On 5/1/2018 6:31 μμ, Rich Smith wrote:
*From:*Public [mailto:[email protected]] *On Behalf Of
*Dimitris Zacharopoulos via Public
*Sent:* Friday, January 5, 2018 5:44 AM
<snip>
--- BEGIN updated language for 3.2.2.4.1 ---
Confirming the Applicant's control over the FQDN by validating the
Applicant is the Domain Contact directly with the Domain Name
Registrar. This method may only be used if:
1. The CA validates Domain Contact information obtained from the
Domain Registrar by using the process described in section
3.2.2.4.2 OR 3.2.2.4.3; OR
2. The CA is also the Domain Name Registrar, or an Affiliate of the
Registrar, of the Base Domain Name.
Note: Once the FQDN has been validated using this method, the CA MAY
also issue Certificates for other FQDNs that end with all the labels
of the validated FQDN. This method is suitable for validating Wildcard
Domain Names.
--- END updated language for 3.2.2.4.1 ---
</snip>
I think your #1 is redundant as those methods already stipulate
obtaining information from the registrar.
Perhaps my reading is too strict but methods in 3.2.2.4.2 and 3.2.2.4.3
imply that you get information for Domain Contact without necessarily
*contacting* the Domain Registrar. My understanding is that you can use
Domain Registrant contact information by whatever public information is
available (via WHOIS).
Here is the Domain Contact definition in 1.6.1:
"*Domain Contact*: The Domain Name Registrant, technical contact, or
administrative contract (or the equivalent under a ccTLD) as listed in
the WHOIS record of the Base Domain Name or in a DNS SOA record"
The only method that currently mentions that the CA may contact the
Domain Name Registrar *directly*, is 3.2.2.4.1. I don't think getting
publicly available WHOIS information means "contacting" the Domain
Registrar. This is necessary for registries that don't provide public
WHOIS information about Domain Registrants.
I’m not completely opposed to #2 because I do think that it makes some
sense for a CA who is also the registrar to be able to have some
internal process available to it which verifies domain authorization
which is by definition not available to a CA which is not also the
registrar, however I would really prefer that those CAs which are also
registrars would come forward to discuss and outline more specifics as
to what those processes might look like, so that we can codify them
with more detail as to what is acceptable in such instance rather than
continue to be ‘hand wavy’ about it. We’ve now gotten very specific
as to the acceptable methods for non-registrar CAs and gotten rid of
‘any other method’ but I see the lack of specificity in this
particular case as an ‘any other method’ for registrar CAs and I’m not
sure why we should continue to allow it without any specifics.
I don't know which CAs originally proposed #2 in 3.2.2.4.1 and what was
their reasoning. I know that during Domain registration, the company
representative provides contact information (phone numbers, e-mail
addresses). The CA/Registrar can use this information to contact the
Certificate Applicant to get authorization for issuance. This
information may or may not be available in the public WHOIS (or strictly
cover the "Domain Contact" definition of 1.6.1) but could be in an
internal database of the Registrar. Domain Registrants may also get
authentication credentials to web portals for Domain management that
could also be combined and used for authorization of Certificate issuance.
Dimitris.
Regards,
Rich
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
