On 8/1/2018 11:24 πμ, Ryan Sleevi wrote:
On Mon, Jan 8, 2018 at 4:11 AM, Dimitris Zacharopoulos
<[email protected] <mailto:[email protected]>> wrote:
An example of pre-existing TLD adhering to this is .gov (in the
US) - and I'm guessing you know of one or more ccTLDs that also
fit into this category?
The advantage being is that this permits non-gTLDs (i.e. those
within the ICANN sphere of oversight) to use methods 'equivalent'
to WHOIS. The disadvantage is that, in the absence of the
registry agreements, the level of assurance or equivalence of
those respective methods is at the determination of the ccTLD/TLD
operator and the CA, and not uniform in assurance or reliability.
The level of assurance for Domain Contact phone numbers and e-mail
addresses is pretty much the same in most gTLD, ccTLD cases,
that's why I proposed that they are combined with methods
3.2.2.4.2 or 3.2.2.4.3.
I don't believe we can simply state this. That is, we can objectively
evaluate, say, the ICANN Registry agreement, and the means in which
the information is provided and maintained, and make a determination
on that. Outside of those cases - legacy TLDs and ccTLDs - it's less
clear that we can objectively reach the same conclusions.
I am hoping to have the WHOIS "equivalent" methods for all
Domains. We are talking about Domain Validation methods so I don't
think we should use "Organization Information" of WHOIS or Domain
Registrar records to validate Domain ownership.
I wonder, then, if it would resolve your concerns about the removal of
3.2.2.4.1 to update the Domain Contact method - the issues I
highlighted on variability notwithstanding. That is, it sounds like
we're in agreement that 3.2.2.4.1, as worded, is entirely ambiguous as
to the level of assurance provided. The methods of contacting in
3.2.2.4.2/.3 are acceptable, the only question is how we determine the
information. We allow WHOIS, for example, but as worded, it would
preclude RDAP or other forms, and would preclude the cases (such as
.gov) in which direct registry contact is required.
Domain Contact: The Domain Name Registrant, technical contact, or
administrative contract (or the equivalent under a ccTLD) as provided
by the Domain Registrar or, for TLDs in which the Registry provides
information, the Registry. Acceptable methods of determination include
the WHOIS record of the Base Domain Name, within a DNS SOA record
[Note: This includes the hierarchal tree walking, by virtue of
3.2.2.4's recursion], or through direct contact with the applicable
Domain Name Registrar or Domain Name Registry.
This can then be separately expanded to RDAP, or be moved more
formally in to a section within 3.2 as to acceptable methods for the
determination of the Domain Contact (e.g. moving the normative
requirements for validation outside of the definition).
That seems like it would resolve the issues, right?
I am a bit confused about the agreements part between registries and
registrars but I don't think it is a blocking factor for our discussion.
At the end of the day, the Domain owner provides contact information to
a Registrar and these records are kept by the Registrar. Registrars
probably don't need to validate anything (e-mail addresses, phone
numbers). Domain owners have the incentive to provide accurate
information so that they can be contacted if something bad happens with
their Domain. If this information is inaccurate, the CA will probably
not be able to reach the Domain owner to validate. There have been cases
of Domain hijacking but I don't think that the CA/Browser Forum should
try to solve this problem.
We already have a definition for Domain Name Registrar which covers the
ccTLD cases.
"Domain Name Registrar: A person or entity that registers Domain Names
under the auspices of or by agreement with: (i) the Internet Corporation
for Assigned Names and Numbers (ICANN), (ii) a national Domain Name
authority/registry, or (iii) a Network Information Center (including
their affiliates, contractors, delegates, successors, or assigns)".
We don't currently define "Registry" but there are several places where
we use "registry-controlled, or public-suffix". Perhaps we can leave it
as is.
How about using simpler language?
"Domain Contact: The Domain Name Registrant, technical contact, or
administrative contract (or the equivalent under a ccTLD) as listed in
the WHOIS record of the Base Domain Name or in a DNS SOA record or
through direct contact with the Domain Name Registrar."
Dimitris.
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
