concerns you raise with 3.2.2.4.5 are ones we shared, such as during the discussion in the Berlin F2F regarding the use of Delegated Third Parties for Domain Control Validation. During that discussion, we spent some time discussing how that particular validation method allows for a host of risks associated with issuance - and for the ambiguity as to how the CA appropriately validates the authenticity and the credentials. I'm not sure I share your optimism for 3.2.2.4.1 with respect to EV. In discussions about why site operators might want to limit what methods a CA can use to issue, these two methods are both examples of less than ideal methods, and so I'm thrilled to see others recognize it, while simultaneously disheartened at how many customers were validated through those methods. We'd be happy to endorse removal of both of those methods.
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
