[cabfpub] Verification of Domain Contact and Domain Authorization Document
richard.smith at comodo.com
Wed Dec 20 17:50:02 UTC 2017
Jeremy, I would also happily endorse a ballot removing both these methods.
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi via Public
Sent: Tuesday, December 19, 2017 4:03 PM
To: Jeremy Rowley <jeremy.rowley at digicert.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Verification of Domain Contact and Domain Authorization Document
On Tue, Dec 19, 2017 at 4:30 PM, Jeremy Rowley via Public <public at cabforum.org <mailto:public at cabforum.org> > wrote:
I’m looking to remove/fix both of these methods as both these methods lack the necessary controls to ensure that the verification ties to the domain holder. These methods probably should have been removed back when we passed 169/182. Would anyone being willing to endorse a ballot killing these or making some necessary improvements?
Certainly, the concerns you raise with 18.104.22.168.5 are ones we shared, such as during the discussion in the Berlin F2F regarding the use of Delegated Third Parties for Domain Control Validation. During that discussion, we spent some time discussing how that particular validation method allows for a host of risks associated with issuance - and for the ambiguity as to how the CA appropriately validates the authenticity and the credentials.
I'm not sure I share your optimism for 22.214.171.124.1 with respect to EV.
In discussions about why site operators might want to limit what methods a CA can use to issue, these two methods are both examples of less than ideal methods, and so I'm thrilled to see others recognize it, while simultaneously disheartened at how many customers were validated through those methods.
We'd be happy to endorse removal of both of those methods.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public