I agree with Rich here. I don't think the proposed #1 would offer anything new here - #1.1 simply refers to .2/.3 as equivalent, and #1.2 is, as Rich points out, "Any other method".
Notable on the issuance side is that the other forms of validation are appropriate/usable - for example, technical methods of validation. .gr is not the only registry to restrict information to its WHOIS (.gov is perhaps a notable example), but the other methods of control already suffice for such cases.

On Fri, Jan 5, 2018 at 11:31 AM, Rich Smith via Public <[email protected]> wrote:

> *From:* Public [mailto:[email protected]] *On Behalf Of* Dimitris Zacharopoulos via Public
> *Sent:* Friday, January 5, 2018 5:44 AM
>
> <snip>
>
> --- BEGIN updated language for 3.2.2.4.1 ---
>
> Confirming the Applicant's control over the FQDN by validating the Applicant is the Domain Contact directly with the Domain Name Registrar. This method may only be used if:
>
> 1. The CA validates Domain Contact information obtained from the Domain Registrar by using the process described in section 3.2.2.4.2 OR 3.2.2.4.3; OR
> 2. The CA is also the Domain Name Registrar, or an Affiliate of the Registrar, of the Base Domain Name.
>
> Note: Once the FQDN has been validated using this method, the CA MAY also issue Certificates for other FQDNs that end with all the labels of the validated FQDN. This method is suitable for validating Wildcard Domain Names.
>
> --- END updated language for 3.2.2.4.1 ---
>
> </snip>
>
> I think your #1 is redundant as those methods already stipulate obtaining information from the registrar. I'm not completely opposed to #2 because I do think that it makes some sense for a CA who is also the registrar to be able to have some internal process available to it which verifies domain authorization which is by definition not available to a CA which is not also the registrar; however, I would really prefer that those CAs which are also registrars would come forward to discuss and outline more specifics as to what those processes might look like, so that we can codify them with more detail as to what is acceptable in such instance rather than continue to be 'hand wavy' about it. We've now gotten very specific as to the acceptable methods for non-registrar CAs and gotten rid of 'any other method', but I see the lack of specificity in this particular case as an 'any other method' for registrar CAs and I'm not sure why we should continue to allow it without any specifics.
>
> Regards,
>
> Rich
>
> _______________________________________________
> Public mailing list
> [email protected]
> https://cabforum.org/mailman/listinfo/public
