[cabfpub] Verification of Domain Contact and Domain Authorization Document

Ryan Sleevi sleevi at google.com
Tue Dec 19 22:03:17 UTC 2017


On Tue, Dec 19, 2017 at 4:30 PM, Jeremy Rowley via Public <
public at cabforum.org> wrote:
>
> I’m looking to remove/fix both of these methods as both these methods lack
> the necessary controls to ensure that the verification ties to the domain
> holder. These methods probably should have been removed back when we passed
> 169/182. Would anyone being willing to endorse a ballot killing these or
> making some necessary improvements?
>

Certainly, the concerns you raise with 3.2.2.4.5 are ones we shared, such
as during the discussion in the Berlin F2F regarding the use of Delegated
Third Parties for Domain Control Validation. During that discussion, we
spent some time discussing how that particular validation method allows for
a host of risks associated with issuance - and for the ambiguity as to how
the CA appropriately validates the authenticity and the credentials.

I'm not sure I share your optimism for 3.2.2.4.1 with respect to EV.

In discussions about why site operators might want to limit what methods a
CA can use to issue, these two methods are both examples of less than ideal
methods, and so I'm thrilled to see others recognize it, while
simultaneously disheartened at how many customers were validated through
those methods.

We'd be happy to endorse removal of both of those methods.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20171219/956f8cb5/attachment-0003.html>


More information about the Public mailing list