On 8/1/2018 10:15 AM, Ryan Sleevi wrote:
On Mon, Jan 8, 2018 at 2:45 AM, Dimitris Zacharopoulos via Public
<[email protected] <mailto:[email protected]>> wrote:
On 5/1/2018 6:31 PM, Rich Smith wrote:
*From:* Public [mailto:[email protected]
<mailto:[email protected]>] *On Behalf Of *Dimitris
Zacharopoulos via Public
*Sent:* Friday, January 5, 2018 5:44 AM
<snip>
--- BEGIN updated language for 3.2.2.4.1 ---
Confirming the Applicant's control over the FQDN by validating
the Applicant is the Domain Contact directly with the Domain Name
Registrar. This method may only be used if:
1. The CA validates Domain Contact information obtained from the
Domain Registrar by using the process described in section
3.2.2.4.2 OR 3.2.2.4.3; OR
2. The CA is also the Domain Name Registrar, or an Affiliate of
the Registrar, of the Base Domain Name.
Note: Once the FQDN has been validated using this method, the CA
MAY also issue Certificates for other FQDNs that end with all the
labels of the validated FQDN. This method is suitable for
validating Wildcard Domain Names.
--- END updated language for 3.2.2.4.1 ---
</snip>
I think your #1 is redundant as those methods already stipulate
obtaining information from the registrar.
Perhaps my reading is too strict but methods in 3.2.2.4.2 and
3.2.2.4.3 imply that you get information for Domain Contact
without necessarily *contacting* the Domain Registrar. My
understanding is that you can use Domain Registrant contact
information by whatever public information is available (via WHOIS).
I'm not sure I understand the distinction being made here between
WHOIS and contacting the registrar. For example, the .com WHOIS
implementation involves contacting the registrar's WHOIS services
(while, conversely, .org's WHOIS involves effectively contacting the
registry's WHOIS). However, see the points below to see if they are
able to slice through that confusion.
Thanks Ryan, this is the distinction I had in mind. My understanding is
that using the publicly available WHOIS is not "contacting" the
Registrar. I believed that "contacting" is an out-of-band way.
Here is the Domain Contact definition in 1.6.1:
"*Domain Contact*: The Domain Name Registrant, technical contact,
or administrative contact (or the equivalent under a ccTLD) as
listed in the WHOIS record of the Base Domain Name or in a DNS SOA
record"
The only method that currently mentions that the CA may contact
the Domain Name Registrar *directly*, is 3.2.2.4.1. I don't think
getting publicly available WHOIS information means "contacting"
the Domain Registrar. This is necessary for registries that don't
provide public WHOIS information about Domain Registrants.
So to make sure I understand your view: For situations such as ccTLDs
(which are not bound by ICANN's registry agreements as they predate
ICANN and are separately managed from ICANN), where WHOIS is not
available, your view is 3.2.2.4.1 is the only method that allows for
out-of-band contact with the registrar (which is contracted with the
registry) in order to determine the Registrant/technical
contact/administrative contact/equivalent.
Correct.
An example of a pre-existing TLD adhering to this is .gov (in the US) -
and I'm guessing you know of one or more ccTLDs that also fit into
this category?
The advantage being that this permits non-gTLDs (i.e. those within
the ICANN sphere of oversight) to use methods 'equivalent' to WHOIS.
The disadvantage is that, in the absence of the registry agreements,
the level of assurance or equivalence of those respective methods is
at the determination of the ccTLD/TLD operator and the CA, and not
uniform in assurance or reliability.
The level of assurance for Domain Contact phone numbers and e-mail
addresses is pretty much the same in most gTLD and ccTLD cases; that's why
I proposed that they are combined with methods 3.2.2.4.2 or 3.2.2.4.3. I
am hoping to have the WHOIS "equivalent" methods for all Domains. We are
talking about Domain Validation methods, so I don't think we should use
"Organization Information" of WHOIS or Domain Registrar records to
validate Domain ownership.
Dimitris.
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
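The Note in the proposed 3.2.2.4.1 language quoted above says that once an FQDN has been validated, the CA MAY issue for other FQDNs "that end with all the labels of the validated FQDN", and that the method is suitable for Wildcard Domain Names. The following is an added illustration of that rule written for this thread; it is not code from the CA/Browser Forum, from any CA, or from any participant. The comparison is done label by label rather than as a string suffix, because a naive `endswith()` check would treat "notexample.com" as covered by a validation of "example.com". Function names, the wildcard handling (only a whole left-most "*" label is accepted) and the sample SAN list are assumptions made for the example.

```python
"""Added example (not from the mailing-list thread): decide which requested
FQDNs are covered by an earlier validation of one FQDN under the
"ends with all the labels of the validated FQDN" rule.
"""
from typing import List, Sequence, Tuple


def _labels(name: str) -> List[str]:
    """Normalise an FQDN (lowercase, strip one trailing dot) and split it
    into labels, rejecting empty labels such as in 'a..b' or '.a'."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    if not name:
        raise ValueError("empty domain name")
    labels = name.split(".")
    if any(label == "" for label in labels):
        raise ValueError(f"malformed domain name: {name!r}")
    return labels


def covered_by_validation(requested: str, validated: str) -> bool:
    """Return True if `requested` ends with ALL the labels of `validated`.

    A wildcard request '*.example.com' is accepted exactly when the name
    with the '*' label removed is itself covered (assumption for this
    example: the wildcard must be the entire left-most label, nothing
    like 'w*.example.com').
    """
    req = _labels(requested)
    val = _labels(validated)
    if any("*" in label for label in val):
        raise ValueError("validated name must not contain a wildcard")
    if any("*" in label for label in req[1:]) or ("*" in req[0] and req[0] != "*"):
        raise ValueError(f"wildcard only allowed as the whole left-most label: {requested!r}")
    if req[0] == "*":
        # '*.example.com' covers names directly below example.com, so the
        # base name itself must be covered by the validation.
        req = req[1:]
    if len(req) < len(val):
        return False
    # Label-wise suffix comparison: the last len(val) labels must be
    # exactly the validated labels. A string suffix test would wrongly
    # accept 'notexample.com' for a validation of 'example.com'.
    return req[len(req) - len(val):] == val


def filter_issuable(requested_names: Sequence[str],
                    validated_fqdn: str) -> Tuple[List[str], List[str]]:
    """Split a list of requested names into (issuable, rejected) for one
    validated FQDN. Malformed names are treated as rejected."""
    issuable: List[str] = []
    rejected: List[str] = []
    for name in requested_names:
        try:
            ok = covered_by_validation(name, validated_fqdn)
        except ValueError:
            ok = False
        (issuable if ok else rejected).append(name)
    return issuable, rejected


if __name__ == "__main__":
    # Constructed sample SAN list for the demonstration.
    sans = ["example.com", "www.example.com", "*.example.com",
            "notexample.com", "example.com.evil.test", "EXAMPLE.COM.",
            "w*.example.com"]
    ok, bad = filter_issuable(sans, "example.com")
    print("issuable:", ok)
    print("rejected:", bad)
```

The interesting cases are the rejected ones: "notexample.com" (string suffix but not label suffix), "example.com.evil.test" (validated labels present but not at the end), and "w*.example.com" (a partial-label wildcard). A validation of "www.example.com" does not cover "*.example.com", since the wildcard base "example.com" is shorter than the validated name.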