On Mon, Jan 8, 2018 at 2:45 AM, Dimitris Zacharopoulos via Public < [email protected]> wrote:
> On 5/1/2018 6:31 μμ, Rich Smith wrote: > > *From:* Public [mailto:[email protected] > <[email protected]>] *On Behalf Of *Dimitris Zacharopoulos via > Public > *Sent:* Friday, January 5, 2018 5:44 AM > > <snip> > > --- BEGIN updated language for 3.2.2.4.1 --- > > Confirming the Applicant's control over the FQDN by validating the > Applicant is the Domain Contact directly with the Domain Name Registrar. > This method may only be used if: > > 1. The CA validates Domain Contact information obtained from the > Domain Registrar by using the process described in section 3.2.2.4.2 OR > 3.2.2.4.3; OR > 2. The CA is also the Domain Name Registrar, or an Affiliate of the > Registrar, of the Base Domain Name. > > Note: Once the FQDN has been validated using this method, the CA MAY also > issue Certificates for other FQDNs that end with all the labels of the > validated FQDN. This method is suitable for validating Wildcard Domain > Names. > > --- END updated language for 3.2.2.4.1 --- > > </snip> > > > > I think your #1 is redundant as those methods already stipulate obtaining > information from the registrar. > > > Perhaps my reading is too strict but methods in 3.2.2.4.2 and 3.2.2.4.3 > imply that you get information for Domain Contact without necessarily > *contacting* the Domain Registrar. My understanding is that you can use > Domain Registrant contact information by whatever public information is > available (via WHOIS). > I'm not sure I understand the distinction being made here between WHOIS and contacting the registrar. For example, the .com WHOIS implementation involves contacting the registrar's WHOIS services (while, conversely, .org's WHOIS involves effectively contacting the registry's WHOIS). However, see the points below to see if they are able to slice through that confusion. > > Here is the Domain Contact definition in 1.6.1: > "*Domain Contact*: The Domain Name Registrant, technical contact, or > administrative contract (or the equivalent under a ccTLD) as listed in the > WHOIS record of the Base Domain Name or in a DNS SOA record" > > The only method that currently mentions that the CA may contact the Domain > Name Registrar *directly*, is 3.2.2.4.1. I don't think getting publicly > available WHOIS information means "contacting" the Domain Registrar. This > is necessary for registries that don't provide public WHOIS information > about Domain Registrants. > So to make sure I understand your view: For situations such as ccTLDs (which are not bound by ICANN's registry agreements as they predate ICANN and are separately managed from ICANN), where WHOIS is not available, your view is 3.2.2.4.1 is the only method that allows for out-of-band contact with the registrar (which is contracted with the registry) in order to determine the Registrant/technical contact/administrative contact/equivalent. An example of pre-existing TLD adhering to this is .gov (in the US) - and I'm guessing you know of one or more ccTLDs that also fit into this category? The advantage being is that this permits non-gTLDs (i.e. those within the ICANN sphere of oversight) to use methods 'equivalent' to WHOIS. The disadvantage is that, in the absence of the registry agreements, the level of assurance or equivalence of those respective methods is at the determination of the ccTLD/TLD operator and the CA, and not uniform in assurance or reliability.
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
